diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 000000000..a8120b997
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,2 @@
+# These owners are the maintainers and approvers of this repo
+* @open-policy-agent/gatekeeper-library-maintainers
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 30f774173..d240b81a6 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -41,16 +41,16 @@ jobs:
steps: - name: Harden Runner
- uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with: egress-policy: audit - name: Checkout repository
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
# Initializes the CodeQL tools for scanning. - name: Initialize CodeQL
- uses: github/codeql-action/init@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 # v2.21.8
+ uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file.
@@ -60,7 +60,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild
- uses: github/codeql-action/autobuild@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 # v2.21.8
+ uses: github/codeql-action/autobuild@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
# ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
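Review bot: The new CODEOWNERS rule `* @open-policy-agent/gatekeeper-library-maintainers` only blocks merges when the branch protection or ruleset for the protected branch has "Require review from Code Owners" enabled; nothing in this diff shows that setting, and without it the file merely auto-requests reviewers. The team also needs write permission on the repository for the rule to be applied at all, which is likewise not visible here. A short comment above the rule would record the dependency: `# Only enforced if branch protection requires code-owner review; verify in repository settings.`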
@@ -73,6 +73,6 @@ jobs:
# ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 # v2.21.8
+ uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
with: category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 4df80eaec..97b8bb8d3 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -17,11 +17,11 @@ jobs:
runs-on: ubuntu-latest steps: - name: Harden Runner
- uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with: egress-policy: audit - name: 'Checkout Repository'
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: 'Dependency Review'
- uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0
+ uses: actions/dependency-review-action@fde92acd0840415674c16b39c7d703fc28bc511e # v3.1.2
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 252797e62..53fec756d 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -31,17 +31,17 @@ jobs:
steps: - name: Harden Runner
- uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with: egress-policy: audit - name: "Checkout code"
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with: persist-credentials: false - name: "Run analysis"
- uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
with: results_file: results.sarif results_format: sarif
@@ -71,6 +71,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 # v2.21.8
+ uses: github/codeql-action/upload-sarif@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
with: sarif_file: results.sarif
diff --git a/.github/workflows/scripts.yaml b/.github/workflows/scripts.yaml
index 5b22831ee..d0983b833 100644
--- a/.github/workflows/scripts.yaml
+++ b/.github/workflows/scripts.yaml
@@ -26,7 +26,7 @@ jobs:
with: go-version: '1.20' cache: false
- - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: golangci-lint uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 with:
diff --git a/.github/workflows/website.yaml b/.github/workflows/website.yaml
index 0008b7b2b..083ff7685 100644
--- a/.github/workflows/website.yaml
+++ b/.github/workflows/website.yaml
@@ -25,14 +25,14 @@ jobs:
working-directory: website steps: - name: Harden Runner
- uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with: egress-policy: audit
- - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Node
- uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+ uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
with: node-version: "16"
diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
index ddad2fc4b..e515d5184 100644
--- a/.github/workflows/workflow.yaml
+++ b/.github/workflows/workflow.yaml
@@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest name: "Test scripts" steps:
- - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Unit test run: | make unit-test
@@ -26,11 +26,11 @@ jobs:
runs-on: ubuntu-latest steps: - name: Harden Runner
- uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with: egress-policy: audit
- - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Generate templates and docs run: | make generate generate-website-docs generate-artifacthub-artifacts
@@ -49,11 +49,11 @@ jobs:
name: Unit test on ${{ matrix.os }} opa ${{ matrix.opa }} steps: - name: Harden Runner
- uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with: egress-policy: audit
- - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: | binary=$([[ "$OSTYPE" == "darwin"* ]] && echo "opa_darwin_amd64" || echo "opa_linux_amd64") sudo curl -L -o /usr/local/bin/opa https://github.com/open-policy-agent/opa/releases/download/${{ matrix.opa }}/$binary
@@ -65,16 +65,16 @@ jobs:
runs-on: ubuntu-latest strategy: matrix:
- gatekeeper: [ "release-3.13", "release-3.12" ]
+ gatekeeper: [ "release-3.13", "release-3.14" ]
name: "Integration test on Gatekeeper ${{ matrix.gatekeeper }}" steps: - name: Harden Runner
- uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with: egress-policy: audit - name: Check out code into the Go module directory
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Bootstrap integration test run: |
@@ -104,11 +104,11 @@ jobs:
name: "Require a suite.yaml file alongside every template.yaml" steps: - name: Harden Runner
- uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with: egress-policy: audit
- - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run script run: | make require-suites
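Review bot: The OPA test binary in the `@@ -49` hunk is still installed from an unverified download (`sudo curl -L -o /usr/local/bin/opa https://github.com/open-policy-agent/opa/releases/download/${{ matrix.opa }}/$binary`) while every action around it is now pinned to a commit SHA; the curl line is unchanged context, but it remains the one unpinned input to this job, and the `egress-policy: audit` on Harden Runner only logs traffic, so a substituted asset would not be blocked. Checking the asset against a known digest before it is used would close that gap, e.g. `echo "<expected-sha256>  /usr/local/bin/opa" | sha256sum -c -` after the download, with the expected digests kept next to the `matrix.opa` versions. The `run:` block continues past the end of the hunk.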
@@ -117,11 +117,11 @@ jobs:
name: "Require a sync.yaml file and metadata.gatekeeper.sh/requires-sync-data annotation for every template.yaml using data.inventory" steps: - name: Harden Runner
- uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with: egress-policy: audit
- - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run script run: | make require-sync
@@ -130,10 +130,10 @@ jobs:
name: "Verify assertions in suite.yaml files" steps: - name: Harden Runner
- uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with: egress-policy: audit
- - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: | make verify-gator-dockerized
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..e0c4caf20
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspautomountserviceaccounttokenpod
+displayName: Automount Service Account Token for Pod
+createdAt: "2023-05-23T09:47:24Z"
+description: Controls the ability of any Pod to enable automountServiceAccountToken.
+digest: 8b62e4b2324e9e60a66008e6edcc327bcd2b531d3a905f10bf25a1671079ce6e
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/automount-serviceaccount-token
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Automount Service Account Token for Pod
+ Controls the ability of any Pod to enable automountServiceAccountToken.
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/kustomization.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/constraint.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/constraint.yaml
new file mode 100644
index 000000000..1f70295fd
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/constraint.yaml
@@ -0,0 +1,10 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPAutomountServiceAccountTokenPod
+metadata:
+ name: psp-automount-serviceaccount-token-pod
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ excludedNamespaces: ["kube-system"]
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_allowed.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_allowed.yaml
new file mode 100644
index 000000000..7ceba9c34
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_allowed.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-automountserviceaccounttoken-allowed
+ labels:
+ app: nginx-not-automountserviceaccounttoken
+spec:
+ automountServiceAccountToken: false
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_disallowed.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_disallowed.yaml
new file mode 100644
index 000000000..6184264ec
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_disallowed.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-automountserviceaccounttoken-disallowed
+ labels:
+ app: nginx-automountserviceaccounttoken
+spec:
+ automountServiceAccountToken: true
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/update.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/update.yaml
new file mode 100644
index 000000000..0e9030f27
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/update.yaml
@@ -0,0 +1,16 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-automountserviceaccounttoken-update
+ labels:
+ app: nginx-automountserviceaccounttoken
+ spec:
+ automountServiceAccountToken: true
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/suite.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/suite.yaml
new file mode 100644
index 000000000..cf257d08f
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/suite.yaml
@@ -0,0 +1,21 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: automount-serviceaccount-token
+tests:
+ - name: automount-serviceaccount-token
+ template: template.yaml
+ constraint: samples/automount-serviceaccount-token/constraint.yaml
+ cases:
+ - name: example-allowed
+ object: samples/automount-serviceaccount-token/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: example-disallowed
+ object: samples/automount-serviceaccount-token/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/automount-serviceaccount-token/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml
new file mode 100644
index 000000000..82e69ff9c
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml
@@ -0,0 +1,66 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspautomountserviceaccounttokenpod
+ annotations:
+ metadata.gatekeeper.sh/title: "Automount Service Account Token for Pod"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Controls the ability of any Pod to enable automountServiceAccountToken.
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPAutomountServiceAccountTokenPod
+ validation:
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls the ability of any Pod to enable automountServiceAccountToken.
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8sautomountserviceaccounttoken
+
+ import data.lib.exclude_update.is_update
+
+ violation[{"msg": msg}] {
+ # spec.automountServiceAccountToken and spec.containers.volumeMounts fields are immutable.
+ not is_update(input.review)
+
+ obj := input.review.object
+ mountServiceAccountToken(obj.spec)
+ msg := sprintf("Automounting service account token is disallowed, pod: %v", [obj.metadata.name])
+ }
+
+ mountServiceAccountToken(spec) {
+ spec.automountServiceAccountToken == true
+ }
+
+ # if there is no automountServiceAccountToken spec, check on volumeMount in containers. Service Account token is mounted on /var/run/secrets/kubernetes.io/serviceaccount
+ # https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller
+ mountServiceAccountToken(spec) {
+ not has_key(spec, "automountServiceAccountToken")
+ "/var/run/secrets/kubernetes.io/serviceaccount" == input_containers[_].volumeMounts[_].mountPath
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ }
+
+ # Ephemeral containers not checked as it is not possible to set field.
+
+ has_key(x, k) {
+ _ = x[k]
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
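Review bot: The second `mountServiceAccountToken` rule only inspects `volumeMounts` when `automountServiceAccountToken` is absent, so a Pod that sets `automountServiceAccountToken: false` and then mounts its own projected `serviceAccountToken` volume is not flagged even though it ends up holding the same credential; the mount-path check is also an exact match on `/var/run/secrets/kubernetes.io/serviceaccount`, so a token mounted at any other path passes. A rule that looks at the Pod's volumes regardless of the automount field and mount path would close both gaps, e.g. `mountServiceAccountToken(spec) { spec.volumes[_].projected.sources[_].serviceAccountToken }`, and the suite should gain a disallowed case with `automountServiceAccountToken: false` plus such a projected volume, since neither path is covered today. If this directory is a generated copy of the library template (the workflow runs `make generate-artifacthub-artifacts`), the change belongs in the source template rather than here.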
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..d9b57afb0
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,25 @@
+version: 1.0.1
+name: k8scontainerephemeralstoragelimit
+displayName: Container ephemeral storage limit
+createdAt: "2023-05-23T09:47:27Z"
+description: |-
+ Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values.
+ https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+digest: 84077f1dbcdcab9a7c20710e82299995e44294fccdb1a5b9de63fb5a5032a6d8
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/ephemeralstoragelimit
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Container ephemeral storage limit
+ Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values.
+ https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/kustomization.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/constraint.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/constraint.yaml
new file mode 100644
index 000000000..4575bdf60
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/constraint.yaml
@@ -0,0 +1,11 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sContainerEphemeralStorageLimit
+metadata:
+ name: container-ephemeral-storage-limit
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ ephemeral-storage: "500Mi"
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage-initContainer.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage-initContainer.yaml
new file mode 100644
index 000000000..fe1b7bac0
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage-initContainer.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: opa-allowed
+ labels:
+ owner: me.agilebank.demo
+spec:
+ initContainers:
+ - name: init-opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "1Gi"
+ ephemeral-storage: "100Mi"
+
+
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "1Gi"
+ ephemeral-storage: "100Mi"
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage.yaml
new file mode 100644
index 000000000..3c1f5ce9e
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: opa-allowed
+ labels:
+ owner: me.agilebank.demo
+spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "1Gi"
+
+ ephemeral-storage: "100Mi"
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml
new file mode 100644
index 000000000..05d512d3c
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: opa-disallowed
+ labels:
+ owner: me.agilebank.demo
+spec:
+ initContainers:
+ - name: init-opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "1Gi"
+ ephemeral-storage: "1Pi"
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "1Gi"
+ ephemeral-storage: "100Mi"
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi.yaml
new file mode 100644
index 000000000..7dae0395b
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: opa-disallowed
+ labels:
+ owner: me.agilebank.demo
+spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "1Gi"
+
+ ephemeral-storage: "1Pi"
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_unspecified.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_unspecified.yaml
new file mode 100644
index 000000000..6e81b1118
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_unspecified.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: opa-disallowed
+ labels:
+ owner: me.agilebank.demo
+spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "2Gi"
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/update.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/update.yaml
new file mode 100644
index 000000000..c0ff27893
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/update.yaml
@@ -0,0 +1,24 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: opa-allowed
+ labels:
+ owner: me.agilebank.demo
+ spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "1Gi"
+ ephemeral-storage: "1Pi"
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/suite.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/suite.yaml
new file mode 100644
index 000000000..a6b99410d
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/suite.yaml
@@ -0,0 +1,33 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: ephemeral-storage-limit
+tests:
+- name: ephemeral-storage-limit
+ template: template.yaml
+ constraint: samples/container-must-have-ephemeral-storage-limit/constraint.yaml
+ cases:
+ - name: ephemeral-storage-limit-100Mi
+ object: samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage.yaml
+ assertions:
+ - violations: no
+ - name: ephemeral-storage-limit-initContainer-100Mi
+ object: samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage-initContainer.yaml
+ assertions:
+ - violations: no
+ - name: ephemeral-storage-limit-unspecified
+ object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_unspecified.yaml
+ assertions:
+ - violations: yes
+ - name: ephemeral-storage-limit-1Pi
+ object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi.yaml
+ assertions:
+ - violations: yes
+ - name: ephemeral-storage-limit-initContainer-1Pi
+ object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml
+ assertions:
+ - violations: yes
+ - name: ephemeral-storage-limit-update
+ object: samples/container-must-have-ephemeral-storage-limit/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml
new file mode 100644
index 000000000..2f7bf1b2b
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml
@@ -0,0 +1,232 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8scontainerephemeralstoragelimit
+ annotations:
+ metadata.gatekeeper.sh/title: "Container ephemeral storage limit"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Requires containers to have an ephemeral storage limit set and constrains
+ the limit to be within the specified maximum values.
+
+ https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sContainerEphemeralStorageLimit
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ ephemeral-storage:
+ description: "The maximum allowed ephemeral storage limit on a Pod, exclusive."
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8scontainerephemeralstoragelimit
+
+ import data.lib.exclude_update.is_update
+ import data.lib.exempt_container.is_exempt
+
+ missing(obj, field) = true {
+ not obj[field]
+ }
+
+ missing(obj, field) = true {
+ obj[field] == ""
+ }
+
+ has_field(object, field) = true {
+ object[field]
+ }
+
+ # 10 ** 21
+ storage_multiple("E") = 1000000000000000000000 { true }
+
+ # 10 ** 18
+ storage_multiple("P") = 1000000000000000000 { true }
+
+ # 10 ** 15
+ storage_multiple("T") = 1000000000000000 { true }
+
+ # 10 ** 12
+ storage_multiple("G") = 1000000000000 { true }
+
+ # 10 ** 9
+ storage_multiple("M") = 1000000000 { true }
+
+ # 10 ** 6
+ storage_multiple("k") = 1000000 { true }
+
+ # 10 ** 3
+ storage_multiple("") = 1000 { true }
+
+ # Kubernetes accepts millibyte precision when it probably shouldn't.
+ # https://github.com/kubernetes/kubernetes/issues/28741
+ # 10 ** 0
+ storage_multiple("m") = 1 { true }
+
+ # 1000 * 2 ** 10
+ storage_multiple("Ki") = 1024000 { true }
+
+ # 1000 * 2 ** 20
+ storage_multiple("Mi") = 1048576000 { true }
+
+ # 1000 * 2 ** 30
+ storage_multiple("Gi") = 1073741824000 { true }
+
+ # 1000 * 2 ** 40
+ storage_multiple("Ti") = 1099511627776000 { true }
+
+ # 1000 * 2 ** 50
+ storage_multiple("Pi") = 1125899906842624000 { true }
+
+ # 1000 * 2 ** 60
+ storage_multiple("Ei") = 1152921504606846976000 { true }
+
+ get_suffix(storage) = suffix {
+ not is_string(storage)
+ suffix := ""
+ }
+
+ get_suffix(storage) = suffix {
+ is_string(storage)
+ count(storage) > 0
+ suffix := substring(storage, count(storage) - 1, -1)
+ storage_multiple(suffix)
+ }
+
+ get_suffix(storage) = suffix {
+ is_string(storage)
+ count(storage) > 1
+ suffix := substring(storage, count(storage) - 2, -1)
+ storage_multiple(suffix)
+ }
+
+ get_suffix(storage) = suffix {
+ is_string(storage)
+ count(storage) > 1
+ not storage_multiple(substring(storage, count(storage) - 1, -1))
+ not
storage_multiple(substring(storage, count(storage) - 2, -1))
+ suffix := ""
+ }
+
+ get_suffix(storage) = suffix {
+ is_string(storage)
+ count(storage) == 1
+ not storage_multiple(substring(storage, count(storage) - 1, -1))
+ suffix := ""
+ }
+
+ get_suffix(storage) = suffix {
+ is_string(storage)
+ count(storage) == 0
+ suffix := ""
+ }
+
+ canonify_storage(orig) = new {
+ is_number(orig)
+ new := orig * 1000
+ }
+
+ canonify_storage(orig) = new {
+ not is_number(orig)
+ suffix := get_suffix(orig)
+ raw := replace(orig, suffix, "")
+ re_match("^[0-9]+(\\.[0-9]+)?$", raw)
+ new := to_number(raw) * storage_multiple(suffix)
+ }
+
+ violation[{"msg": msg}] {
+ # spec.containers.resources.limits["ephemeral-storage"] field is immutable.
+ not is_update(input.review)
+
+ general_violation[{"msg": msg, "field": "containers"}]
+ }
+
+ violation[{"msg": msg}] {
+ not is_update(input.review)
+ general_violation[{"msg": msg, "field": "initContainers"}]
+ }
+
+ # Ephemeral containers not checked as it is not possible to set field.
+
+ general_violation[{"msg": msg, "field": field}] {
+ container := input.review.object.spec[field][_]
+ not is_exempt(container)
+ storage_orig := container.resources.limits["ephemeral-storage"]
+ not canonify_storage(storage_orig)
+ msg := sprintf("container <%v> ephemeral-storage limit <%v> could not be parsed", [container.name, storage_orig])
+ }
+
+ general_violation[{"msg": msg, "field": field}] {
+ container := input.review.object.spec[field][_]
+ not is_exempt(container)
+ not container.resources
+ msg := sprintf("container <%v> has no resource limits", [container.name])
+ }
+
+ general_violation[{"msg": msg, "field": field}] {
+ container := input.review.object.spec[field][_]
+ not is_exempt(container)
+ not container.resources.limits
+ msg := sprintf("container <%v> has no resource limits", [container.name])
+ }
+
+ general_violation[{"msg": msg, "field": field}] {
+ container := input.review.object.spec[field][_]
+ not is_exempt(container)
+ missing(container.resources.limits, "ephemeral-storage")
+ msg := sprintf("container <%v> has no ephemeral-storage limit", [container.name])
+ }
+
+ general_violation[{"msg": msg, "field": field}] {
+ container := input.review.object.spec[field][_]
+ not is_exempt(container)
+ storage_orig := container.resources.limits["ephemeral-storage"]
+ storage := canonify_storage(storage_orig)
+ max_storage_orig := input.parameters["ephemeral-storage"]
+ max_storage := canonify_storage(max_storage_orig)
+ storage > max_storage
+ msg := sprintf("container <%v> ephemeral-storage limit <%v> is higher than the maximum allowed of <%v>", [container.name, storage_orig, max_storage_orig])
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/artifacthub-pkg.yml b/artifacthub/library/general/requiredprobes/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..e176a3b0d
--- /dev/null
+++ b/artifacthub/library/general/requiredprobes/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8srequiredprobes
+displayName: Required Probes
+createdAt: "2023-05-23T09:47:30Z"
+description: Requires Pods to have readiness and/or liveness probes.
+digest: 217bec367754aadcce3929828825aca968030e4219045d659553a9cc0173d18d
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/requiredprobes
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Required Probes
+ Requires Pods to have readiness and/or liveness probes.
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/requiredprobes/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/kustomization.yaml b/artifacthub/library/general/requiredprobes/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/general/requiredprobes/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/constraint.yaml b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/constraint.yaml
new file mode 100644
index 000000000..84fde016a
--- /dev/null
+++ b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/constraint.yaml
@@ -0,0 +1,12 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredProbes
+metadata:
+ name: must-have-probes
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ probes: ["readinessProbe", "livenessProbe"]
+ probeTypes: ["tcpSocket", "httpGet", "exec"]
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_allowed.yaml b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_allowed.yaml
new file mode 100644
index 000000000..4248b67dd
--- /dev/null
+++ b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_allowed.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pod1
+spec:
+ containers:
+ - name: tomcat
+ image: tomcat
+ ports:
+ - containerPort: 8080
+ livenessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_disallowed.yaml b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_disallowed.yaml
new file mode 100644
index 000000000..6db251904
--- /dev/null
+++ b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_disallowed.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pod1
+spec:
+ containers:
+ - name: nginx-1
+ image: nginx:1.7.9
+ ports:
+ - containerPort: 80
+ livenessProbe:
+ # tcpSocket:
+ # port: 80
+ # initialDelaySeconds: 5
+ # periodSeconds: 10
+ volumeMounts:
+ - mountPath: /tmp/cache
+ name: cache-volume
+ - name: tomcat
+ image: tomcat
+ ports:
+ - containerPort: 8080
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
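Review bot: The sample `probeTypes` list stops at `tcpSocket`, `httpGet` and `exec`, so a container whose readiness or liveness handler is `grpc` (a first-class probe handler in recent Kubernetes releases) is accepted by the API server but still reported by this constraint as having no probe at all. If the sample is meant to accept every handler type, extend it to `probeTypes: ["tcpSocket", "httpGet", "exec", "grpc"]`; if the omission is deliberate, a one-line comment above the entry saying which handlers are excluded and why would save the next reader from guessing.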
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_disallowed2.yaml b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_disallowed2.yaml
new file mode 100644
index 000000000..6e0536487
--- /dev/null
+++ b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_disallowed2.yaml
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pod2
+spec:
+ containers:
+ - name: nginx-1
+ image: nginx:1.7.9
+ ports:
+ - containerPort: 80
+ readinessProbe:
+ # httpGet:
+ # path: /
+ # port: 80
+ # initialDelaySeconds: 5
+ # periodSeconds: 10
+ livenessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ volumeMounts:
+ - mountPath: /tmp/cache
+ name: cache-volume
+ - name: tomcat
+ image: tomcat
+ ports:
+ - containerPort: 8080
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ # livenessProbe:
+ # tcpSocket:
+ # port: 8080
+ # initialDelaySeconds: 5
+ # periodSeconds: 10
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/update.yaml b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/update.yaml
new file mode 100644
index 000000000..ff5e91103
--- /dev/null
+++ b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/update.yaml
@@ -0,0 +1,35 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: test-pod1
+ spec:
+ containers:
+ - name: nginx-1
+ image: nginx:1.7.9
+ ports:
+ - containerPort: 80
+ livenessProbe:
+ # tcpSocket:
+ # port: 80
+ # initialDelaySeconds: 5
+ # periodSeconds: 10
+ volumeMounts:
+ - mountPath: /tmp/cache
+ name: cache-volume
+ - name: tomcat
+ image: tomcat
+ ports:
+ - containerPort: 8080
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/suite.yaml b/artifacthub/library/general/requiredprobes/1.0.1/suite.yaml
new file mode 100644
index 000000000..86c2a229e
--- /dev/null
+++ b/artifacthub/library/general/requiredprobes/1.0.1/suite.yaml
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: requiredprobes
+tests:
+- name: required-probes
+ template: template.yaml
+ constraint: samples/must-have-probes/constraint.yaml
+ cases:
+ - name: example-allowed
+ object: samples/must-have-probes/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: example-disallowed
+ object: samples/must-have-probes/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-disallowed2
+ object: samples/must-have-probes/example_disallowed2.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/must-have-probes/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/template.yaml b/artifacthub/library/general/requiredprobes/1.0.1/template.yaml
new file mode 100644
index 000000000..4115a6d98
--- /dev/null
+++ b/artifacthub/library/general/requiredprobes/1.0.1/template.yaml
@@ -0,0 +1,72 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8srequiredprobes
+ annotations:
+ metadata.gatekeeper.sh/title: "Required Probes"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: Requires Pods to have readiness and/or liveness probes.
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sRequiredProbes
+ validation:
+ openAPIV3Schema:
+ type: object
+ properties:
+ probes:
+ description: "A list of probes that are required (ex: `readinessProbe`)"
+ type: array
+ items:
+ type: string
+ probeTypes:
+ description: "The probe must define a field listed in `probeType` in order to satisfy the constraint (ex. `tcpSocket` satisfies `['tcpSocket', 'exec']`)"
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8srequiredprobes
+
+ import data.lib.exclude_update.is_update
+
+ probe_type_set = probe_types {
+ probe_types := {type | type := input.parameters.probeTypes[_]}
+ }
+
+ violation[{"msg": msg}] {
+ # Probe fields are immutable.
+ not is_update(input.review)
+
+ container := input.review.object.spec.containers[_]
+ probe := input.parameters.probes[_]
+ probe_is_missing(container, probe)
+ msg := get_violation_message(container, input.review, probe)
+ }
+
+ probe_is_missing(ctr, probe) = true {
+ not ctr[probe]
+ }
+
+ probe_is_missing(ctr, probe) = true {
+ probe_field_empty(ctr, probe)
+ }
+
+ probe_field_empty(ctr, probe) = true {
+ probe_fields := {field | ctr[probe][field]}
+ diff_fields := probe_type_set - probe_fields
+ count(diff_fields) == count(probe_type_set)
+ }
+
+ get_violation_message(container, review, probe) = msg {
+ msg := sprintf("Container <%v> in your <%v> <%v> has no <%v>", [container.name, review.kind.kind, review.object.metadata.name, probe])
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
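Review bot: `probe_field_empty` holds vacuously when `probeTypes` is omitted or empty: the comprehension behind `probe_type_set` then yields an empty set, `diff_fields` is empty as well, and `count(diff_fields) == count(probe_type_set)` reduces to `0 == 0`, so every container that has the probe key is reported as missing it while containers without the key are caught by the first `probe_is_missing` rule, i.e. every container in a matching Pod is rejected. The schema does not mark the parameter as required, so a constraint that sets only `probes` fails closed on everything rather than being inert, which is hard to diagnose from the message. Either declare `required: ["probes", "probeTypes"]` under `openAPIV3Schema` (if the generated CRD honours it) or add `count(probe_type_set) > 0` as the first line of `probe_field_empty` so an unset list cannot satisfy the rule. The `probeTypes` description also refers to `probeType`, which is not the parameter's name.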
diff --git a/artifacthub/library/general/verifydeprecatedapi/1.0.0/samples/verify-1.22/constraint.yaml b/artifacthub/library/general/verifydeprecatedapi/1.0.0/samples/verify-1.22/constraint.yaml
index 637f08079..02b669174 100644
--- a/artifacthub/library/general/verifydeprecatedapi/1.0.0/samples/verify-1.22/constraint.yaml
+++ b/artifacthub/library/general/verifydeprecatedapi/1.0.0/samples/verify-1.22/constraint.yaml
@@ -25,9 +25,9 @@ spec:
 kinds: ["IngressClass"]
 - apiGroups: ["rbac.authorization.k8s.io"]
 kinds: ["ClusterRole", "ClusterRoleBinding", "Role", "RoleBinding"]
- - apiGroups: ["scheduling.k8s.io/v1beta1"]
+ - apiGroups: ["scheduling.k8s.io"]
 kinds: ["PriorityClass"]
- - apiGroups: ["storage.k8s.io/v1beta1"]
+ - apiGroups: ["storage.k8s.io"]
 kinds: ["CSIDriver", "CSINode", "StorageClass", "VolumeAttachment"]
 parameters:
 kvs:
diff --git a/artifacthub/library/general/verifydeprecatedapi/1.0.0/samples/verify-1.25/constraint.yaml b/artifacthub/library/general/verifydeprecatedapi/1.0.0/samples/verify-1.25/constraint.yaml
index 34a2fbba0..bf1a64e01 100644
--- a/artifacthub/library/general/verifydeprecatedapi/1.0.0/samples/verify-1.25/constraint.yaml
+++ b/artifacthub/library/general/verifydeprecatedapi/1.0.0/samples/verify-1.25/constraint.yaml
@@ -15,8 +15,10 @@ spec:
 kinds: ["HorizontalPodAutoscaler"]
 - apiGroups: ["policy"]
 kinds: ["PodDisruptionBudget", "PodSecurityPolicy"]
+ - apiGroups: ["node.k8s.io"]
+ kinds: ["RuntimeClass"]
 parameters:
- kvs:
+ kvs:
 - deprecatedAPI: "batch/v1beta1"
 kinds: ["CronJob"]
 targetAPI: "batch/v1"
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..c9378d2b9
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/artifacthub-pkg.yml
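Review bot: The two corrected entries confirm that `match.kinds[].apiGroups` takes a bare API group, so the previous `scheduling.k8s.io/v1beta1` and `storage.k8s.io/v1beta1` values, as far as I can tell, never matched any object and PriorityClass, CSIDriver, CSINode, StorageClass and VolumeAttachment were silently unmonitored by this sample. The remainder of the `kinds` list and the `kvs` parameters lie outside this hunk; it is worth scanning the whole file and the other `verify-*` samples for any other `group/version` value in an `apiGroups` entry, since the same silent no-op would apply there. A gator case whose object uses one of the newly matched kinds would keep this from regressing.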
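Review bot: The new `node.k8s.io` / `RuntimeClass` match entry only produces violations if the `kvs` list, which continues past the end of this hunk, also carries a `deprecatedAPI: "node.k8s.io/v1beta1"` entry with `kinds: ["RuntimeClass"]`; I cannot see whether it does, so please confirm, because without it the match is inert. The `- kvs:` / `+ kvs:` pair differs only in whitespace, which is harmless but easy to mistake for a semantic change in review.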
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspallowprivilegeescalationcontainer
+displayName: Allow Privilege Escalation in Container
+createdAt: "2023-05-23T09:47:31Z"
+description: Controls restricting escalation to root privileges. Corresponds to the `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
+digest: a3c63022c554318dcc9589828a7b135c80740772375b071dfc0625fdaea91f66
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/allow-privilege-escalation
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Allow Privilege Escalation in Container
+ Controls restricting escalation to root privileges. Corresponds to the `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/constraint.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/constraint.yaml
new file mode 100644
index 000000000..fdc05a1c0
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/constraint.yaml
@@ -0,0 +1,9 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPAllowPrivilegeEscalationContainer
+metadata:
+ name: psp-allow-privilege-escalation-container
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..5992f96b3
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privilege-escalation-disallowed
+ labels:
+ app: nginx-privilege-escalation
+spec:
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ allowPrivilegeEscalation: true
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/example_allowed.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/example_allowed.yaml
new file mode 100644
index 000000000..26c8dd879
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/example_allowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privilege-escalation-allowed
+ labels:
+ app: nginx-privilege-escalation
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ allowPrivilegeEscalation: false
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/example_disallowed.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/example_disallowed.yaml
new file mode 100644
index 000000000..d3648d2f2
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/example_disallowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privilege-escalation-disallowed
+ labels:
+ app: nginx-privilege-escalation
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ allowPrivilegeEscalation: true
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/update.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/update.yaml
new file mode 100644
index 000000000..a79d40a1b
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-privilege-escalation-disallowed
+ labels:
+ app: nginx-privilege-escalation
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ allowPrivilegeEscalation: true
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/suite.yaml
new file mode 100644
index 000000000..cd7531cfa
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/suite.yaml
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: allow-privilege-escalation
+tests:
+ - name: allow-privilege-escalation
+ template: template.yaml
+ constraint: samples/psp-allow-privilege-escalation-container/constraint.yaml
+ cases:
+ - name: example-allowed
+ object: samples/psp-allow-privilege-escalation-container/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: example-disallowed
+ object: samples/psp-allow-privilege-escalation-container/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: disallowed-ephemeral
+ object: samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-allow-privilege-escalation-container/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml
new file mode 100644
index 000000000..a7f4694a2
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml
@@ -0,0 +1,100 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspallowprivilegeescalationcontainer
+ annotations:
+ metadata.gatekeeper.sh/title: "Allow Privilege Escalation in Container"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Controls restricting escalation to root privileges. Corresponds to the
+ `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPAllowPrivilegeEscalationContainer
+ validation:
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls restricting escalation to root privileges. Corresponds to the
+ `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spspallowprivilegeescalationcontainer
+
+ import data.lib.exclude_update.is_update
+ import data.lib.exempt_container.is_exempt
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.containers.securityContext.allowPrivilegeEscalation field is immutable.
+ not is_update(input.review)
+
+ c := input_containers[_]
+ not is_exempt(c)
+ input_allow_privilege_escalation(c)
+ msg := sprintf("Privilege escalation container is not allowed: %v", [c.name])
+ }
+
+ input_allow_privilege_escalation(c) {
+ not has_field(c, "securityContext")
+ }
+ input_allow_privilege_escalation(c) {
+ not c.securityContext.allowPrivilegeEscalation == false
+ }
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ }
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ }
+ input_containers[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ }
+ # has_field returns whether an object has a field
+ has_field(object, field) = true {
+ object[field]
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..0ffac5139
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/artifacthub-pkg.yml
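Review bot: `not is_update(input.review)` at the top of `violation` discards every UPDATE request, yet ephemeral containers are, as far as I know, only ever attached to a running Pod through an UPDATE of the `ephemeralcontainers` subresource, so the `spec.ephemeralContainers` branch of `input_containers` can fire on the synthetic CREATE-shaped `disallowed_ephemeral.yaml` fixture but not on a real debug-container request. The comment justifies the skip by the field being immutable, which is true for `containers` and `initContainers` but not for the ephemeral list, which grows on update. Consider narrowing the exclusion so that UPDATEs whose `spec.ephemeralContainers` has entries absent from `input.review.oldObject` are still evaluated, and add a gator case driven by an `AdmissionReview` with `operation: "UPDATE"` and a newly added ephemeral container to pin that behaviour. The same skip appears in the capabilities template's `violation` rules in the later hunk of this diff, and in the shared `lib.exclude_update` library, so the fix belongs in the library rather than per template.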
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspcapabilities
+displayName: Capabilities
+createdAt: "2023-05-23T09:47:31Z"
+description: Controls Linux capabilities on containers. Corresponds to the `allowedCapabilities` and `requiredDropCapabilities` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
+digest: 140a62f0c286b67c659beb12c38186e4071495f00d1deca606a9df54c3735c44
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/capabilities
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Capabilities
+ Controls Linux capabilities on containers. Corresponds to the `allowedCapabilities` and `requiredDropCapabilities` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/constraint.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/constraint.yaml
new file mode 100644
index 000000000..3f856082f
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/constraint.yaml
@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPCapabilities
+metadata:
+ name: capabilities-demo
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ namespaces:
+ - "default"
+ parameters:
+ allowedCapabilities: ["something"]
+ requiredDropCapabilities: ["must_drop"]
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..5467c826e
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/disallowed_ephemeral.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: opa-disallowed
+ labels:
+ owner: me.agilebank.demo
+spec:
+ ephemeralContainers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ securityContext:
+ capabilities:
+ add: ["disallowedcapability"]
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "30Mi"
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/example_allowed.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/example_allowed.yaml
new file mode 100644
index 000000000..41bf6a0ed
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/example_allowed.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: opa-allowed
+ labels:
+ owner: me.agilebank.demo
+spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ securityContext:
+ capabilities:
+ add: ["something"]
+ drop: ["must_drop", "another_one"]
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "30Mi"
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/example_disallowed.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/example_disallowed.yaml
new file mode 100644
index 000000000..fdd886189
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/example_disallowed.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: opa-disallowed
+ labels:
+ owner: me.agilebank.demo
+spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ securityContext:
+ capabilities:
+ add: ["disallowedcapability"]
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "30Mi"
\ No newline at end of file
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/update.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/update.yaml
new file mode 100644
index 000000000..df8ea0070
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/update.yaml
@@ -0,0 +1,26 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: opa-disallowed
+ labels:
+ owner: me.agilebank.demo
+ spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ securityContext:
+ capabilities:
+ add: ["disallowedcapability"]
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "30Mi"
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/suite.yaml
new file mode 100644
index 000000000..48c2fcb46
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/suite.yaml
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: capabilities
+tests:
+ - name: capabilities
+ template: template.yaml
+ constraint: samples/capabilities-demo/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/capabilities-demo/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/capabilities-demo/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/capabilities-demo/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/capabilities-demo/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml
new file mode 100644
index 000000000..0df32e927
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml
@@ -0,0 +1,163 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspcapabilities
+ annotations:
+ metadata.gatekeeper.sh/title: "Capabilities"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Controls Linux capabilities on containers. Corresponds to the
+ `allowedCapabilities` and `requiredDropCapabilities` fields in a
+ PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPCapabilities
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls Linux capabilities on containers. Corresponds to the
+ `allowedCapabilities` and `requiredDropCapabilities` fields in a
+ PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ allowedCapabilities:
+ type: array
+ description: "A list of Linux capabilities that can be added to a container."
+ items:
+ type: string
+ requiredDropCapabilities:
+ type: array
+ description: "A list of Linux capabilities that are required to be dropped from a container."
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package capabilities
+
+ import data.lib.exclude_update.is_update
+ import data.lib.exempt_container.is_exempt
+
+ violation[{"msg": msg}] {
+ # spec.containers.securityContext.capabilities field is immutable.
+ not is_update(input.review)
+
+ container := input.review.object.spec.containers[_]
+ not is_exempt(container)
+ has_disallowed_capabilities(container)
+ msg := sprintf("container <%v> has a disallowed capability. Allowed capabilities are %v", [container.name, get_default(input.parameters, "allowedCapabilities", "NONE")])
+ }
+
+ violation[{"msg": msg}] {
+ not is_update(input.review)
+ container := input.review.object.spec.containers[_]
+ not is_exempt(container)
+ missing_drop_capabilities(container)
+ msg := sprintf("container <%v> is not dropping all required capabilities. Container must drop all of %v or \"ALL\"", [container.name, input.parameters.requiredDropCapabilities])
+ }
+
+
+
+ violation[{"msg": msg}] {
+ not is_update(input.review)
+ container := input.review.object.spec.initContainers[_]
+ not is_exempt(container)
+ has_disallowed_capabilities(container)
+ msg := sprintf("init container <%v> has a disallowed capability. Allowed capabilities are %v", [container.name, get_default(input.parameters, "allowedCapabilities", "NONE")])
+ }
+
+ violation[{"msg": msg}] {
+ not is_update(input.review)
+ container := input.review.object.spec.initContainers[_]
+ not is_exempt(container)
+ missing_drop_capabilities(container)
+ msg := sprintf("init container <%v> is not dropping all required capabilities. Container must drop all of %v or \"ALL\"", [container.name, input.parameters.requiredDropCapabilities])
+ }
+
+
+
+ violation[{"msg": msg}] {
+ not is_update(input.review)
+ container := input.review.object.spec.ephemeralContainers[_]
+ not is_exempt(container)
+ has_disallowed_capabilities(container)
+ msg := sprintf("ephemeral container <%v> has a disallowed capability. Allowed capabilities are %v", [container.name, get_default(input.parameters, "allowedCapabilities", "NONE")])
+ }
+
+ violation[{"msg": msg}] {
+ not is_update(input.review)
+ container := input.review.object.spec.ephemeralContainers[_]
+ not is_exempt(container)
+ missing_drop_capabilities(container)
+ msg := sprintf("ephemeral container <%v> is not dropping all required capabilities. Container must drop all of %v or \"ALL\"", [container.name, input.parameters.requiredDropCapabilities])
+ }
+
+
+ has_disallowed_capabilities(container) {
+ allowed := {c | c := lower(input.parameters.allowedCapabilities[_])}
+ not allowed["*"]
+ capabilities := {c | c := lower(container.securityContext.capabilities.add[_])}
+
+ count(capabilities - allowed) > 0
+ }
+
+ missing_drop_capabilities(container) {
+ must_drop := {c | c := lower(input.parameters.requiredDropCapabilities[_])}
+ all := {"all"}
+ dropped := {c | c := lower(container.securityContext.capabilities.drop[_])}
+
+ count(must_drop - dropped) > 0
+ count(all - dropped) > 0
+ }
+
+ get_default(obj, param, _default) = out {
+ out = obj[param]
+ }
+
+ get_default(obj, param, _default) = out {
+ not obj[param]
+ not obj[param] == false
+ out = _default
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
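Review bot: `all := {"all"}` in `missing_drop_capabilities` shadows the Rego built-in `all`, which is legal but obscures the rule and is flagged by linters that check built-in shadowing; `drop_all := {"all"}` with `count(drop_all - dropped) > 0` reads the same without the collision. As a matter of style, the six `violation` rules differ only in the spec list they walk and the noun in the message, and the sibling allow-privilege-escalation template in this same change already factors that variation into an `input_containers` set; carrying a kind label alongside the container would halve this block while keeping the three message prefixes byte-for-byte. `has_disallowed_capabilities`, `missing_drop_capabilities` and `get_default` are unaffected either way.

```rego
input_containers[[kind, c]] {
    c := input.review.object.spec.containers[_]
    kind := "container"
}
input_containers[[kind, c]] {
    c := input.review.object.spec.initContainers[_]
    kind := "init container"
}
input_containers[[kind, c]] {
    c := input.review.object.spec.ephemeralContainers[_]
    kind := "ephemeral container"
}

violation[{"msg": msg}] {
    not is_update(input.review)
    [kind, container] := input_containers[_]
    not is_exempt(container)
    has_disallowed_capabilities(container)
    msg := sprintf("%v <%v> has a disallowed capability. Allowed capabilities are %v", [kind, container.name, get_default(input.parameters, "allowedCapabilities", "NONE")])
}

violation[{"msg": msg}] {
    not is_update(input.review)
    [kind, container] := input_containers[_]
    not is_exempt(container)
    missing_drop_capabilities(container)
    msg := sprintf("%v <%v> is not dropping all required capabilities. Container must drop all of %v or \"ALL\"", [kind, container.name, input.parameters.requiredDropCapabilities])
}

# … unchanged: has_disallowed_capabilities, missing_drop_capabilities, get_default …
```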
diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..733b22e88
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspflexvolumes
+displayName: FlexVolumes
+createdAt: "2023-05-23T09:47:31Z"
+description: Controls the allowlist of FlexVolume drivers. Corresponds to the `allowedFlexVolumes` field in PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers
+digest: 72545f834896499ee61b0918b4735e25bc851df1b16a8adcf35b0ca250ca79de
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/flexvolume-drivers
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # FlexVolumes
+ Controls the allowlist of FlexVolume drivers. Corresponds to the `allowedFlexVolumes` field in PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/constraint.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/constraint.yaml
new file mode 100644
index 000000000..8fc65f2de
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/constraint.yaml
@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPFlexVolumes
+metadata:
+ name: psp-flexvolume-drivers
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ allowedFlexVolumes: #[]
+ - driver: "example/lvm"
+ - driver: "example/cifs"
diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/example_allowed.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/example_allowed.yaml
new file mode 100644
index 000000000..22b2e949c
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/example_allowed.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-flexvolume-driver-allowed
+ labels:
+ app: nginx-flexvolume-driver
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /test
+ name: test-volume
+ readOnly: true
+ volumes:
+ - name: test-volume
+ flexVolume:
+ driver: "example/lvm"
diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/example_disallowed.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/example_disallowed.yaml
new file mode 100644
index 000000000..9a8f27d67
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/example_disallowed.yaml
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-flexvolume-driver-disallowed + labels: + app: nginx-flexvolume-driver +spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /test + name: test-volume + readOnly: true + volumes: + - name: test-volume + flexVolume: + driver: "example/testdriver" #"example/lvm" diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/update.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/update.yaml new file mode 100644 index 000000000..9358c6c5c --- /dev/null +++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/update.yaml @@ -0,0 +1,23 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-flexvolume-driver-disallowed + labels: + app: nginx-flexvolume-driver + spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /test + name: test-volume + readOnly: true + volumes: + - name: test-volume + flexVolume: + driver: "example/testdriver" #"example/lvm" diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/suite.yaml new file mode 100644 index 000000000..fe69966bd --- /dev/null +++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/suite.yaml 
@@ -0,0 +1,21 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: flexvolume-drivers +tests: + - name: flexvolume-drivers + template: template.yaml + constraint: samples/psp-flexvolume-drivers/constraint.yaml + cases: + - name: example-allowed + object: samples/psp-flexvolume-drivers/example_allowed.yaml + assertions: + - violations: no + - name: example-disallowed + object: samples/psp-flexvolume-drivers/example_disallowed.yaml + assertions: + - violations: yes + - name: update + object: samples/psp-flexvolume-drivers/update.yaml + assertions: + - violations: no diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml new file mode 100644 index 000000000..c059681c9 --- /dev/null +++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml 
@@ -0,0 +1,72 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8spspflexvolumes + annotations: + metadata.gatekeeper.sh/title: "FlexVolumes" + metadata.gatekeeper.sh/version: 1.0.1 + description: >- + Controls the allowlist of FlexVolume drivers. Corresponds to the + `allowedFlexVolumes` field in PodSecurityPolicy. For more information, + see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers +spec: + crd: + spec: + names: + kind: K8sPSPFlexVolumes + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Controls the allowlist of FlexVolume drivers. Corresponds to the + `allowedFlexVolumes` field in PodSecurityPolicy. For more information, + see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers + properties: + allowedFlexVolumes: + type: array + description: "An array of AllowedFlexVolume objects." + items: + type: object + properties: + driver: + description: "The name of the FlexVolume driver." + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8spspflexvolumes + + import data.lib.exclude_update.is_update + + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update(input.review) + + volume := input_flexvolumes[_] + not input_flexvolumes_allowed(volume) + msg := sprintf("FlexVolume %v is not allowed, pod: %v. 
Allowed drivers: %v", [volume, input.review.object.metadata.name, input.parameters.allowedFlexVolumes]) + } + + input_flexvolumes_allowed(volume) { + input.parameters.allowedFlexVolumes[_].driver == volume.flexVolume.driver + } + + input_flexvolumes[v] { + v := input.review.object.spec.volumes[_] + has_field(v, "flexVolume") + } + + # has_field returns whether an object has a field + has_field(object, field) = true { + object[field] + } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/README.md b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/README.md new file mode 100644 index 000000000..d8a40937d --- /dev/null +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/README.md 
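Review bot: The violation message in the flexvolume-drivers template interpolates the whole `volume` object (`[volume, input.review.object.metadata.name, input.parameters.allowedFlexVolumes]`), so everything under `flexVolume` — including the driver-specific `options` map and any `secretRef` — is copied into the denial response and, when the constraint is audited, may also land in the constraint's status, which can have a wider readership than the pod spec itself. Naming only what the policy actually decided on keeps the message useful without echoing the full volume: `msg := sprintf("FlexVolume driver %v (volume %v) is not allowed, pod: %v. Allowed drivers: %v", [volume.flexVolume.driver, volume.name, input.review.object.metadata.name, input.parameters.allowedFlexVolumes])`. If this artifacthub copy is generated from the library source, the change belongs in the source template.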
@@ -0,0 +1,36 @@ +# Forbidden Sysctls security context policy + +The forbidden sysctls constraint allows one to limit the set of kernel parameters that can be modified by pods. This is accomplished by specifying a combination of allowed and forbidden sysctls using either of two parameters: `allowedSysctls` and `forbiddenSysctls`. + +## Parameters + +`allowedSysctls`: A list of explicitly allowed sysctls. Any sysctl not in this list will be considered forbidden. '*' and trailing wildcards are supported. If unspecified, no limitations are made by this parameter. + +`forbiddenSysctls`: A list of explicitly denied sysctls. Any sysctl in this list will be considered forbidden. '*' and trailing wildcards are supported. If unspecified, no limitations are made by this parameter. + +## Examples + +```yaml +parameters: + allowedSysctls: ['*'] + forbiddenSysctls: + - kernel.msg* + - net.core.somaxconn +``` + +```yaml +parameters: + allowedSysctls: + - kernel.shm_rmid_forced + - net.ipv4.ip_local_port_range + - net.ipv4.tcp_syncookies + - net.ipv4.ping_group_range + forbiddenSysctls: [] +``` + +*Note*: `forbiddenSysctls` takes precedence, such that an explicitly forbidden sysctl is still forbidden even if it appears in `allowedSysctls` as well. However in practice, such overlap between the rules should be avoided. + +## References + +* [Using sysctls in a Kubernetes Cluster](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/) +* [Kubernetes API Reference - Sysctl](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#sysctl-v1-core) \ No newline at end of file diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/artifacthub-pkg.yml new file mode 100644 index 000000000..48ba046fb --- /dev/null +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +version: 1.1.2 +name: k8spspforbiddensysctls +displayName: Forbidden Sysctls +createdAt: "2023-05-23T09:47:31Z" +description: Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ +digest: b9b00a75d075d84d4b23066545063969a9dac86717eb62ee5da1861e720f5df2 +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/forbidden-sysctls +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # Forbidden Sysctls + Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml + ``` +provider: + name: Gatekeeper Library diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/kustomization.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/kustomization.yaml new file mode 100644 index 000000000..7d70d11b7 --- /dev/null +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - template.yaml 
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/constraint.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/constraint.yaml new file mode 100644 index 000000000..39abf4b23 --- /dev/null +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/constraint.yaml @@ -0,0 +1,15 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPForbiddenSysctls +metadata: + name: psp-forbidden-sysctls +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + forbiddenSysctls: + # - "*" # * may be used to forbid all sysctls + - kernel.* + allowedSysctls: + - "*" # allows all sysctls. allowedSysctls is optional. diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/example_allowed.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/example_allowed.yaml new file mode 100644 index 000000000..4b6cc4b66 --- /dev/null +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/example_allowed.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-forbidden-sysctls-disallowed + labels: + app: nginx-forbidden-sysctls +spec: + containers: + - name: nginx + image: nginx + securityContext: + sysctls: + - name: net.core.somaxconn + value: "1024" diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/example_disallowed.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/example_disallowed.yaml new file mode 100644 index 000000000..34ab8f344 --- /dev/null +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/example_disallowed.yaml 
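Review bot: The `example_allowed.yaml` sample in this hunk names its pod `nginx-forbidden-sysctls-disallowed`, the same name as the disallowed sample, which is misleading when the file is read as documentation of what the constraint permits; `name: nginx-forbidden-sysctls-allowed` matches the file's intent. The same copy-paste naming appears later in this diff in the fsgroup `example_allowed.yaml` (`name: fsgroup-disallowed`) and in the host-filesystem `example_allowed.yaml` label `app: nginx-host-filesystem-disallowed`.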
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-forbidden-sysctls-disallowed + labels: + app: nginx-forbidden-sysctls +spec: + containers: + - name: nginx + image: nginx + securityContext: + sysctls: + - name: kernel.msgmax + value: "65536" + - name: net.core.somaxconn + value: "1024" diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/update.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/update.yaml new file mode 100644 index 000000000..e4e732be9 --- /dev/null +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/update.yaml @@ -0,0 +1,21 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-forbidden-sysctls-disallowed + labels: + app: nginx-forbidden-sysctls + spec: + containers: + - name: nginx + image: nginx + securityContext: + sysctls: + - name: kernel.msgmax + value: "65536" + - name: net.core.somaxconn + value: "1024" diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/suite.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/suite.yaml new file mode 100644 index 000000000..d00f85b8b --- /dev/null +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/suite.yaml 
@@ -0,0 +1,21 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: forbidden-sysctls +tests: + - name: forbidden-sysctls + template: template.yaml + constraint: samples/psp-forbidden-sysctls/constraint.yaml + cases: + - name: example-disallowed + object: samples/psp-forbidden-sysctls/example_disallowed.yaml + assertions: + - violations: yes + - name: example-allowed + object: samples/psp-forbidden-sysctls/example_allowed.yaml + assertions: + - violations: no + - name: update + object: samples/psp-forbidden-sysctls/update.yaml + assertions: + - violations: no diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml new file mode 100644 index 000000000..3d3c1d9a0 --- /dev/null +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml 
@@ -0,0 +1,100 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8spspforbiddensysctls + annotations: + metadata.gatekeeper.sh/title: "Forbidden Sysctls" + metadata.gatekeeper.sh/version: 1.1.2 + description: >- + Controls the `sysctl` profile used by containers. Corresponds to the + `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. + When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. + The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. + For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ +spec: + crd: + spec: + names: + kind: K8sPSPForbiddenSysctls + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Controls the `sysctl` profile used by containers. Corresponds to the + `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. + When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. + The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. + For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ + properties: + allowedSysctls: + type: array + description: "An allow-list of sysctls. `*` allows all sysctls not listed in the `forbiddenSysctls` parameter." + items: + type: string + forbiddenSysctls: + type: array + description: "A disallow-list of sysctls. `*` forbids all sysctls." + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8spspforbiddensysctls + + import data.lib.exclude_update.is_update + + # Block if forbidden + violation[{"msg": msg, "details": {}}] { + # spec.securityContext.sysctls field is immutable. 
+ not is_update(input.review) + + sysctl := input.review.object.spec.securityContext.sysctls[_].name + forbidden_sysctl(sysctl) + msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls]) + } + + # Block if not explicitly allowed + violation[{"msg": msg, "details": {}}] { + not is_update(input.review) + sysctl := input.review.object.spec.securityContext.sysctls[_].name + not allowed_sysctl(sysctl) + msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls]) + } + + # * may be used to forbid all sysctls + forbidden_sysctl(sysctl) { + input.parameters.forbiddenSysctls[_] == "*" + } + + forbidden_sysctl(sysctl) { + input.parameters.forbiddenSysctls[_] == sysctl + } + + forbidden_sysctl(sysctl) { + forbidden := input.parameters.forbiddenSysctls[_] + endswith(forbidden, "*") + startswith(sysctl, trim_suffix(forbidden, "*")) + } + + # * may be used to allow all sysctls + allowed_sysctl(sysctl) { + input.parameters.allowedSysctls[_] == "*" + } + + allowed_sysctl(sysctl) { + input.parameters.allowedSysctls[_] == sysctl + } + + allowed_sysctl(sysctl) { + allowed := input.parameters.allowedSysctls[_] + endswith(allowed, "*") + startswith(sysctl, trim_suffix(allowed, "*")) + } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/README.md b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/README.md new file mode 100644 index 000000000..b70d94d45 --- /dev/null +++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/README.md @@ -0,0 +1,7 @@ +# Deprecated + +**This Policy is deprecated** + +Please use the FSGroup settings on the users policy to enforce FSGroup Settings. + +[Users Policy](../users) 
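Review bot: The "Block if not explicitly allowed" rule in the forbidden-sysctls template denies every sysctl when a constraint omits `allowedSysctls`: all three `allowed_sysctl` rules index `input.parameters.allowedSysctls[_]`, which is undefined for a missing parameter, so `not allowed_sysctl(sysctl)` succeeds for each name. That contradicts the README added in this commit ("If unspecified, no limitations are made by this parameter") and the sample constraint's `# allowedSysctls is optional` comment. Either make the parameter genuinely optional with a fourth rule next to the others, `allowed_sysctl(_) { not input.parameters.allowedSysctls }`, or keep the fail-closed behaviour and correct the README and the sample comment to say that omitting `allowedSysctls` forbids all sysctls. If this artifacthub copy is generated from the library source, apply the fix there.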
diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/artifacthub-pkg.yml new file mode 100644 index 000000000..818551a97 --- /dev/null +++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +version: 1.0.1 +name: k8spspfsgroup +displayName: FS Group +createdAt: "2023-05-23T09:47:31Z" +description: Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems +digest: 18d489cff65194e1ee7963197d4384cbd6b3141e3babfa66aff59b5062e32d35 +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/fsgroup +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # FS Group + Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml + ``` +provider: + name: Gatekeeper Library diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/kustomization.yaml new file mode 100644 index 000000000..7d70d11b7 --- /dev/null +++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - template.yaml diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/constraint.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/constraint.yaml new file mode 100644 index 000000000..4eb14fe3c 
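Review bot: The fsgroup `artifacthub-pkg.yml` `description` and `readme` fields say nothing about the policy being deprecated, although the README.md added just above this hunk opens with "This Policy is deprecated" and points to the users policy. Artifact Hub renders the `readme` field rather than README.md, so consumers of this 1.0.1 package will not see the notice; a first line such as `> **Deprecated**: use the FSGroup settings of the users policy instead.` in `readme`, and a "Deprecated." prefix on `description`, would carry it through. If these files are generated from the library source, add the notice to the source metadata instead.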
--- /dev/null +++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/constraint.yaml @@ -0,0 +1,14 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPFSGroup +metadata: + name: psp-fsgroup +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny" + ranges: + - min: 1 + max: 1000 diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/example_allowed.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/example_allowed.yaml new file mode 100644 index 000000000..17d3274c3 --- /dev/null +++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/example_allowed.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: fsgroup-disallowed +spec: + securityContext: + fsGroup: 500 # directory will have group ID 500 + volumes: + - name: fsgroup-demo-vol + emptyDir: {} + containers: + - name: fsgroup-demo + image: busybox + command: ["sh", "-c", "sleep 1h"] + volumeMounts: + - name: fsgroup-demo-vol + mountPath: /data/demo diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/example_disallowed.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/example_disallowed.yaml new file mode 100644 index 000000000..9caf7c0a3 --- /dev/null +++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/example_disallowed.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: fsgroup-disallowed +spec: + securityContext: + fsGroup: 2000 # directory will have group ID 2000 + volumes: + - name: fsgroup-demo-vol + emptyDir: {} + containers: + - name: fsgroup-demo + image: busybox + command: [ "sh", "-c", "sleep 1h" ] + volumeMounts: + - name: fsgroup-demo-vol + mountPath: /data/demo 
diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/update.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/update.yaml new file mode 100644 index 000000000..c0de7258a --- /dev/null +++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/update.yaml @@ -0,0 +1,22 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: fsgroup-disallowed + spec: + securityContext: + fsGroup: 2000 # directory will have group ID 2000 + volumes: + - name: fsgroup-demo-vol + emptyDir: {} + containers: + - name: fsgroup-demo + image: busybox + command: [ "sh", "-c", "sleep 1h" ] + volumeMounts: + - name: fsgroup-demo-vol + mountPath: /data/demo diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/suite.yaml new file mode 100644 index 000000000..cb102e785 --- /dev/null +++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/suite.yaml @@ -0,0 +1,21 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: fsgroup +tests: + - name: fsgroup + template: template.yaml + constraint: samples/psp-fsgroup/constraint.yaml + cases: + - name: example-disallowed + object: samples/psp-fsgroup/example_disallowed.yaml + assertions: + - violations: yes + - name: example-allowed + object: samples/psp-fsgroup/example_allowed.yaml + assertions: + - violations: no + - name: update + object: samples/psp-fsgroup/update.yaml + assertions: + - violations: no diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml new file mode 100644 index 000000000..d3f56af81 --- /dev/null +++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml 
@@ -0,0 +1,105 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8spspfsgroup + annotations: + metadata.gatekeeper.sh/title: "FS Group" + metadata.gatekeeper.sh/version: 1.0.1 + description: >- + Controls allocating an FSGroup that owns the Pod's volumes. Corresponds + to the `fsGroup` field in a PodSecurityPolicy. For more information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems +spec: + crd: + spec: + names: + kind: K8sPSPFSGroup + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Controls allocating an FSGroup that owns the Pod's volumes. Corresponds + to the `fsGroup` field in a PodSecurityPolicy. For more information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems + properties: + rule: + description: "An FSGroup rule name." + enum: + - MayRunAs + - MustRunAs + - RunAsAny + type: string + ranges: + type: array + description: "GID ranges affected by the rule." + items: + type: object + properties: + min: + description: "The minimum GID in the range, inclusive." + type: integer + max: + description: "The maximum GID in the range, inclusive." + type: integer + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8spspfsgroup + + import data.lib.exclude_update.is_update + + violation[{"msg": msg, "details": {}}] { + # spec.securityContext.fsGroup field is immutable. + not is_update(input.review) + + spec := input.review.object.spec + not input_fsGroup_allowed(spec) + msg := sprintf("The provided pod spec fsGroup is not allowed, pod: %v. Allowed fsGroup: %v", [input.review.object.metadata.name, input.parameters]) + } + + input_fsGroup_allowed(spec) { + # RunAsAny - No range is required. Allows any fsGroup ID to be specified. 
+ input.parameters.rule == "RunAsAny" + } + input_fsGroup_allowed(spec) { + # MustRunAs - Validates pod spec fsgroup against all ranges + input.parameters.rule == "MustRunAs" + fg := spec.securityContext.fsGroup + count(input.parameters.ranges) > 0 + range := input.parameters.ranges[_] + value_within_range(range, fg) + } + input_fsGroup_allowed(spec) { + # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset + input.parameters.rule == "MayRunAs" + not has_field(spec, "securityContext") + } + input_fsGroup_allowed(spec) { + # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset + input.parameters.rule == "MayRunAs" + not spec.securityContext.fsGroup + } + input_fsGroup_allowed(spec) { + # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset + input.parameters.rule == "MayRunAs" + fg := spec.securityContext.fsGroup + count(input.parameters.ranges) > 0 + range := input.parameters.ranges[_] + value_within_range(range, fg) + } + value_within_range(range, value) { + range.min <= value + range.max >= value + } + # has_field returns whether an object has a field + has_field(object, field) = true { + object[field] + } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/artifacthub-pkg.yml new file mode 100644 index 000000000..d417458bf --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/artifacthub-pkg.yml 
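Review bot: The first `MayRunAs` rule, `not has_field(spec, "securityContext")`, is subsumed by the one that follows it: when `securityContext` is absent, `spec.securityContext.fsGroup` is undefined and `not spec.securityContext.fsGroup` already succeeds, so that rule and the `has_field` helper can be dropped without changing results. The comments on the `MustRunAs` and `MayRunAs` rules say the fsGroup is validated "against all ranges", but each rule succeeds as soon as one `range := input.parameters.ranges[_]` satisfies `value_within_range`; `# MustRunAs - fsGroup must be set and fall within at least one configured range` and `# MayRunAs - fsGroup may be unset; when set it must fall within at least one configured range` describe the actual behaviour. If this artifacthub copy is generated from the library source, the change belongs there.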
@@ -0,0 +1,22 @@ +version: 1.0.1 +name: k8spsphostfilesystem +displayName: Host Filesystem +createdAt: "2023-05-23T09:47:31Z" +description: Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems +digest: 6ced943cc854322891d2b3021c586562c360c1e02f20bf52ca3032fb4a3da7fd +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-filesystem +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # Host Filesystem + Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml + ``` +provider: + name: Gatekeeper Library diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/kustomization.yaml new file mode 100644 index 000000000..7d70d11b7 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - template.yaml diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/constraint.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/constraint.yaml new file mode 100644 index 000000000..7cbd7b824 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/constraint.yaml 
@@ -0,0 +1,13 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPHostFilesystem +metadata: + name: psp-host-filesystem +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + allowedHostPaths: + - readOnly: true + pathPrefix: "/foo" diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/disallowed_ephemeral.yaml new file mode 100644 index 000000000..beece55c0 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/disallowed_ephemeral.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-host-filesystem + labels: + app: nginx-host-filesystem-disallowed +spec: + ephemeralContainers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /cache + name: cache-volume + readOnly: true + volumes: + - name: cache-volume + hostPath: + path: /tmp # directory location on host diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/example_allowed.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/example_allowed.yaml new file mode 100644 index 000000000..abc60d882 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/example_allowed.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-host-filesystem + labels: + app: nginx-host-filesystem-disallowed +spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /cache + name: cache-volume + readOnly: true + volumes: + - name: cache-volume + hostPath: + path: /foo/bar 
diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/example_disallowed.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/example_disallowed.yaml new file mode 100644 index 000000000..53107694f --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/example_disallowed.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-host-filesystem + labels: + app: nginx-host-filesystem-disallowed +spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /cache + name: cache-volume + readOnly: true + volumes: + - name: cache-volume + hostPath: + path: /tmp # directory location on host diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/update.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/update.yaml new file mode 100644 index 000000000..68b28a536 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/update.yaml @@ -0,0 +1,23 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-host-filesystem + labels: + app: nginx-host-filesystem-disallowed + spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /cache + name: cache-volume + readOnly: true + volumes: + - name: cache-volume + hostPath: + path: /tmp # directory location on host diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/suite.yaml new file mode 100644 index 000000000..5441df8cc --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/suite.yaml 
@@ -0,0 +1,25 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: host-filesystem +tests: + - name: host-filesystem + template: template.yaml + constraint: samples/psp-host-filesystem/constraint.yaml + cases: + - name: example-disallowed + object: samples/psp-host-filesystem/example_disallowed.yaml + assertions: + - violations: yes + - name: example-allowed + object: samples/psp-host-filesystem/example_allowed.yaml + assertions: + - violations: no + - name: disallowed-ephemeral + object: samples/psp-host-filesystem/disallowed_ephemeral.yaml + assertions: + - violations: yes + - name: update + object: samples/psp-host-filesystem/update.yaml + assertions: + - violations: no diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml new file mode 100644 index 000000000..2ef796fd4 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml 
@@ -0,0 +1,148 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spsphostfilesystem
+ annotations:
+ metadata.gatekeeper.sh/title: "Host Filesystem"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Controls usage of the host filesystem. Corresponds to the
+ `allowedHostPaths` field in a PodSecurityPolicy. For more information,
+ see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPHostFilesystem
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls usage of the host filesystem. Corresponds to the
+ `allowedHostPaths` field in a PodSecurityPolicy. For more information,
+ see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+ properties:
+ allowedHostPaths:
+ type: array
+ description: "An array of hostpath objects, representing paths and read/write configuration."
+ items:
+ type: object
+ properties:
+ pathPrefix:
+ type: string
+ description: "The path prefix that the host volume must match."
+ readOnly:
+ type: boolean
+ description: "when set to true, any container volumeMounts matching the pathPrefix must include `readOnly: true`."
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spsphostfilesystem
+
+ import data.lib.exclude_update.is_update
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.volumes field is immutable.
+ not is_update(input.review)
+
+ volume := input_hostpath_volumes[_]
+ allowedPaths := get_allowed_paths(input)
+ input_hostpath_violation(allowedPaths, volume)
+ msg := sprintf("HostPath volume %v is not allowed, pod: %v. 
Allowed path: %v", [volume, input.review.object.metadata.name, allowedPaths])
+ }
+
+ input_hostpath_violation(allowedPaths, volume) {
+ # An empty list means all host paths are blocked
+ allowedPaths == []
+ }
+ input_hostpath_violation(allowedPaths, volume) {
+ not input_hostpath_allowed(allowedPaths, volume)
+ }
+
+ get_allowed_paths(arg) = out {
+ not arg.parameters
+ out = []
+ }
+ get_allowed_paths(arg) = out {
+ not arg.parameters.allowedHostPaths
+ out = []
+ }
+ get_allowed_paths(arg) = out {
+ out = arg.parameters.allowedHostPaths
+ }
+
+ input_hostpath_allowed(allowedPaths, volume) {
+ allowedHostPath := allowedPaths[_]
+ path_matches(allowedHostPath.pathPrefix, volume.hostPath.path)
+ not allowedHostPath.readOnly == true
+ }
+
+ input_hostpath_allowed(allowedPaths, volume) {
+ allowedHostPath := allowedPaths[_]
+ path_matches(allowedHostPath.pathPrefix, volume.hostPath.path)
+ allowedHostPath.readOnly
+ not writeable_input_volume_mounts(volume.name)
+ }
+
+ writeable_input_volume_mounts(volume_name) {
+ container := input_containers[_]
+ mount := container.volumeMounts[_]
+ mount.name == volume_name
+ not mount.readOnly
+ }
+
+ # This allows "/foo", "/foo/", "/foo/bar" etc., but
+ # disallows "/fool", "/etc/foo" etc.
+ path_matches(prefix, path) {
+ a := path_array(prefix)
+ b := path_array(path)
+ prefix_matches(a, b)
+ }
+ path_array(p) = out {
+ p != "/"
+ out := split(trim(p, "/"), "/")
+ }
+ # This handles the special case for "/", since
+ # split(trim("/", "/"), "/") == [""]
+ path_array("/") = []
+
+ prefix_matches(a, b) {
+ count(a) <= count(b)
+ not any_not_equal_upto(a, b, count(a))
+ }
+
+ any_not_equal_upto(a, b, n) {
+ a[i] != b[i]
+ i < n
+ }
+
+ input_hostpath_volumes[v] {
+ v := input.review.object.spec.volumes[_]
+ has_field(v, "hostPath")
+ }
+
+ # has_field returns whether an object has a field
+ has_field(object, field) = true {
+ object[field]
+ }
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..2f68f69dc
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/artifacthub-pkg.yml
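Review bot: `path_matches` compares literal path segments after trimming slashes, so `pathPrefix` is a plain segment-prefix match with no path normalisation and no symlink resolution, and nothing in the template tells a constraint author that; the `pathPrefix` description is where they would look. Suggest `description: "The path prefix that the host volume must match. Matching is on literal path segments (\"/foo\" matches \"/foo\" and \"/foo/bar\" but not \"/foobar\"); the path is not normalised and symlinks are not resolved."`. The fail-closed defaults look right: a missing `parameters` or `allowedHostPaths` yields `[]` and blocks every hostPath, and an entry without `pathPrefix` leaves `path_matches` undefined so it cannot match anything. The `violation` rule these helpers serve is earlier in this hunk.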
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spsphostnamespace
+displayName: Host Namespace
+createdAt: "2023-05-23T09:47:31Z"
+description: Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+digest: a0e3fc6ed087233e70ae10bdc2a3ee550226207bf2bf7fb4567833710d39bed0
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-namespaces
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Host Namespace
+ Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/constraint.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/constraint.yaml
new file mode 100644
index 000000000..5b3ebba3a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/constraint.yaml
@@ -0,0 +1,9 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPHostNamespace
+metadata:
+ name: psp-host-namespace
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/example_allowed.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/example_allowed.yaml
new file mode 100644
index 000000000..f765f5b4d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/example_allowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-namespace-allowed
+ labels:
+ app: nginx-host-namespace
+spec:
+ hostPID: false
+ hostIPC: false
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/example_disallowed.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/example_disallowed.yaml
new file mode 100644
index 000000000..b979e8134
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/example_disallowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-namespace-disallowed
+ labels:
+ app: nginx-host-namespace
+spec:
+ hostPID: true
+ hostIPC: true
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/update.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/update.yaml
new file mode 100644
index 000000000..29e17f13a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-host-namespace-disallowed
+ labels:
+ app: nginx-host-namespace
+ spec:
+ hostPID: true
+ hostIPC: true
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/suite.yaml
new file mode 100644
index 000000000..b8e853d5f
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/suite.yaml
@@ -0,0 +1,21 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: host-namespaces
+tests:
+ - name: host-namespace
+ template: template.yaml
+ constraint: samples/psp-host-namespace/constraint.yaml
+ cases:
+ - name: example-allowed
+ object: samples/psp-host-namespace/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: example-disallowed
+ object: samples/psp-host-namespace/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-host-namespace/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml
new file mode 100644
index 000000000..a8b87e419
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml
@@ -0,0 +1,54 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spsphostnamespace
+ annotations:
+ metadata.gatekeeper.sh/title: "Host Namespace"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Disallows sharing of host PID and IPC namespaces by pod containers.
+ Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy.
+ For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPHostNamespace
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Disallows sharing of host PID and IPC namespaces by pod containers.
+ Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy.
+ For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spsphostnamespace
+
+ import data.lib.exclude_update.is_update
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.hostPID and spec.hostIPC fields are immutable.
+ not is_update(input.review)
+
+ input_share_hostnamespace(input.review.object)
+ msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name])
+ }
+
+ input_share_hostnamespace(o) {
+ o.spec.hostPID
+ }
+ input_share_hostnamespace(o) {
+ o.spec.hostIPC
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..3fe73120d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/artifacthub-pkg.yml
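Review bot: The message `Sharing the host namespace is not allowed: %v` names the pod but not which of `hostPID` or `hostIPC` triggered it, and `details` is left as `{}`, so whoever reads the denial has to go back to the pod spec to see what to change. Since `input_share_hostnamespace` already has one rule per field, the values can be surfaced without touching the logic: `"details": {"hostPID": object.get(input.review.object.spec, "hostPID", false), "hostIPC": object.get(input.review.object.spec, "hostIPC", false)}`. `object.get` is already relied on by this commit's `lib.exempt_container`, so it is within the Rego feature set the library targets.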
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spsphostnetworkingports
+displayName: Host Networking Ports
+createdAt: "2023-05-23T09:47:31Z"
+description: Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the `hostNetwork` and `hostPorts` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+digest: 00d1eec4552138ea7eb40a5f24cd8d5ec3b3da5bc7121928d1f66dc899064d86
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-network-ports
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Host Networking Ports
+ Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the `hostNetwork` and `hostPorts` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/constraint.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/constraint.yaml
new file mode 100644
index 000000000..fcbc5d805
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/constraint.yaml
@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPHostNetworkingPorts
+metadata:
+ name: psp-host-network-ports
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ hostNetwork: true
+ min: 80
+ max: 9000
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..7a4fa3114
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/disallowed_ephemeral.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-ports-disallowed
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ hostNetwork: true
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/example_allowed.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/example_allowed.yaml
new file mode 100644
index 000000000..08b321fe5
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/example_allowed.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-ports-allowed
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ hostNetwork: false
+ containers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 9000
+ hostPort: 80
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/example_disallowed.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/example_disallowed.yaml
new file mode 100644
index 000000000..9a496cd60
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/example_disallowed.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-ports-disallowed
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/update.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/update.yaml
new file mode 100644
index 000000000..231096430
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/update.yaml
@@ -0,0 +1,19 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-host-networking-ports-disallowed
+ labels:
+ app: nginx-host-networking-ports
+ spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/suite.yaml
new file mode 100644
index 000000000..710df69eb
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/suite.yaml
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: host-network-ports
+tests:
+- name: use-of-host-networking-ports-blocked
+ template: template.yaml
+ constraint: samples/psp-host-network-ports/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-host-network-ports/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-host-network-ports/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/psp-host-network-ports/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-host-network-ports/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml
new file mode 100644
index 000000000..31a9d9e56
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml
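Review bot: The `tests` sequence in this suite is written flush with its parent key (`- name: use-of-host-networking-ports-blocked` directly under `tests:`), whereas host-filesystem/1.0.1/suite.yaml and host-namespaces/1.0.1/suite.yaml in the same commit indent their sequence items; both parse, but mixing the two styles across sibling files makes later diffs noisier. privileged-containers/1.0.1/suite.yaml has the same flush style. If these versioned copies are generated from the source suites, the indentation belongs in the source rather than here.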
@@ -0,0 +1,118 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spsphostnetworkingports
+ annotations:
+ metadata.gatekeeper.sh/title: "Host Networking Ports"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Controls usage of host network namespace by pod containers. Specific
+ ports must be specified. Corresponds to the `hostNetwork` and
+ `hostPorts` fields in a PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPHostNetworkingPorts
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls usage of host network namespace by pod containers. Specific
+ ports must be specified. Corresponds to the `hostNetwork` and
+ `hostPorts` fields in a PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ hostNetwork:
+ description: "Determines if the policy allows the use of HostNetwork in the pod spec."
+ type: boolean
+ min:
+ description: "The start of the allowed port range, inclusive."
+ type: integer
+ max:
+ description: "The end of the allowed port range, inclusive."
+ type: integer
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spsphostnetworkingports
+
+ import data.lib.exclude_update.is_update
+ import data.lib.exempt_container.is_exempt
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.hostNetwork field is immutable.
+ not is_update(input.review)
+
+ input_share_hostnetwork(input.review.object)
+ msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters])
+ }
+
+ input_share_hostnetwork(o) {
+ not input.parameters.hostNetwork
+ o.spec.hostNetwork
+ }
+
+ input_share_hostnetwork(o) {
+ hostPort := input_containers[_].ports[_].hostPort
+ hostPort < input.parameters.min
+ }
+
+ input_share_hostnetwork(o) {
+ hostPort := input_containers[_].ports[_].hostPort
+ hostPort > input.parameters.max
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ not is_exempt(c)
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ not is_exempt(c)
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ not is_exempt(c)
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..12b37abb7
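Review bot: `input_share_hostnetwork` fails open when the constraint omits `min` or `max`: `hostPort < input.parameters.min` is undefined for a missing parameter, so the second and third rules never fire and every `hostPort` is accepted, with only the `hostNetwork` rule still in force. Given the description says specific ports must be specified, either mark both as required in the schema (`required: ["min", "max"]` under `openAPIV3Schema`) or add a rule that flags a `hostPort` whenever no range is configured, e.g. `input_share_hostnetwork(o) { input_containers[_].ports[_].hostPort; not input.parameters.min }` and the same for `max`; the schema route would reject constraints that only restrict `hostNetwork`, so it is a design choice worth stating in the description either way. Separately, the `lib.exempt_container` block at the end of this hunk (and its identical copy in privileged-containers/1.0.1/template.yaml) treats a bare `*` entry as an empty prefix — `trim_suffix("*", "*")` is `""` and `startswith(img, "")` holds for every image — so a single `*` in `exemptImages` silently disables the policy for all containers. That deserves a sentence in the `exemptImages` description, e.g. `A bare "*" entry exempts every image.`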
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspprivilegedcontainer
+displayName: Privileged Container
+createdAt: "2023-05-23T09:47:31Z"
+description: Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
+digest: c8e6071091c7442d217106f83cc8b63cfe3bf48f49196435c5f974ec5cc094d5
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/privileged-containers
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Privileged Container
+ Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/constraint.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/constraint.yaml
new file mode 100644
index 000000000..b246b244a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/constraint.yaml
@@ -0,0 +1,10 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPPrivilegedContainer
+metadata:
+ name: psp-privileged-container
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ excludedNamespaces: ["kube-system"]
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..e8c8b9945
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/disallowed_ephemeral.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privileged-disallowed
+ labels:
+ app: nginx-privileged
+spec:
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: true
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/example_allowed.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/example_allowed.yaml
new file mode 100644
index 000000000..bb65a2c0e
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/example_allowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privileged-allowed
+ labels:
+ app: nginx-privileged
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: false
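Review bot: The sample constraint sets `excludedNamespaces: ["kube-system"]` without a comment, and it is the only sample in this batch that carries a namespace exclusion, so a reader copying it cannot tell whether the policy needs it or it is a convenience for clusters whose system components run privileged. A one-line comment above it would settle that, e.g. `# system components in kube-system commonly need privileged mode; narrow or drop this exclusion for your cluster`. If this versioned copy is generated from the source sample, the comment belongs there.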
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/example_disallowed.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/example_disallowed.yaml
new file mode 100644
index 000000000..936a24f8e
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/example_disallowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privileged-disallowed
+ labels:
+ app: nginx-privileged
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: true
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/update.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/update.yaml
new file mode 100644
index 000000000..08f36044c
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-privileged-disallowed
+ labels:
+ app: nginx-privileged
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: true
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/suite.yaml
new file mode 100644
index 000000000..c2e484fc5
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/suite.yaml
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: privileged-containers
+tests:
+- name: privileged-containers-disallowed
+ template: template.yaml
+ constraint: samples/psp-privileged-container/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-privileged-container/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-privileged-container/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/psp-privileged-container/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-privileged-container/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml
new file mode 100644
index 000000000..c552c193d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml
@@ -0,0 +1,92 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspprivilegedcontainer
+ annotations:
+ metadata.gatekeeper.sh/title: "Privileged Container"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Controls the ability of any container to enable privileged mode.
+ Corresponds to the `privileged` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPPrivilegedContainer
+ validation:
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls the ability of any container to enable privileged mode.
+ Corresponds to the `privileged` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spspprivileged
+
+ import data.lib.exclude_update.is_update
+ import data.lib.exempt_container.is_exempt
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.containers.privileged field is immutable.
+ not is_update(input.review)
+
+ c := input_containers[_]
+ not is_exempt(c)
+ c.securityContext.privileged
+ msg := sprintf("Privileged container is not allowed: %v, securityContext: %v", [c.name, c.securityContext])
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/README.md b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/README.md
new file mode 100644
index 000000000..9e45b7207
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/README.md
@@ -0,0 +1,12 @@
+# ProcMount security context policy
+
+`procMount` denotes the type of proc mount to use for the containers. The default is `DefaultProcMount` which uses the container runtime defaults for readonly paths and masked paths.
+
+Types of proc mount are:
+
+- `DefaultProcMount` uses the container runtime default ProcType. Most container runtimes mask certain paths in /proc to avoid accidental security exposure of special devices or information.
+
+- `UnmaskedProcMount` bypasses the default masking behavior of the container runtime and ensures the newly created /proc the container stays in tact with no modifications.
+
+This requires the `ProcMountType` feature flag to be enabled. Set `--feature-gates=ProcMountType=true` in Kubernetes API Server to be able to use `Unmasked` procMount type (requires v1.12 and above). For more information, see
+https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/#options and https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/.
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/artifacthub-pkg.yml
new file mode 100644
index 000000000..61b7bb380
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.2
+name: k8spspprocmount
+displayName: Proc Mount
+createdAt: "2023-05-23T09:47:31Z"
+description: Controls the allowed `procMount` types for the container. Corresponds to the `allowedProcMountTypes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
+digest: 9a792a8c5d3a0559d877b673315598390a44d602fc2dcbe7c4f69f734dd94c97
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/proc-mount
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Proc Mount
+ Controls the allowed `procMount` types for the container. Corresponds to the `allowedProcMountTypes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/kustomization.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/constraint.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/constraint.yaml
new file mode 100644
index 000000000..1d7434ac0
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/constraint.yaml
@@ -0,0 +1,11 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPProcMount
+metadata:
+ name: psp-proc-mount
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ procMount: Default
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..4be38f45d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/disallowed_ephemeral.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-proc-mount-disallowed
+ labels:
+ app: nginx-proc-mount
+spec:
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ procMount: Unmasked #Default
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/example_allowed.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/example_allowed.yaml
new file mode 100644
index 000000000..c9b13ac71
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/example_allowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-proc-mount-disallowed
+ labels:
+ app: nginx-proc-mount
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ procMount: Default
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/example_disallowed.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/example_disallowed.yaml
new file mode 100644
index 000000000..403c7cb2a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/example_disallowed.yaml
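Review bot: The pod in example_allowed.yaml is named `nginx-proc-mount-disallowed`, the same name the disallowed samples use, which makes gator output and any message that prints `metadata.name` ambiguous between the passing and failing cases. The read-only-root-filesystem samples further down in this commit use `nginx-readonlyrootfilesystem-allowed` for the allowed case, so this one looks like a copy-paste slip; I would change it to `name: nginx-proc-mount-allowed`. If the artifacthub tree is generated from the library sources, the rename belongs in the source sample rather than here.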
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-proc-mount-disallowed
+ labels:
+ app: nginx-proc-mount
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ procMount: Unmasked #Default
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/update.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/update.yaml
new file mode 100644
index 000000000..dc21b1142
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-proc-mount-disallowed
+ labels:
+ app: nginx-proc-mount
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ procMount: Unmasked #Default
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/suite.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/suite.yaml
new file mode 100644
index 000000000..501493e14
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/suite.yaml
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: proc-mount
+tests:
+- name: default-proc-mount-required
+ template: template.yaml
+ constraint: samples/psp-proc-mount/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-proc-mount/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-proc-mount/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/psp-proc-mount/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-proc-mount/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml
new file mode 100644
index 000000000..bbf2244da
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml
@@ -0,0 +1,138 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspprocmount
+ annotations:
+ metadata.gatekeeper.sh/title: "Proc Mount"
+ metadata.gatekeeper.sh/version: 1.0.2
+ description: >-
+ Controls the allowed `procMount` types for the container. Corresponds to
+ the `allowedProcMountTypes` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPProcMount
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls the allowed `procMount` types for the container. Corresponds to
+ the `allowedProcMountTypes` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ procMount:
+ type: string
+ description: >-
+ Defines the strategy for the security exposure of certain paths
+ in `/proc` by the container runtime. Setting to `Default` uses
+ the runtime defaults, where `Unmasked` bypasses the default
+ behavior.
+ enum:
+ - Default
+ - Unmasked
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spspprocmount
+
+ import data.lib.exclude_update.is_update
+ import data.lib.exempt_container.is_exempt
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.containers.securityContext.procMount field is immutable.
+ not is_update(input.review)
+
+ c := input_containers[_]
+ not is_exempt(c)
+ allowedProcMount := get_allowed_proc_mount(input)
+ not input_proc_mount_type_allowed(allowedProcMount, c)
+ msg := sprintf("ProcMount type is not allowed, container: %v. Allowed procMount types: %v", [c.name, allowedProcMount])
+ }
+
+ input_proc_mount_type_allowed(allowedProcMount, c) {
+ allowedProcMount == "default"
+ lower(c.securityContext.procMount) == "default"
+ }
+ input_proc_mount_type_allowed(allowedProcMount, c) {
+ allowedProcMount == "unmasked"
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ c.securityContext.procMount
+ }
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ c.securityContext.procMount
+ }
+ input_containers[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ c.securityContext.procMount
+ }
+
+ get_allowed_proc_mount(arg) = out {
+ not arg.parameters
+ out = "default"
+ }
+ get_allowed_proc_mount(arg) = out {
+ not arg.parameters.procMount
+ out = "default"
+ }
+ get_allowed_proc_mount(arg) = out {
+ arg.parameters.procMount
+ not valid_proc_mount(arg.parameters.procMount)
+ out = "default"
+ }
+ get_allowed_proc_mount(arg) = out {
+ valid_proc_mount(arg.parameters.procMount)
+ out = lower(arg.parameters.procMount)
+ }
+
+ valid_proc_mount(str) {
+ lower(str) == "default"
+ }
+ valid_proc_mount(str) {
+ lower(str) == "unmasked"
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, 
prefix)
+ }
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..76a2fbd74
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspreadonlyrootfilesystem
+displayName: Read Only Root Filesystem
+createdAt: "2023-05-23T09:47:31Z"
+description: Requires the use of a read-only root file system by pod containers. Corresponds to the `readOnlyRootFilesystem` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+digest: b2b009150e5eb99c2746d79e0de085d11b2bddb1c5e0613bdefcc6d27d8a221d
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/read-only-root-filesystem
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Read Only Root Filesystem
+ Requires the use of a read-only root file system by pod containers. Corresponds to the `readOnlyRootFilesystem` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/kustomization.yaml
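Review bot: `not is_update(input.review)` at the top of the violation rule exempts every UPDATE, but `input_containers` also iterates `spec.ephemeralContainers`, and in Kubernetes an ephemeral container is only ever attached to an already-running pod through an update of the `ephemeralcontainers` subresource; if that request reaches the webhook at all (worth confirming against the webhook configuration), an ephemeral container with `procMount: Unmasked` added after creation is never evaluated, so the `ephemeralContainers` branch is effectively dead for real clusters and only the `disallowed_ephemeral.yaml` CREATE sample exercises it. The comment `# spec.containers.securityContext.procMount field is immutable.` is accurate for the static container lists but does not hold for the ephemeral list, which is the one that is mutable; I would narrow the guard so the update exemption applies to `containers` and `initContainers` while ephemeral containers are still checked on UPDATE, and add an AdmissionReview sample with `operation: "UPDATE"` that appends an ephemeral container and expects a violation. The same guard-plus-ephemeral pattern appears in the read-only-root-filesystem template and the selinux template later in this commit, and in the privileged-container hunk above whose start is outside this view. If this artifacthub tree is generated from the library sources, the change belongs in the source template rather than these copies.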
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/constraint.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/constraint.yaml
new file mode 100644
index 000000000..66d6bdabe
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/constraint.yaml
@@ -0,0 +1,9 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPReadOnlyRootFilesystem
+metadata:
+ name: psp-readonlyrootfilesystem
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..d0ce2c4dc
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-readonlyrootfilesystem-disallowed
+ labels:
+ app: nginx-readonlyrootfilesystem
+spec:
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ readOnlyRootFilesystem: false
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/example_allowed.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/example_allowed.yaml
new file mode 100644
index 000000000..9c96bd18c
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/example_allowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-readonlyrootfilesystem-allowed
+ labels:
+ app: nginx-readonlyrootfilesystem
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ readOnlyRootFilesystem: true
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/example_disallowed.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/example_disallowed.yaml
new file mode 100644
index 000000000..7571bfd9f
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/example_disallowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-readonlyrootfilesystem-disallowed
+ labels:
+ app: nginx-readonlyrootfilesystem
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ readOnlyRootFilesystem: false
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/update.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/update.yaml
new file mode 100644
index 000000000..b31ae5e3a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-readonlyrootfilesystem-disallowed
+ labels:
+ app: nginx-readonlyrootfilesystem
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ readOnlyRootFilesystem: false
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/suite.yaml
new file mode 100644
index 000000000..db736886f
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/suite.yaml
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: read-only-root-filesystem
+tests:
+- name: require-read-only-root-filesystem
+ template: template.yaml
+ constraint: samples/psp-readonlyrootfilesystem/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-readonlyrootfilesystem/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-readonlyrootfilesystem/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-readonlyrootfilesystem/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml
new file mode 100644
index 000000000..bca12eeae
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml
@@ -0,0 +1,103 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspreadonlyrootfilesystem
+ annotations:
+ metadata.gatekeeper.sh/title: "Read Only Root Filesystem"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Requires the use of a read-only root file system by pod containers.
+ Corresponds to the `readOnlyRootFilesystem` field in a
+ PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPReadOnlyRootFilesystem
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Requires the use of a read-only root file system by pod containers.
+ Corresponds to the `readOnlyRootFilesystem` field in a
+ PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spspreadonlyrootfilesystem
+
+ import data.lib.exclude_update.is_update
+ import data.lib.exempt_container.is_exempt
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.containers.readOnlyRootFilesystem field is immutable.
+ not is_update(input.review)
+
+ c := input_containers[_]
+ not is_exempt(c)
+ input_read_only_root_fs(c)
+ msg := sprintf("only read-only root filesystem container is allowed: %v", [c.name])
+ }
+
+ input_read_only_root_fs(c) {
+ not has_field(c, "securityContext")
+ }
+ input_read_only_root_fs(c) {
+ not c.securityContext.readOnlyRootFilesystem == true
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ }
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ }
+ input_containers[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ }
+
+ # has_field returns whether an object has a field
+ has_field(object, field) = true {
+ object[field]
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/selinux/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..b41f55e84
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspselinuxv2
+displayName: SELinux V2
+createdAt: "2023-05-23T09:47:32Z"
+description: Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
+digest: 4b123118ccfaccae4f0f895db926a46e41414e58cd779179a0767c6ab216055d
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/selinux
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # SELinux V2
+ Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/constraint.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/constraint.yaml
new file mode 100644
index 000000000..f88bbcd69
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/constraint.yaml
@@ -0,0 +1,15 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPSELinuxV2
+metadata:
+ name: psp-selinux-v2
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ allowedSELinuxOptions:
+ - level: s0:c123,c456
+ role: object_r
+ type: svirt_sandbox_file_t
+ user: system_u
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..3a35fc737
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/disallowed_ephemeral.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-selinux-disallowed
+ labels:
+ app: nginx-selinux
+spec:
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ seLinuxOptions:
+ level: s1:c234,c567
+ user: sysadm_u
+ role: sysadm_r
+ type: svirt_lxc_net_t
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/example_allowed.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/example_allowed.yaml
new file mode 100644
index 000000000..4eaf2dc92
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/example_allowed.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-selinux-allowed
+ labels:
+ app: nginx-selinux
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ seLinuxOptions:
+ level: s0:c123,c456
+ role: object_r
+ type: svirt_sandbox_file_t
+ user: system_u
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/example_disallowed.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/example_disallowed.yaml
new file mode 100644
index 000000000..7eb7fee11
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/example_disallowed.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-selinux-disallowed
+ labels:
+ app: nginx-selinux
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ seLinuxOptions:
+ level: s1:c234,c567
+ user: sysadm_u
+ role: sysadm_r
+ type: svirt_lxc_net_t
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/update.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/update.yaml
new file mode 100644
index 000000000..581419e9d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/update.yaml
@@ -0,0 +1,21 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-selinux-disallowed
+ labels:
+ app: nginx-selinux
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ seLinuxOptions:
+ level: s1:c234,c567
+ user: sysadm_u
+ role: sysadm_r
+ type: svirt_lxc_net_t
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/suite.yaml
new file mode 100644
index 000000000..1bbaf360e
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/suite.yaml
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: selinux
+tests:
+- name: require-matching-selinux-options
+ template: template.yaml
+ constraint: samples/psp-selinux-v2/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-selinux-v2/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-selinux-v2/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/psp-selinux-v2/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-selinux-v2/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml
new file mode 100644
index 000000000..61729eceb
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml
@@ -0,0 +1,144 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspselinuxv2
+ annotations:
+ metadata.gatekeeper.sh/title: "SELinux V2"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Defines an allow-list of seLinuxOptions configurations for pod
+ containers. Corresponds to a PodSecurityPolicy requiring SELinux configs.
+ For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPSELinuxV2
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Defines an allow-list of seLinuxOptions configurations for pod
+ containers. Corresponds to a PodSecurityPolicy requiring SELinux configs.
+ For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ allowedSELinuxOptions:
+ type: array
+ description: "An allow-list of SELinux options configurations."
+ items:
+ type: object
+ description: "An allowed configuration of SELinux options for a pod container."
+ properties:
+ level:
+ type: string
+ description: "An SELinux level."
+ role:
+ type: string
+ description: "An SELinux role."
+ type:
+ type: string
+ description: "An SELinux type."
+ user:
+ type: string
+ description: "An SELinux user."
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spspselinux
+
+ import data.lib.exclude_update.is_update
+ import data.lib.exempt_container.is_exempt
+
+ # Disallow top level custom SELinux options
+ violation[{"msg": msg, "details": {}}] {
+ # spec.securityContext.seLinuxOptions field is immutable.
+ not is_update(input.review)
+
+ has_field(input.review.object.spec.securityContext, "seLinuxOptions")
+ not input_seLinuxOptions_allowed(input.review.object.spec.securityContext.seLinuxOptions)
+ msg := sprintf("SELinux options is not allowed, pod: %v. Allowed options: %v", [input.review.object.metadata.name, input.parameters.allowedSELinuxOptions])
+ }
+ # Disallow container level custom SELinux options
+ violation[{"msg": msg, "details": {}}] {
+ # spec.containers.securityContext.seLinuxOptions field is immutable.
+ not is_update(input.review)
+
+ c := input_security_context[_]
+ not is_exempt(c)
+ has_field(c.securityContext, "seLinuxOptions")
+ not input_seLinuxOptions_allowed(c.securityContext.seLinuxOptions)
+ msg := sprintf("SELinux options is not allowed, pod: %v, container %v. 
Allowed options: %v", [input.review.object.metadata.name, c.name, input.parameters.allowedSELinuxOptions])
+ }
+
+ input_seLinuxOptions_allowed(options) {
+ params := input.parameters.allowedSELinuxOptions[_]
+ field_allowed("level", options, params)
+ field_allowed("role", options, params)
+ field_allowed("type", options, params)
+ field_allowed("user", options, params)
+ }
+
+ field_allowed(field, options, params) {
+ params[field] == options[field]
+ }
+ field_allowed(field, options, params) {
+ not has_field(options, field)
+ }
+
+ input_security_context[c] {
+ c := input.review.object.spec.containers[_]
+ has_field(c.securityContext, "seLinuxOptions")
+ }
+ input_security_context[c] {
+ c := input.review.object.spec.initContainers[_]
+ has_field(c.securityContext, "seLinuxOptions")
+ }
+ input_security_context[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ has_field(c.securityContext, "seLinuxOptions")
+ }
+
+ # has_field returns whether an object has a field
+ has_field(object, field) = true {
+ object[field]
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/users/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..338f2ee94
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/users/1.0.1/artifacthub-pkg.yml
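Review bot: Both violation rules build their message from `input.parameters.allowedSELinuxOptions` directly, and `input_seLinuxOptions_allowed` iterates the same path; as I read the Rego, when a constraint is applied without that parameter the reference is undefined, the `sprintf` is undefined, and the rule body as a whole yields nothing, so a pod that sets any `seLinuxOptions` is admitted without a violation instead of being rejected against an empty allow-list (an explicit `allowedSELinuxOptions: []` does reject, which makes the two cases inconsistent). The neighbouring `is_exempt` helper already shows the defensive form for missing parameters; I would read the list once through `object.get(object.get(input, "parameters", {}), "allowedSELinuxOptions", [])` and use that value both in `input_seLinuxOptions_allowed` and in the two messages, so a missing parameter fails closed. A suite case with a constraint that omits `parameters` and expects a violation would pin this. If this artifacthub tree is generated from the library sources, the fix belongs in the source template.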
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspallowedusers
+displayName: Allowed Users
+createdAt: "2023-05-23T09:47:32Z"
+description: Controls the user and group IDs of the container and some volumes. Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and `fsGroup` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
+digest: 4145c820284a655c6dfded52eb983df65e0eb5f76c4086e4edf03cbe6da2caf2
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/users
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Allowed Users
+ Controls the user and group IDs of the container and some volumes. Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and `fsGroup` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/users/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/users/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/constraint.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/constraint.yaml
new file mode 100644
index 000000000..e69974578
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/constraint.yaml
@@ -0,0 +1,30 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPAllowedUsers +metadata: + name: psp-pods-allowed-user-ranges +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + runAsUser: + rule: MustRunAs # MustRunAsNonRoot # RunAsAny + ranges: + - min: 100 + max: 200 + runAsGroup: + rule: MustRunAs # MayRunAs # RunAsAny + ranges: + - min: 100 + max: 200 + supplementalGroups: + rule: MustRunAs # MayRunAs # RunAsAny + ranges: + - min: 100 + max: 200 + fsGroup: + rule: MustRunAs # MayRunAs # RunAsAny + ranges: + - min: 100 + max: 200 diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml new file mode 100644 index 000000000..6297f0dfd --- /dev/null +++ b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-users-disallowed + labels: + app: nginx-users +spec: + securityContext: + supplementalGroups: + - 250 + fsGroup: 250 + ephemeralContainers: + - name: nginx + image: nginx + securityContext: + runAsUser: 250 + runAsGroup: 250 diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/example_allowed.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/example_allowed.yaml new file mode 100644 index 000000000..79899ed98 --- /dev/null +++ b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/example_allowed.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-users-allowed + labels: + app: nginx-users +spec: + securityContext: + supplementalGroups: + - 199 + fsGroup: 199 + containers: + - name: nginx + image: nginx + securityContext: + runAsUser: 199 + runAsGroup: 199 
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/example_disallowed.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/example_disallowed.yaml new file mode 100644 index 000000000..516cce14b --- /dev/null +++ b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/example_disallowed.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-users-disallowed + labels: + app: nginx-users +spec: + securityContext: + supplementalGroups: + - 250 + fsGroup: 250 + containers: + - name: nginx + image: nginx + securityContext: + runAsUser: 250 + runAsGroup: 250 diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/update.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/update.yaml new file mode 100644 index 000000000..6f4d3ed72 --- /dev/null +++ b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/update.yaml @@ -0,0 +1,22 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-users-disallowed + labels: + app: nginx-users + spec: + securityContext: + supplementalGroups: + - 250 + fsGroup: 250 + containers: + - name: nginx + image: nginx + securityContext: + runAsUser: 250 + runAsGroup: 250 diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/suite.yaml new file mode 100644 index 000000000..5c6e49640 --- /dev/null +++ b/artifacthub/library/pod-security-policy/users/1.0.1/suite.yaml 
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: users
+tests:
+- name: users-and-groups-together
+ template: template.yaml
+ constraint: samples/psp-pods-allowed-user-ranges/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-pods-allowed-user-ranges/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-pods-allowed-user-ranges/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-pods-allowed-user-ranges/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/template.yaml
new file mode 100644
index 000000000..1e572443e
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/users/1.0.1/template.yaml
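Review bot: The new `update` case asserts no violations for a disallowed pod on UPDATE, but no case sends an UPDATE that carries `ephemeralContainers`, which is the shape a `kubectl debug` request takes (an UPDATE to the pods/ephemeralcontainers subresource, as far as I know). If the template's `not is_update(input.review)` guard short-circuits those, the `disallowed-ephemeral` case (a bare Pod object, implicitly CREATE) keeps passing while the real admission path is unchecked. I would add a case built like `update.yaml` but with `operation: "UPDATE"` and the `ephemeralContainers` list from `disallowed_ephemeral.yaml`, asserting `violations: yes`, and then decide whether the template or the expectation has to change to make it pass.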
@@ -0,0 +1,292 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8spspallowedusers + annotations: + metadata.gatekeeper.sh/title: "Allowed Users" + metadata.gatekeeper.sh/version: 1.0.1 + description: >- + Controls the user and group IDs of the container and some volumes. + Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and + `fsGroup` fields in a PodSecurityPolicy. For more information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups +spec: + crd: + spec: + names: + kind: K8sPSPAllowedUsers + validation: + openAPIV3Schema: + type: object + description: >- + Controls the user and group IDs of the container and some volumes. + Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and + `fsGroup` fields in a PodSecurityPolicy. For more information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups + properties: + exemptImages: + description: >- + Any container that uses an image that matches an entry in this list will be excluded + from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`. + + It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) + in order to avoid unexpectedly exempting images from an untrusted repository. + type: array + items: + type: string + runAsUser: + type: object + description: "Controls which user ID values are allowed in a Pod or container-level SecurityContext." + properties: + rule: + type: string + description: "A strategy for applying the runAsUser restriction." + enum: + - MustRunAs + - MustRunAsNonRoot + - RunAsAny + ranges: + type: array + description: "A list of user ID ranges affected by the rule." + items: + type: object + description: "The range of user IDs affected by the rule." + properties: + min: + type: integer + description: "The minimum user ID in the range, inclusive." 
+ max: + type: integer + description: "The maximum user ID in the range, inclusive." + runAsGroup: + type: object + description: "Controls which group ID values are allowed in a Pod or container-level SecurityContext." + properties: + rule: + type: string + description: "A strategy for applying the runAsGroup restriction." + enum: + - MustRunAs + - MayRunAs + - RunAsAny + ranges: + type: array + description: "A list of group ID ranges affected by the rule." + items: + type: object + description: "The range of group IDs affected by the rule." + properties: + min: + type: integer + description: "The minimum group ID in the range, inclusive." + max: + type: integer + description: "The maximum group ID in the range, inclusive." + supplementalGroups: + type: object + description: "Controls the supplementalGroups values that are allowed in a Pod or container-level SecurityContext." + properties: + rule: + type: string + description: "A strategy for applying the supplementalGroups restriction." + enum: + - MustRunAs + - MayRunAs + - RunAsAny + ranges: + type: array + description: "A list of group ID ranges affected by the rule." + items: + type: object + description: "The range of group IDs affected by the rule." + properties: + min: + type: integer + description: "The minimum group ID in the range, inclusive." + max: + type: integer + description: "The maximum group ID in the range, inclusive." + fsGroup: + type: object + description: "Controls the fsGroup values that are allowed in a Pod or container-level SecurityContext." + properties: + rule: + type: string + description: "A strategy for applying the fsGroup restriction." + enum: + - MustRunAs + - MayRunAs + - RunAsAny + ranges: + type: array + description: "A list of group ID ranges affected by the rule." + items: + type: object + description: "The range of group IDs affected by the rule." + properties: + min: + type: integer + description: "The minimum group ID in the range, inclusive." 
+ max: + type: integer + description: "The maximum group ID in the range, inclusive." + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8spspallowedusers + + import data.lib.exclude_update.is_update + import data.lib.exempt_container.is_exempt + + violation[{"msg": msg}] { + # runAsUser, runAsGroup, supplementalGroups, fsGroup fields are immutable. + not is_update(input.review) + + fields := ["runAsUser", "runAsGroup", "supplementalGroups", "fsGroup"] + field := fields[_] + container := input_containers[_] + not is_exempt(container) + msg := get_type_violation(field, container) + } + + get_type_violation(field, container) = msg { + field == "runAsUser" + params := input.parameters[field] + msg := get_user_violation(params, container) + } + + get_type_violation(field, container) = msg { + field != "runAsUser" + params := input.parameters[field] + msg := get_violation(field, params, container) + } + + # RunAsUser (separate due to "MustRunAsNonRoot") + get_user_violation(params, container) = msg { + rule := params.rule + provided_user := get_field_value("runAsUser", container, input.review) + not accept_users(rule, provided_user) + msg := sprintf("Container %v is attempting to run as disallowed user %v. 
Allowed runAsUser: %v", [container.name, provided_user, params]) + } + + get_user_violation(params, container) = msg { + not get_field_value("runAsUser", container, input.review) + params.rule = "MustRunAs" + msg := sprintf("Container %v is attempting to run without a required securityContext/runAsUser", [container.name]) + } + + get_user_violation(params, container) = msg { + params.rule = "MustRunAsNonRoot" + not get_field_value("runAsUser", container, input.review) + not get_field_value("runAsNonRoot", container, input.review) + msg := sprintf("Container %v is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", [container.name]) + } + + accept_users("RunAsAny", provided_user) {true} + + accept_users("MustRunAsNonRoot", provided_user) = res {res := provided_user != 0} + + accept_users("MustRunAs", provided_user) = res { + ranges := input.parameters.runAsUser.ranges + res := is_in_range(provided_user, ranges) + } + + # Group Options + get_violation(field, params, container) = msg { + rule := params.rule + provided_value := get_field_value(field, container, input.review) + not is_array(provided_value) + not accept_value(rule, provided_value, params.ranges) + msg := sprintf("Container %v is attempting to run as disallowed group %v. Allowed %v: %v", [container.name, provided_value, field, params]) + } + # SupplementalGroups is array value + get_violation(field, params, container) = msg { + rule := params.rule + array_value := get_field_value(field, container, input.review) + is_array(array_value) + provided_value := array_value[_] + not accept_value(rule, provided_value, params.ranges) + msg := sprintf("Container %v is attempting to run with disallowed supplementalGroups %v. 
Allowed %v: %v", [container.name, array_value, field, params]) + } + + get_violation(field, params, container) = msg { + not get_field_value(field, container, input.review) + params.rule == "MustRunAs" + msg := sprintf("Container %v is attempting to run without a required securityContext/%v. Allowed %v: %v", [container.name, field, field, params]) + } + + accept_value("RunAsAny", provided_value, ranges) {true} + + accept_value("MayRunAs", provided_value, ranges) = res { res := is_in_range(provided_value, ranges)} + + accept_value("MustRunAs", provided_value, ranges) = res { res := is_in_range(provided_value, ranges)} + + + # If container level is provided, that takes precedence + get_field_value(field, container, review) = out { + container_value := get_seccontext_field(field, container) + out := container_value + } + + # If no container level exists, use pod level + get_field_value(field, container, review) = out { + not has_seccontext_field(field, container) + review.kind.kind == "Pod" + pod_value := get_seccontext_field(field, review.object.spec) + out := pod_value + } + + # Helper Functions + is_in_range(val, ranges) = res { + matching := {1 | val >= ranges[j].min; val <= ranges[j].max} + res := count(matching) > 0 + } + + has_seccontext_field(field, obj) { + get_seccontext_field(field, obj) + } + + has_seccontext_field(field, obj) { + get_seccontext_field(field, obj) == false + } + + get_seccontext_field(field, obj) = out { + out = obj.securityContext[field] + } + + input_containers[c] { + c := input.review.object.spec.containers[_] + } + input_containers[c] { + c := input.review.object.spec.initContainers[_] + } + input_containers[c] { + c := input.review.object.spec.ephemeralContainers[_] + } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } + - | + package lib.exempt_container + + is_exempt(container) { + exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) + img := 
container.image + exemption := exempt_images[_] + _matches_exemption(img, exemption) + } + + _matches_exemption(img, exemption) { + not endswith(exemption, "*") + exemption == img + } + + _matches_exemption(img, exemption) { + endswith(exemption, "*") + prefix := trim_suffix(exemption, "*") + startswith(img, prefix) + } diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/volumes/1.0.1/artifacthub-pkg.yml new file mode 100644 index 000000000..2630a20fc --- /dev/null +++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +version: 1.0.1 +name: k8spspvolumetypes +displayName: Volume Types +createdAt: "2023-05-23T09:47:32Z" +description: Restricts mountable volume types to those specified by the user. Corresponds to the `volumes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems +digest: 95c71f8cfca302fcc4a122dc7f824884ea1f58d0f13b321b9f00a7976272764e +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/volumes +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # Volume Types + Restricts mountable volume types to those specified by the user. Corresponds to the `volumes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml + ``` +provider: + name: Gatekeeper Library diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/kustomization.yaml new file mode 100644 index 000000000..7d70d11b7 --- /dev/null 
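Review bot: `not is_update(input.review)` at the top of `violation` skips every UPDATE, yet `input_containers` also iterates `spec.ephemeralContainers`, and ephemeral containers are only ever added after creation through an UPDATE to the pods/ephemeralcontainers subresource; if Gatekeeper's webhook forwards those requests, a `kubectl debug` container with `runAsUser: 0` is admitted unchecked while the CREATE-shaped `disallowed_ephemeral.yaml` fixture keeps the suite green. The comment `# runAsUser, runAsGroup, supplementalGroups, fsGroup fields are immutable.` holds for the pod-level and regular-container fields only, so either narrow the guard (e.g. skip an UPDATE only when `input.review.object.spec.ephemeralContainers` equals `input.review.oldObject.spec.ephemeralContainers`) or state explicitly that ephemeral containers are not re-checked on update. Separately, the schema marks nothing as `required`: a constraint whose `runAsUser` omits `rule` yields no violation at all, because every `get_user_violation` body needs `params.rule`, which silently behaves like `RunAsAny`; adding `required: [rule]` under each strategy object would fail closed at constraint-apply time instead.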
+++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/constraint.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/constraint.yaml
new file mode 100644
index 000000000..0638df7cb
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/constraint.yaml
@@ -0,0 +1,20 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPVolumeTypes
+metadata:
+ name: psp-volume-types
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ volumes:
+ # - "*" # * may be used to allow all volume types
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+ - persistentVolumeClaim
+ #- hostPath #required for allowedHostPaths
+ - flexVolume #required for allowedFlexVolumes
diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/example_allowed.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/example_allowed.yaml
new file mode 100644
index 000000000..df6251e7d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/example_allowed.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-volume-types-allowed
+ labels:
+ app: nginx-volume-types
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ - name: nginx2
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache2
+ name: demo-vol
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
+ - name: demo-vol
+ emptyDir: {}
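Review bot: The sample allowlist enables `flexVolume` with the comment `#required for allowedFlexVolumes`, while `hostPath` is commented out with the same kind of justification; flexVolume is backed by driver binaries that run on the node, so anyone copying this sample as-is gets a host-facing volume type that the rest of the list deliberately avoids. I would disable it the same way as hostPath, `#- flexVolume #required for allowedFlexVolumes`, and let users opt in when they actually pair this constraint with the allowedFlexVolumes one. The `# - "*"` line could also say that the wildcard disables the check entirely rather than just "allow all volume types", since that is what a reader choosing it needs to know.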
diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/example_disallowed.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/example_disallowed.yaml new file mode 100644 index 000000000..562cf59d8 --- /dev/null +++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/example_disallowed.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-volume-types-disallowed + labels: + app: nginx-volume-types +spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /cache + name: cache-volume + - name: nginx2 + image: nginx + volumeMounts: + - mountPath: /cache2 + name: demo-vol + volumes: + - name: cache-volume + hostPath: + path: /tmp # directory location on host + - name: demo-vol + emptyDir: {} diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/update.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/update.yaml new file mode 100644 index 000000000..f25f07267 --- /dev/null +++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/update.yaml @@ -0,0 +1,29 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-volume-types-disallowed + labels: + app: nginx-volume-types + spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /cache + name: cache-volume + - name: nginx2 + image: nginx + volumeMounts: + - mountPath: /cache2 + name: demo-vol + volumes: + - name: cache-volume + hostPath: + path: /tmp # directory location on host + - name: demo-vol + emptyDir: {} diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/suite.yaml new file mode 100644 index 000000000..083aad6eb --- /dev/null 
+++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/suite.yaml
@@ -0,0 +1,21 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: volumes
+tests:
+- name: host-path-disallowed
+ template: template.yaml
+ constraint: samples/psp-volume-types/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-volume-types/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-volume-types/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: update
+ object: samples/psp-volume-types/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml
new file mode 100644
index 000000000..458cb3178
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml
@@ -0,0 +1,64 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8spspvolumetypes + annotations: + metadata.gatekeeper.sh/title: "Volume Types" + metadata.gatekeeper.sh/version: 1.0.1 + description: >- + Restricts mountable volume types to those specified by the user. + Corresponds to the `volumes` field in a PodSecurityPolicy. For more + information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems +spec: + crd: + spec: + names: + kind: K8sPSPVolumeTypes + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Restricts mountable volume types to those specified by the user. + Corresponds to the `volumes` field in a PodSecurityPolicy. For more + information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems + properties: + volumes: + description: "`volumes` is an array of volume types. All volume types can be enabled using `*`." + type: array + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8spspvolumetypes + + import data.lib.exclude_update.is_update + + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update(input.review) + + volume_fields := {x | input.review.object.spec.volumes[_][x]; x != "name"} + field := volume_fields[_] + not input_volume_type_allowed(field) + msg := sprintf("The volume type %v is not allowed, pod: %v. Allowed volume types: %v", [field, input.review.object.metadata.name, input.parameters.volumes]) + } + + # * may be used to allow all volume types + input_volume_type_allowed(field) { + input.parameters.volumes[_] == "*" + } + + input_volume_type_allowed(field) { + field == input.parameters.volumes[_] + } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } 
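Review bot: The one-line justification `# spec.volumes field is immutable.` is what makes `not is_update(input.review)` safe here, and it holds for Pods, but the guard keys on `review.operation` alone; as far as I recall Gatekeeper audit reviews carry no `operation`, so `is_update` is undefined there and pre-existing pods are still reported, which is the behaviour we want and deserves a sentence so nobody later "fixes" it by defaulting the operation. I would extend the comment to `# spec.volumes is immutable on Pods, so UPDATEs are skipped; audit reviews carry no operation and are still evaluated.` The `volumes` description should also warn that the projected service-account token volume is injected by admission before this webhook runs (if memory serves), so an allowlist without `projected` denies nearly every pod unless `automountServiceAccountToken` is false.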
diff --git a/library/general/automount-serviceaccount-token/samples/automount-serviceaccount-token/update.yaml b/library/general/automount-serviceaccount-token/samples/automount-serviceaccount-token/update.yaml new file mode 100644 index 000000000..0e9030f27 --- /dev/null +++ b/library/general/automount-serviceaccount-token/samples/automount-serviceaccount-token/update.yaml @@ -0,0 +1,16 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-automountserviceaccounttoken-update + labels: + app: nginx-automountserviceaccounttoken + spec: + automountServiceAccountToken: true + containers: + - name: nginx + image: nginx diff --git a/library/general/automount-serviceaccount-token/suite.yaml b/library/general/automount-serviceaccount-token/suite.yaml index 2cbc9064f..cf257d08f 100644 --- a/library/general/automount-serviceaccount-token/suite.yaml +++ b/library/general/automount-serviceaccount-token/suite.yaml @@ -15,3 +15,7 @@ tests: object: samples/automount-serviceaccount-token/example_disallowed.yaml assertions: - violations: yes + - name: update + object: samples/automount-serviceaccount-token/update.yaml + assertions: + - violations: no diff --git a/library/general/automount-serviceaccount-token/template.yaml b/library/general/automount-serviceaccount-token/template.yaml index c9f87c42f..82e69ff9c 100644 --- a/library/general/automount-serviceaccount-token/template.yaml +++ b/library/general/automount-serviceaccount-token/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spspautomountserviceaccounttokenpod annotations: metadata.gatekeeper.sh/title: "Automount Service Account Token for Pod" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the ability of any Pod to enable automountServiceAccountToken. spec: 
@@ -22,7 +22,12 @@ spec: rego: | package k8sautomountserviceaccounttoken + import data.lib.exclude_update.is_update + violation[{"msg": msg}] { + # spec.automountServiceAccountToken and spec.containers.volumeMounts fields are immutable. + not is_update(input.review) + obj := input.review.object mountServiceAccountToken(obj.spec) msg := sprintf("Automounting service account token is disallowed, pod: %v", [obj.metadata.name]) @@ -52,3 +57,10 @@ spec: has_key(x, k) { _ = x[k] } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } diff --git a/library/general/ephemeralstoragelimit/samples/container-must-have-ephemeral-storage-limit/update.yaml b/library/general/ephemeralstoragelimit/samples/container-must-have-ephemeral-storage-limit/update.yaml new file mode 100644 index 000000000..c0ff27893 --- /dev/null +++ b/library/general/ephemeralstoragelimit/samples/container-must-have-ephemeral-storage-limit/update.yaml @@ -0,0 +1,24 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: opa-allowed + labels: + owner: me.agilebank.demo + spec: + containers: + - name: opa + image: openpolicyagent/opa:0.9.2 + args: + - "run" + - "--server" + - "--addr=localhost:8080" + resources: + limits: + cpu: "100m" + memory: "1Gi" + ephemeral-storage: "1Pi" diff --git a/library/general/ephemeralstoragelimit/suite.yaml b/library/general/ephemeralstoragelimit/suite.yaml index f76b15f06..a6b99410d 100644 --- a/library/general/ephemeralstoragelimit/suite.yaml +++ b/library/general/ephemeralstoragelimit/suite.yaml @@ -27,3 +27,7 @@ tests: object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml assertions: - violations: yes + - name: ephemeral-storage-limit-update + object: samples/container-must-have-ephemeral-storage-limit/update.yaml + assertions: + - violations: no 
diff --git a/library/general/ephemeralstoragelimit/template.yaml b/library/general/ephemeralstoragelimit/template.yaml index 5362e5ffd..2f7bf1b2b 100644 --- a/library/general/ephemeralstoragelimit/template.yaml +++ b/library/general/ephemeralstoragelimit/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8scontainerephemeralstoragelimit annotations: metadata.gatekeeper.sh/title: "Container ephemeral storage limit" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values. @@ -38,6 +38,7 @@ spec: rego: | package k8scontainerephemeralstoragelimit + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt missing(obj, field) = true { @@ -150,10 +151,14 @@ spec: } violation[{"msg": msg}] { + # spec.containers.resources.limits["ephemeral-storage"] field is immutable. + not is_update(input.review) + general_violation[{"msg": msg, "field": "containers"}] } violation[{"msg": msg}] { + not is_update(input.review) general_violation[{"msg": msg, "field": "initContainers"}] } @@ -199,6 +204,12 @@ spec: msg := sprintf("container <%v> ephemeral-storage limit <%v> is higher than the maximum allowed of <%v>", [container.name, storage_orig, max_storage_orig]) } libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } - | package lib.exempt_container diff --git a/library/general/requiredprobes/samples/must-have-probes/update.yaml b/library/general/requiredprobes/samples/must-have-probes/update.yaml new file mode 100644 index 000000000..ff5e91103 --- /dev/null +++ b/library/general/requiredprobes/samples/must-have-probes/update.yaml 
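Review bot: `not is_update(input.review)` is added to both `violation` rules in the `@@ -150` hunk, but the justification `# spec.containers.resources.limits["ephemeral-storage"] field is immutable.` only sits on the first; the initContainers rule should carry the same note, or both should derive from one guarded helper, so the reason for skipping updates is stated exactly once. The immutability claim is also worth qualifying: with the in-place pod resize feature (alpha since 1.27, if I recall) cpu and memory limits become mutable on a running pod, and while ephemeral-storage is not covered by that today the comment should record the assumption, e.g. `# ephemeral-storage limits are immutable on Pods (in-place resize only covers cpu/memory), so UPDATEs are skipped.`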
@@ -0,0 +1,35 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: test-pod1 + spec: + containers: + - name: nginx-1 + image: nginx:1.7.9 + ports: + - containerPort: 80 + livenessProbe: + # tcpSocket: + # port: 80 + # initialDelaySeconds: 5 + # periodSeconds: 10 + volumeMounts: + - mountPath: /tmp/cache + name: cache-volume + - name: tomcat + image: tomcat + ports: + - containerPort: 8080 + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 10 + volumes: + - name: cache-volume + emptyDir: {} diff --git a/library/general/requiredprobes/suite.yaml b/library/general/requiredprobes/suite.yaml index 8e8629a92..86c2a229e 100644 --- a/library/general/requiredprobes/suite.yaml +++ b/library/general/requiredprobes/suite.yaml @@ -19,3 +19,7 @@ tests: object: samples/must-have-probes/example_disallowed2.yaml assertions: - violations: yes + - name: update + object: samples/must-have-probes/update.yaml + assertions: + - violations: no diff --git a/library/general/requiredprobes/template.yaml b/library/general/requiredprobes/template.yaml index 26417b101..4115a6d98 100644 --- a/library/general/requiredprobes/template.yaml +++ b/library/general/requiredprobes/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8srequiredprobes annotations: metadata.gatekeeper.sh/title: "Required Probes" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: Requires Pods to have readiness and/or liveness probes. spec: crd: @@ -30,11 +30,16 @@ spec: rego: | package k8srequiredprobes + import data.lib.exclude_update.is_update + probe_type_set = probe_types { probe_types := {type | type := input.parameters.probeTypes[_]} } violation[{"msg": msg}] { + # Probe fields are immutable. + not is_update(input.review) + container := input.review.object.spec.containers[_] probe := input.parameters.probes[_] probe_is_missing(container, probe) 
@@ -58,3 +63,10 @@ spec: get_violation_message(container, review, probe) = msg { msg := sprintf("Container <%v> in your <%v> <%v> has no <%v>", [container.name, review.kind.kind, review.object.metadata.name, probe]) } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } diff --git a/library/general/verifydeprecatedapi/samples/verify-1.22/constraint.yaml b/library/general/verifydeprecatedapi/samples/verify-1.22/constraint.yaml index 637f08079..02b669174 100644 --- a/library/general/verifydeprecatedapi/samples/verify-1.22/constraint.yaml +++ b/library/general/verifydeprecatedapi/samples/verify-1.22/constraint.yaml @@ -25,9 +25,9 @@ spec: kinds: ["IngressClass"] - apiGroups: ["rbac.authorization.k8s.io"] kinds: ["ClusterRole", "ClusterRoleBinding", "Role", "RoleBinding"] - - apiGroups: ["scheduling.k8s.io/v1beta1"] + - apiGroups: ["scheduling.k8s.io"] kinds: ["PriorityClass"] - - apiGroups: ["storage.k8s.io/v1beta1"] + - apiGroups: ["storage.k8s.io"] kinds: ["CSIDriver", "CSINode", "StorageClass", "VolumeAttachment"] parameters: kvs: diff --git a/library/general/verifydeprecatedapi/samples/verify-1.25/constraint.yaml b/library/general/verifydeprecatedapi/samples/verify-1.25/constraint.yaml index 34a2fbba0..bf1a64e01 100644 --- a/library/general/verifydeprecatedapi/samples/verify-1.25/constraint.yaml +++ b/library/general/verifydeprecatedapi/samples/verify-1.25/constraint.yaml @@ -15,8 +15,10 @@ spec: kinds: ["HorizontalPodAutoscaler"] - apiGroups: ["policy"] kinds: ["PodDisruptionBudget", "PodSecurityPolicy"] + - apiGroups: ["node.k8s.io"] + kinds: ["RuntimeClass"] parameters: - kvs: + kvs: - deprecatedAPI: "batch/v1beta1" kinds: ["CronJob"] targetAPI: "batch/v1" 
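Review bot: The verify-1.25 sample now matches `node.k8s.io` / `RuntimeClass`, but the only `kvs` entry visible in this hunk is `batch/v1beta1` CronJob, and a matched kind with no corresponding `deprecatedAPI` entry is presumably evaluated and passed without effect. Please confirm the list continuing below the hunk contains an entry like `- deprecatedAPI: "node.k8s.io/v1beta1"` / `kinds: ["RuntimeClass"]` / `targetAPI: "node.k8s.io/v1"`, otherwise the new match entry changes nothing. The `kvs:` line itself is only a trailing-whitespace fix.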
diff --git a/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/update.yaml b/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/update.yaml
new file mode 100644
index 000000000..a79d40a1b
--- /dev/null
+++ b/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-privilege-escalation-disallowed
+ labels:
+ app: nginx-privilege-escalation
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ allowPrivilegeEscalation: true
diff --git a/library/pod-security-policy/allow-privilege-escalation/suite.yaml b/library/pod-security-policy/allow-privilege-escalation/suite.yaml
index 0c65f18f7..cd7531cfa 100644
--- a/library/pod-security-policy/allow-privilege-escalation/suite.yaml
+++ b/library/pod-security-policy/allow-privilege-escalation/suite.yaml
@@ -19,3 +19,7 @@ tests:
 object: samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml
 assertions:
 - violations: yes
+ - name: update
+ object: samples/psp-allow-privilege-escalation-container/update.yaml
+ assertions:
+ - violations: no
diff --git a/library/pod-security-policy/allow-privilege-escalation/template.yaml b/library/pod-security-policy/allow-privilege-escalation/template.yaml
index c473e2731..a7f4694a2 100644
--- a/library/pod-security-policy/allow-privilege-escalation/template.yaml
+++ b/library/pod-security-policy/allow-privilege-escalation/template.yaml
@@ -4,7 +4,7 @@ metadata: name: k8spspallowprivilegeescalationcontainer annotations: metadata.gatekeeper.sh/title: "Allow Privilege Escalation in Container" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls restricting escalation to root privileges. Corresponds to the `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more @@ -39,9 +39,13 @@ spec: rego: | package k8spspallowprivilegeescalationcontainer + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.securityContext.allowPrivilegeEscalation field is immutable. + not is_update(input.review) + c := input_containers[_] not is_exempt(c) input_allow_privilege_escalation(c) @@ -68,6 +72,12 @@ spec: object[field] } libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } - | package lib.exempt_container diff --git a/library/pod-security-policy/capabilities/samples/capabilities-demo/update.yaml b/library/pod-security-policy/capabilities/samples/capabilities-demo/update.yaml new file mode 100644 index 000000000..df8ea0070 --- /dev/null +++ b/library/pod-security-policy/capabilities/samples/capabilities-demo/update.yaml @@ -0,0 +1,26 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: opa-disallowed + labels: + owner: me.agilebank.demo + spec: + containers: + - name: opa + image: openpolicyagent/opa:0.9.2 + args: + - "run" + - "--server" + - "--addr=localhost:8080" + securityContext: + capabilities: + add: ["disallowedcapability"] + resources: + limits: + cpu: "100m" + memory: "30Mi" diff --git a/library/pod-security-policy/capabilities/suite.yaml b/library/pod-security-policy/capabilities/suite.yaml index 8f7386e1c..48c2fcb46 100644 --- a/library/pod-security-policy/capabilities/suite.yaml 
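Review bot: The guard `not is_update(input.review)` added in the `@@ -39,9 +39,13 @@` hunk also switches off this template's ephemeral-container coverage (the suite keeps a `disallowed_ephemeral` case, so `input_containers` presumably includes `spec.ephemeralContainers`), yet ephemeral containers can never be present at CREATE and are only attached to a running Pod by an UPDATE on the `pods/ephemeralcontainers` subresource. A debug container with `allowPrivilegeEscalation: true` is therefore admitted after this change while the identical container in a fresh Pod is rejected. The immutability comment is accurate for `spec.containers` but not for `spec.ephemeralContainers`; I would reword it to `# spec.containers.securityContext.allowPrivilegeEscalation is immutable, but ephemeral containers are only ever added via UPDATE` and either exempt the `ephemeralcontainers` subresource inside `is_update` or keep evaluating `spec.ephemeralContainers` on UPDATE. The new `update.yaml` fixture carries only a regular container, so a second UPDATE fixture with an `ephemeralContainers` entry asserting `violations: yes` is needed for the suite to catch this.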
+++ b/library/pod-security-policy/capabilities/suite.yaml @@ -19,3 +19,7 @@ tests: object: samples/capabilities-demo/disallowed_ephemeral.yaml assertions: - violations: yes + - name: update + object: samples/capabilities-demo/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/capabilities/template.yaml b/library/pod-security-policy/capabilities/template.yaml index f645e3765..0df32e927 100644 --- a/library/pod-security-policy/capabilities/template.yaml +++ b/library/pod-security-policy/capabilities/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spspcapabilities annotations: metadata.gatekeeper.sh/title: "Capabilities" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls Linux capabilities on containers. Corresponds to the `allowedCapabilities` and `requiredDropCapabilities` fields in a @@ -50,9 +50,13 @@ spec: rego: | package capabilities + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg}] { + # spec.containers.securityContext.capabilities field is immutable. + not is_update(input.review) + container := input.review.object.spec.containers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -60,6 +64,7 @@ spec: } violation[{"msg": msg}] { + not is_update(input.review) container := input.review.object.spec.containers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -69,6 +74,7 @@ spec: violation[{"msg": msg}] { + not is_update(input.review) container := input.review.object.spec.initContainers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -76,6 +82,7 @@ spec: } violation[{"msg": msg}] { + not is_update(input.review) container := input.review.object.spec.initContainers[_] not is_exempt(container) missing_drop_capabilities(container) 
@@ -85,6 +92,7 @@ spec: violation[{"msg": msg}] { + not is_update(input.review) container := input.review.object.spec.ephemeralContainers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -92,6 +100,7 @@ spec: } violation[{"msg": msg}] { + not is_update(input.review) container := input.review.object.spec.ephemeralContainers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -126,6 +135,12 @@ spec: out = _default } libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } - | package lib.exempt_container diff --git a/library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/update.yaml b/library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/update.yaml new file mode 100644 index 000000000..9358c6c5c --- /dev/null +++ b/library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/update.yaml @@ -0,0 +1,23 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-flexvolume-driver-disallowed + labels: + app: nginx-flexvolume-driver + spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /test + name: test-volume + readOnly: true + volumes: + - name: test-volume + flexVolume: + driver: "example/testdriver" #"example/lvm" diff --git a/library/pod-security-policy/flexvolume-drivers/suite.yaml b/library/pod-security-policy/flexvolume-drivers/suite.yaml index 1f4a4ef75..fe69966bd 100644 --- a/library/pod-security-policy/flexvolume-drivers/suite.yaml +++ b/library/pod-security-policy/flexvolume-drivers/suite.yaml @@ -15,3 +15,7 @@ tests: object: samples/psp-flexvolume-drivers/example_disallowed.yaml assertions: - violations: yes + - name: update + object: samples/psp-flexvolume-drivers/update.yaml + assertions: + - violations: no 
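Review bot: The two `spec.ephemeralContainers[_]` rules in the `@@ -85,6 +92,7 @@` and `@@ -92,6 +100,7 @@` hunks become unreachable once `not is_update(input.review)` is prepended to them, because Pod validation forbids `ephemeralContainers` on create and the field is only populated through an UPDATE on the `pods/ephemeralcontainers` subresource (e.g. `kubectl debug --profile=netadmin`, which adds NET_ADMIN/NET_RAW). The existing `disallowed_ephemeral.yaml` case keeps passing only because that fixture is not marked as an UPDATE, so the suite does not notice the regression. Rather than dropping the guard rule by rule, I would narrow the shared lib in the last hunk so the exclusion does not apply to that subresource — assuming Gatekeeper forwards the AdmissionRequest `subResource` field in `input.review`, which I believe it does — and add an UPDATE fixture with `subResource: ephemeralcontainers` asserting `violations: yes`. Since the `lib.exclude_update` text is duplicated verbatim into every template in this PR, the same change has to land in each copy.
```yaml
  libs:
    - |
      package lib.exclude_update

      # UPDATE requests are skipped because the fields these templates check are
      # immutable on Pods -- except ephemeral containers, which are only ever
      # added by an UPDATE on the pods/ephemeralcontainers subresource.
      is_update(review) {
        review.operation == "UPDATE"
        not is_ephemeral_containers_update(review)
      }

      is_ephemeral_containers_update(review) {
        review.subResource == "ephemeralcontainers"
      }
    # … unchanged: lib.exempt_container …
```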
diff --git a/library/pod-security-policy/flexvolume-drivers/template.yaml b/library/pod-security-policy/flexvolume-drivers/template.yaml index 7cb53e11f..c059681c9 100644 --- a/library/pod-security-policy/flexvolume-drivers/template.yaml +++ b/library/pod-security-policy/flexvolume-drivers/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spspflexvolumes annotations: metadata.gatekeeper.sh/title: "FlexVolumes" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the allowlist of FlexVolume drivers. Corresponds to the `allowedFlexVolumes` field in PodSecurityPolicy. For more information, @@ -39,7 +39,12 @@ spec: rego: | package k8spspflexvolumes + import data.lib.exclude_update.is_update + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update(input.review) + volume := input_flexvolumes[_] not input_flexvolumes_allowed(volume) msg := sprintf("FlexVolume %v is not allowed, pod: %v. Allowed drivers: %v", [volume, input.review.object.metadata.name, input.parameters.allowedFlexVolumes]) @@ -58,3 +63,10 @@ spec: has_field(object, field) = true { object[field] } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } diff --git a/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/update.yaml b/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/update.yaml new file mode 100644 index 000000000..e4e732be9 --- /dev/null +++ b/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/update.yaml 
@@ -0,0 +1,21 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-forbidden-sysctls-disallowed + labels: + app: nginx-forbidden-sysctls + spec: + containers: + - name: nginx + image: nginx + securityContext: + sysctls: + - name: kernel.msgmax + value: "65536" + - name: net.core.somaxconn + value: "1024" diff --git a/library/pod-security-policy/forbidden-sysctls/suite.yaml b/library/pod-security-policy/forbidden-sysctls/suite.yaml index bcc4caaae..d00f85b8b 100644 --- a/library/pod-security-policy/forbidden-sysctls/suite.yaml +++ b/library/pod-security-policy/forbidden-sysctls/suite.yaml @@ -15,3 +15,7 @@ tests: object: samples/psp-forbidden-sysctls/example_allowed.yaml assertions: - violations: no + - name: update + object: samples/psp-forbidden-sysctls/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/forbidden-sysctls/template.yaml b/library/pod-security-policy/forbidden-sysctls/template.yaml index 1e6ee7f25..3d3c1d9a0 100644 --- a/library/pod-security-policy/forbidden-sysctls/template.yaml +++ b/library/pod-security-policy/forbidden-sysctls/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spspforbiddensysctls annotations: metadata.gatekeeper.sh/title: "Forbidden Sysctls" - metadata.gatekeeper.sh/version: 1.1.1 + metadata.gatekeeper.sh/version: 1.1.2 description: >- Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. 
@@ -42,8 +42,13 @@ spec: rego: | package k8spspforbiddensysctls + import data.lib.exclude_update.is_update + # Block if forbidden violation[{"msg": msg, "details": {}}] { + # spec.securityContext.sysctls field is immutable. + not is_update(input.review) + sysctl := input.review.object.spec.securityContext.sysctls[_].name forbidden_sysctl(sysctl) msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls]) @@ -51,6 +56,7 @@ spec: # Block if not explicitly allowed violation[{"msg": msg, "details": {}}] { + not is_update(input.review) sysctl := input.review.object.spec.securityContext.sysctls[_].name not allowed_sysctl(sysctl) msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls]) @@ -85,3 +91,10 @@ spec: endswith(allowed, "*") startswith(sysctl, trim_suffix(allowed, "*")) } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } diff --git a/library/pod-security-policy/fsgroup/samples/psp-fsgroup/update.yaml b/library/pod-security-policy/fsgroup/samples/psp-fsgroup/update.yaml new file mode 100644 index 000000000..c0de7258a --- /dev/null +++ b/library/pod-security-policy/fsgroup/samples/psp-fsgroup/update.yaml @@ -0,0 +1,22 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: fsgroup-disallowed + spec: + securityContext: + fsGroup: 2000 # directory will have group ID 2000 + volumes: + - name: fsgroup-demo-vol + emptyDir: {} + containers: + - name: fsgroup-demo + image: busybox + command: [ "sh", "-c", "sleep 1h" ] + volumeMounts: + - name: fsgroup-demo-vol + mountPath: /data/demo 
diff --git a/library/pod-security-policy/fsgroup/suite.yaml b/library/pod-security-policy/fsgroup/suite.yaml index f24cb6a35..cb102e785 100644 --- a/library/pod-security-policy/fsgroup/suite.yaml +++ b/library/pod-security-policy/fsgroup/suite.yaml @@ -15,3 +15,7 @@ tests: object: samples/psp-fsgroup/example_allowed.yaml assertions: - violations: no + - name: update + object: samples/psp-fsgroup/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/fsgroup/template.yaml b/library/pod-security-policy/fsgroup/template.yaml index 0839855e2..d3f56af81 100644 --- a/library/pod-security-policy/fsgroup/template.yaml +++ b/library/pod-security-policy/fsgroup/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spspfsgroup annotations: metadata.gatekeeper.sh/title: "FS Group" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy. For more information, see @@ -47,7 +47,12 @@ spec: rego: | package k8spspfsgroup + import data.lib.exclude_update.is_update + violation[{"msg": msg, "details": {}}] { + # spec.securityContext.fsGroup field is immutable. + not is_update(input.review) + spec := input.review.object.spec not input_fsGroup_allowed(spec) msg := sprintf("The provided pod spec fsGroup is not allowed, pod: %v. Allowed fsGroup: %v", [input.review.object.metadata.name, input.parameters]) @@ -91,3 +96,10 @@ spec: has_field(object, field) = true { object[field] } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } diff --git a/library/pod-security-policy/host-filesystem/samples/psp-host-filesystem/update.yaml b/library/pod-security-policy/host-filesystem/samples/psp-host-filesystem/update.yaml new file mode 100644 index 000000000..68b28a536 --- /dev/null +++ b/library/pod-security-policy/host-filesystem/samples/psp-host-filesystem/update.yaml 
@@ -0,0 +1,23 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-host-filesystem + labels: + app: nginx-host-filesystem-disallowed + spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /cache + name: cache-volume + readOnly: true + volumes: + - name: cache-volume + hostPath: + path: /tmp # directory location on host diff --git a/library/pod-security-policy/host-filesystem/suite.yaml b/library/pod-security-policy/host-filesystem/suite.yaml index ec28e4ffc..5441df8cc 100644 --- a/library/pod-security-policy/host-filesystem/suite.yaml +++ b/library/pod-security-policy/host-filesystem/suite.yaml @@ -19,3 +19,7 @@ tests: object: samples/psp-host-filesystem/disallowed_ephemeral.yaml assertions: - violations: yes + - name: update + object: samples/psp-host-filesystem/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/host-filesystem/template.yaml b/library/pod-security-policy/host-filesystem/template.yaml index c61305e91..2ef796fd4 100644 --- a/library/pod-security-policy/host-filesystem/template.yaml +++ b/library/pod-security-policy/host-filesystem/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spsphostfilesystem annotations: metadata.gatekeeper.sh/title: "Host Filesystem" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, @@ -42,7 +42,12 @@ spec: rego: | package k8spsphostfilesystem + import data.lib.exclude_update.is_update + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update(input.review) + volume := input_hostpath_volumes[_] allowedPaths := get_allowed_paths(input) input_hostpath_violation(allowedPaths, volume) 
@@ -134,3 +139,10 @@ spec: input_containers[c] { c := input.review.object.spec.ephemeralContainers[_] } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } diff --git a/library/pod-security-policy/host-namespaces/samples/psp-host-namespace/update.yaml b/library/pod-security-policy/host-namespaces/samples/psp-host-namespace/update.yaml new file mode 100644 index 000000000..29e17f13a --- /dev/null +++ b/library/pod-security-policy/host-namespaces/samples/psp-host-namespace/update.yaml @@ -0,0 +1,17 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-host-namespace-disallowed + labels: + app: nginx-host-namespace + spec: + hostPID: true + hostIPC: true + containers: + - name: nginx + image: nginx diff --git a/library/pod-security-policy/host-namespaces/suite.yaml b/library/pod-security-policy/host-namespaces/suite.yaml index d274351ff..b8e853d5f 100644 --- a/library/pod-security-policy/host-namespaces/suite.yaml +++ b/library/pod-security-policy/host-namespaces/suite.yaml @@ -15,3 +15,7 @@ tests: object: samples/psp-host-namespace/example_disallowed.yaml assertions: - violations: yes + - name: update + object: samples/psp-host-namespace/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/host-namespaces/template.yaml b/library/pod-security-policy/host-namespaces/template.yaml index 0f84e3481..a8b87e419 100644 --- a/library/pod-security-policy/host-namespaces/template.yaml +++ b/library/pod-security-policy/host-namespaces/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spsphostnamespace annotations: metadata.gatekeeper.sh/title: "Host Namespace" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. 
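Review bot: `input_containers` still enumerates `spec.ephemeralContainers` (context line at the top of this hunk) while the violation rule in the previous hunk now bails out on every UPDATE, and ephemeral containers are only ever added by an UPDATE on the `pods/ephemeralcontainers` subresource. The comment `# spec.volumes field is immutable.` is true, but an ephemeral container may still declare `volumeMounts` against an existing hostPath volume; if `input_hostpath_violation` (its body is outside the hunk) uses `input_containers` to enforce `readOnly`, a debug container mounting the same volume read-write is admitted once this ships. I would either exclude the `ephemeralcontainers` subresource from `is_update` or move the guard onto the volume-definition checks only, and add an UPDATE fixture with an `ephemeralContainers` entry mounting the hostPath volume with `readOnly: false` asserting `violations: yes`.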
@@ -29,7 +29,12 @@ spec: rego: | package k8spsphostnamespace + import data.lib.exclude_update.is_update + violation[{"msg": msg, "details": {}}] { + # spec.hostPID and spec.hostIPC fields are immutable. + not is_update(input.review) + input_share_hostnamespace(input.review.object) msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name]) } @@ -40,3 +45,10 @@ spec: input_share_hostnamespace(o) { o.spec.hostIPC } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } diff --git a/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/update.yaml b/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/update.yaml new file mode 100644 index 000000000..231096430 --- /dev/null +++ b/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/update.yaml @@ -0,0 +1,19 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-host-networking-ports-disallowed + labels: + app: nginx-host-networking-ports + spec: + hostNetwork: true + containers: + - name: nginx + image: nginx + ports: + - containerPort: 9001 + hostPort: 9001 diff --git a/library/pod-security-policy/host-network-ports/suite.yaml b/library/pod-security-policy/host-network-ports/suite.yaml index 86593fc9d..710df69eb 100644 --- a/library/pod-security-policy/host-network-ports/suite.yaml +++ b/library/pod-security-policy/host-network-ports/suite.yaml @@ -19,3 +19,7 @@ tests: object: samples/psp-host-network-ports/disallowed_ephemeral.yaml assertions: - violations: yes + - name: update + object: samples/psp-host-network-ports/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/host-network-ports/template.yaml b/library/pod-security-policy/host-network-ports/template.yaml index 12cbe960e..31a9d9e56 100644 
--- a/library/pod-security-policy/host-network-ports/template.yaml +++ b/library/pod-security-policy/host-network-ports/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spsphostnetworkingports annotations: metadata.gatekeeper.sh/title: "Host Networking Ports" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the `hostNetwork` and @@ -49,9 +49,13 @@ spec: rego: | package k8spsphostnetworkingports + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.hostNetwork field is immutable. + not is_update(input.review) + input_share_hostnetwork(input.review.object) msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters]) } @@ -86,6 +90,12 @@ spec: not is_exempt(c) } libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } - | package lib.exempt_container diff --git a/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/update.yaml b/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/update.yaml new file mode 100644 index 000000000..08f36044c --- /dev/null +++ b/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/update.yaml @@ -0,0 +1,17 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-privileged-disallowed + labels: + app: nginx-privileged + spec: + containers: + - name: nginx + image: nginx + securityContext: + privileged: true diff --git a/library/pod-security-policy/privileged-containers/suite.yaml b/library/pod-security-policy/privileged-containers/suite.yaml index 593f96015..c2e484fc5 100644 
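Review bot: The description annotation in the `@@ -4,7 +4,7 @@` hunk still reads as if every admission request is evaluated, but the rule in the `@@ -49,9 +49,13 @@` hunk now returns early on UPDATE, which is a user-visible behaviour change worth stating next to the 1.0.1 bump. I would append to the description: `UPDATE requests are not evaluated, since hostNetwork and container hostPort are immutable on Pods; only CREATE is enforced.` As far as I recall Pod validation also rejects `ports` on ephemeral containers, so unlike the container-level sibling templates in this PR the exemption looks safe here, which is worth recording in the comment above the guard.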
--- a/library/pod-security-policy/privileged-containers/suite.yaml +++ b/library/pod-security-policy/privileged-containers/suite.yaml @@ -19,3 +19,7 @@ tests: object: samples/psp-privileged-container/disallowed_ephemeral.yaml assertions: - violations: yes + - name: update + object: samples/psp-privileged-container/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/privileged-containers/template.yaml b/library/pod-security-policy/privileged-containers/template.yaml index e1434ebdd..c552c193d 100644 --- a/library/pod-security-policy/privileged-containers/template.yaml +++ b/library/pod-security-policy/privileged-containers/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spspprivilegedcontainer annotations: metadata.gatekeeper.sh/title: "Privileged Container" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more @@ -39,9 +39,13 @@ spec: rego: | package k8spspprivileged + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.privileged field is immutable. + not is_update(input.review) + c := input_containers[_] not is_exempt(c) c.securityContext.privileged @@ -60,6 +64,12 @@ spec: c := input.review.object.spec.ephemeralContainers[_] } libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } - | package lib.exempt_container diff --git a/library/pod-security-policy/proc-mount/samples/psp-proc-mount/update.yaml b/library/pod-security-policy/proc-mount/samples/psp-proc-mount/update.yaml new file mode 100644 index 000000000..dc21b1142 --- /dev/null +++ b/library/pod-security-policy/proc-mount/samples/psp-proc-mount/update.yaml 
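Review bot: With `not is_update(input.review)` at the top of the violation rule, the `c := input.review.object.spec.ephemeralContainers[_]` branch of `input_containers` (context in the libs hunk) can no longer fire at admission, because ephemeral containers exist only after an UPDATE on the `pods/ephemeralcontainers` subresource. That is exactly the path `kubectl debug --profile=sysadmin` uses to attach a `privileged: true` container, so this change quietly allows privileged debug containers into Pods that the CREATE-time check would have rejected. The comment `# spec.containers.privileged field is immutable.` should say that `spec.ephemeralContainers` is not, and the guard should skip the `ephemeralcontainers` subresource rather than all updates. A fixture mirroring `disallowed_ephemeral.yaml` but with `operation: "UPDATE"` and `subResource: ephemeralcontainers` asserting `violations: yes` would pin the intended behaviour; the new `update.yaml` with only a regular container does not.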
@@ -0,0 +1,17 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-proc-mount-disallowed + labels: + app: nginx-proc-mount + spec: + containers: + - name: nginx + image: nginx + securityContext: + procMount: Unmasked #Default diff --git a/library/pod-security-policy/proc-mount/suite.yaml b/library/pod-security-policy/proc-mount/suite.yaml index 26dd5eb0a..501493e14 100644 --- a/library/pod-security-policy/proc-mount/suite.yaml +++ b/library/pod-security-policy/proc-mount/suite.yaml @@ -19,3 +19,7 @@ tests: object: samples/psp-proc-mount/disallowed_ephemeral.yaml assertions: - violations: yes + - name: update + object: samples/psp-proc-mount/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/proc-mount/template.yaml b/library/pod-security-policy/proc-mount/template.yaml index 1f238a7d3..bbf2244da 100644 --- a/library/pod-security-policy/proc-mount/template.yaml +++ b/library/pod-security-policy/proc-mount/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spspprocmount annotations: metadata.gatekeeper.sh/title: "Proc Mount" - metadata.gatekeeper.sh/version: 1.0.1 + metadata.gatekeeper.sh/version: 1.0.2 description: >- Controls the allowed `procMount` types for the container. Corresponds to the `allowedProcMountTypes` field in a PodSecurityPolicy. For more @@ -50,9 +50,13 @@ spec: rego: | package k8spspprocmount + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.securityContext.procMount field is immutable. + not is_update(input.review) + c := input_containers[_] not is_exempt(c) allowedProcMount := get_allowed_proc_mount(input) @@ -106,6 +110,12 @@ spec: lower(str) == "unmasked" } libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } - | package lib.exempt_container 
diff --git a/library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/update.yaml b/library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/update.yaml new file mode 100644 index 000000000..b31ae5e3a --- /dev/null +++ b/library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/update.yaml @@ -0,0 +1,17 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-readonlyrootfilesystem-disallowed + labels: + app: nginx-readonlyrootfilesystem + spec: + containers: + - name: nginx + image: nginx + securityContext: + readOnlyRootFilesystem: false diff --git a/library/pod-security-policy/read-only-root-filesystem/suite.yaml b/library/pod-security-policy/read-only-root-filesystem/suite.yaml index 4df3de82f..db736886f 100644 --- a/library/pod-security-policy/read-only-root-filesystem/suite.yaml +++ b/library/pod-security-policy/read-only-root-filesystem/suite.yaml @@ -19,3 +19,7 @@ tests: object: samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml assertions: - violations: yes + - name: update + object: samples/psp-readonlyrootfilesystem/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/read-only-root-filesystem/template.yaml b/library/pod-security-policy/read-only-root-filesystem/template.yaml index a98ab0094..bca12eeae 100644 --- a/library/pod-security-policy/read-only-root-filesystem/template.yaml +++ b/library/pod-security-policy/read-only-root-filesystem/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spspreadonlyrootfilesystem annotations: metadata.gatekeeper.sh/title: "Read Only Root Filesystem" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Requires the use of a read-only root file system by pod containers. Corresponds to the `readOnlyRootFilesystem` field in a 
@@ -40,9 +40,13 @@ spec: rego: | package k8spspreadonlyrootfilesystem + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.readOnlyRootFilesystem field is immutable. + not is_update(input.review) + c := input_containers[_] not is_exempt(c) input_read_only_root_fs(c) @@ -71,6 +75,12 @@ spec: object[field] } libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } - | package lib.exempt_container diff --git a/library/pod-security-policy/selinux/samples/psp-selinux-v2/update.yaml b/library/pod-security-policy/selinux/samples/psp-selinux-v2/update.yaml new file mode 100644 index 000000000..581419e9d --- /dev/null +++ b/library/pod-security-policy/selinux/samples/psp-selinux-v2/update.yaml @@ -0,0 +1,21 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-selinux-disallowed + labels: + app: nginx-selinux + spec: + containers: + - name: nginx + image: nginx + securityContext: + seLinuxOptions: + level: s1:c234,c567 + user: sysadm_u + role: sysadm_r + type: svirt_lxc_net_t diff --git a/library/pod-security-policy/selinux/suite.yaml b/library/pod-security-policy/selinux/suite.yaml index f35a2f6a7..1bbaf360e 100644 --- a/library/pod-security-policy/selinux/suite.yaml +++ b/library/pod-security-policy/selinux/suite.yaml @@ -19,3 +19,7 @@ tests: object: samples/psp-selinux-v2/disallowed_ephemeral.yaml assertions: - violations: yes + - name: update + object: samples/psp-selinux-v2/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/selinux/template.yaml b/library/pod-security-policy/selinux/template.yaml index fff3cda75..61729eceb 100644 --- a/library/pod-security-policy/selinux/template.yaml +++ b/library/pod-security-policy/selinux/template.yaml 
@@ -4,7 +4,7 @@ metadata: name: k8spspselinuxv2 annotations: metadata.gatekeeper.sh/title: "SELinux V2" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. @@ -59,16 +59,23 @@ spec: rego: | package k8spspselinux + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt # Disallow top level custom SELinux options violation[{"msg": msg, "details": {}}] { + # spec.securityContext.seLinuxOptions field is immutable. + not is_update(input.review) + has_field(input.review.object.spec.securityContext, "seLinuxOptions") not input_seLinuxOptions_allowed(input.review.object.spec.securityContext.seLinuxOptions) msg := sprintf("SELinux options is not allowed, pod: %v. Allowed options: %v", [input.review.object.metadata.name, input.parameters.allowedSELinuxOptions]) } # Disallow container level custom SELinux options violation[{"msg": msg, "details": {}}] { + # spec.containers.securityContext.seLinuxOptions field is immutable. + not is_update(input.review) + c := input_security_context[_] not is_exempt(c) has_field(c.securityContext, "seLinuxOptions") @@ -109,6 +116,12 @@ spec: object[field] } libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } - | package lib.exempt_container diff --git a/library/pod-security-policy/users/samples/psp-pods-allowed-user-ranges/update.yaml b/library/pod-security-policy/users/samples/psp-pods-allowed-user-ranges/update.yaml new file mode 100644 index 000000000..6f4d3ed72 --- /dev/null +++ b/library/pod-security-policy/users/samples/psp-pods-allowed-user-ranges/update.yaml 
@@ -0,0 +1,22 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-users-disallowed + labels: + app: nginx-users + spec: + securityContext: + supplementalGroups: + - 250 + fsGroup: 250 + containers: + - name: nginx + image: nginx + securityContext: + runAsUser: 250 + runAsGroup: 250 diff --git a/library/pod-security-policy/users/suite.yaml b/library/pod-security-policy/users/suite.yaml index 20528f68c..5c6e49640 100644 --- a/library/pod-security-policy/users/suite.yaml +++ b/library/pod-security-policy/users/suite.yaml @@ -19,3 +19,7 @@ tests: object: samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml assertions: - violations: yes + - name: update + object: samples/psp-pods-allowed-user-ranges/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/users/template.yaml b/library/pod-security-policy/users/template.yaml index 0d22f23bf..1e572443e 100644 --- a/library/pod-security-policy/users/template.yaml +++ b/library/pod-security-policy/users/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spspallowedusers annotations: metadata.gatekeeper.sh/title: "Allowed Users" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the user and group IDs of the container and some volumes. Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and @@ -135,9 +135,13 @@ spec: rego: | package k8spspallowedusers + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg}] { + # runAsUser, runAsGroup, supplementalGroups, fsGroup fields are immutable. + not is_update(input.review) + fields := ["runAsUser", "runAsGroup", "supplementalGroups", "fsGroup"] field := fields[_] container := input_containers[_] 
@@ -260,6 +264,12 @@ spec: c := input.review.object.spec.ephemeralContainers[_] } libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } - | package lib.exempt_container diff --git a/library/pod-security-policy/volumes/samples/psp-volume-types/update.yaml b/library/pod-security-policy/volumes/samples/psp-volume-types/update.yaml new file mode 100644 index 000000000..f25f07267 --- /dev/null +++ b/library/pod-security-policy/volumes/samples/psp-volume-types/update.yaml @@ -0,0 +1,29 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-volume-types-disallowed + labels: + app: nginx-volume-types + spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /cache + name: cache-volume + - name: nginx2 + image: nginx + volumeMounts: + - mountPath: /cache2 + name: demo-vol + volumes: + - name: cache-volume + hostPath: + path: /tmp # directory location on host + - name: demo-vol + emptyDir: {} diff --git a/library/pod-security-policy/volumes/suite.yaml b/library/pod-security-policy/volumes/suite.yaml index b8f91b5a4..083aad6eb 100644 --- a/library/pod-security-policy/volumes/suite.yaml +++ b/library/pod-security-policy/volumes/suite.yaml @@ -15,3 +15,7 @@ tests: object: samples/psp-volume-types/example_allowed.yaml assertions: - violations: no + - name: update + object: samples/psp-volume-types/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/volumes/template.yaml b/library/pod-security-policy/volumes/template.yaml index 53f634632..458cb3178 100644 --- a/library/pod-security-policy/volumes/template.yaml +++ b/library/pod-security-policy/volumes/template.yaml 
@@ -4,7 +4,7 @@ metadata: name: k8spspvolumetypes annotations: metadata.gatekeeper.sh/title: "Volume Types" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Restricts mountable volume types to those specified by the user. Corresponds to the `volumes` field in a PodSecurityPolicy. For more @@ -35,7 +35,12 @@ spec: rego: | package k8spspvolumetypes + import data.lib.exclude_update.is_update + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update(input.review) + volume_fields := {x | input.review.object.spec.volumes[_][x]; x != "name"} field := volume_fields[_] not input_volume_type_allowed(field) @@ -50,3 +55,10 @@ spec: input_volume_type_allowed(field) { field == input.parameters.volumes[_] } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } diff --git a/scripts/require-sync/go.mod b/scripts/require-sync/go.mod index 933443f9a..b734ae8aa 100644 --- a/scripts/require-sync/go.mod +++ b/scripts/require-sync/go.mod @@ -3,13 +3,16 @@ module require-sync go 1.20 require ( - github.com/open-policy-agent/frameworks/constraint v0.0.0-20230812003220-e24af74adbae - github.com/open-policy-agent/gatekeeper/v3 v3.14.0-beta.0.0.20230831155303-366ba791d009 - k8s.io/apimachinery v0.27.6 + github.com/open-policy-agent/frameworks/constraint v0.0.0-20231030230613-2e0cb3d68575 + github.com/open-policy-agent/gatekeeper/v3 v3.14.0 + k8s.io/apimachinery v0.27.7 ) require ( + cloud.google.com/go/compute/metadata v0.2.3 // indirect + github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect + github.com/Microsoft/hcsshim v0.11.0 // indirect github.com/OneOfOne/xxhash v1.2.8 // indirect github.com/agnivade/levenshtein v1.1.1 // indirect github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 // indirect 
@@ -17,23 +20,22 @@ require ( github.com/aws/aws-sdk-go v1.44.23 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect - github.com/cenkalti/backoff/v4 v4.2.0 // indirect + github.com/cenkalti/backoff/v4 v4.2.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect - github.com/containerd/containerd v1.6.19 // indirect + github.com/containerd/containerd v1.7.6 // indirect github.com/davecgh/go-spew v1.1.1 // indirect - github.com/docker/cli v20.10.21+incompatible // indirect + github.com/docker/cli v24.0.6+incompatible // indirect github.com/docker/distribution v2.8.2+incompatible // indirect - github.com/docker/docker v20.10.24+incompatible // indirect + github.com/docker/docker v24.0.6+incompatible // indirect github.com/docker/docker-credential-helpers v0.7.0 // indirect github.com/docker/go-connections v0.4.0 // indirect github.com/docker/go-metrics v0.0.1 // indirect github.com/docker/go-units v0.5.0 // indirect - github.com/emicklei/go-restful/v3 v3.9.0 // indirect + github.com/emicklei/go-restful/v3 v3.10.1 // indirect github.com/evanphx/json-patch v5.6.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.6.0 // indirect github.com/felixge/httpsnoop v1.0.3 // indirect github.com/fsnotify/fsnotify v1.6.0 // indirect - github.com/ghodss/yaml v1.0.0 // indirect github.com/go-ini/ini v1.67.0 // indirect github.com/go-logr/logr v1.2.4 // indirect github.com/go-logr/stdr v1.2.2 // indirect 
@@ -49,13 +51,13 @@ require ( github.com/google/go-cmp v0.5.9 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/pprof v0.0.0-20220318212150-b2ab0324ddda // indirect - github.com/google/uuid v1.3.0 // indirect + github.com/google/uuid v1.3.1 // indirect github.com/gorilla/mux v1.8.0 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect github.com/imdario/mergo v0.3.13 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/klauspost/compress v1.15.1 // indirect + github.com/klauspost/compress v1.16.0 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect github.com/miekg/dns v1.1.48 // indirect @@ -66,9 +68,9 @@ require ( github.com/modern-go/reflect2 v1.0.2 // indirect github.com/morikuni/aec v1.0.0 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect - github.com/open-policy-agent/opa v0.54.0 // indirect + github.com/open-policy-agent/opa v0.57.1 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.1.0-rc2 // indirect + github.com/opencontainers/image-spec v1.1.0-rc5 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/prometheus/client_golang v1.16.0 // indirect github.com/prometheus/client_model v0.4.0 // indirect 
@@ -82,28 +84,28 @@ require ( github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/yashtewari/glob-intersection v0.2.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.37.0 // indirect - go.opentelemetry.io/otel v1.14.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.14.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.14.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.14.0 // indirect - go.opentelemetry.io/otel/metric v0.34.0 // indirect - go.opentelemetry.io/otel/sdk v1.14.0 // indirect - go.opentelemetry.io/otel/trace v1.14.0 // indirect - go.opentelemetry.io/proto/otlp v0.19.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 // indirect + go.opentelemetry.io/otel v1.19.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0 // indirect + go.opentelemetry.io/otel/metric v1.19.0 // indirect + go.opentelemetry.io/otel/sdk v1.19.0 // indirect + go.opentelemetry.io/otel/trace v1.19.0 // indirect + go.opentelemetry.io/proto/otlp v1.0.0 // indirect go.uber.org/multierr v1.8.0 // indirect - golang.org/x/net v0.11.0 // indirect - golang.org/x/oauth2 v0.7.0 // indirect - golang.org/x/sync v0.2.0 // indirect - golang.org/x/sys v0.9.0 // indirect - golang.org/x/term v0.9.0 // indirect - golang.org/x/text v0.10.0 // indirect + golang.org/x/net v0.17.0 // indirect + golang.org/x/oauth2 v0.10.0 // indirect + golang.org/x/sync v0.3.0 // indirect + golang.org/x/sys v0.13.0 // indirect + golang.org/x/term v0.13.0 // indirect + golang.org/x/text v0.13.0 // indirect golang.org/x/time v0.3.0 // indirect gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect google.golang.org/appengine v1.6.7 // indirect - 
google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect - google.golang.org/grpc v1.56.1 // indirect - google.golang.org/protobuf v1.30.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect + google.golang.org/grpc v1.58.2 // indirect + google.golang.org/protobuf v1.31.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect @@ -114,8 +116,8 @@ require ( k8s.io/component-base v0.27.4 // indirect k8s.io/klog/v2 v2.90.1 // indirect k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect - k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect - oras.land/oras-go v1.2.2 // indirect + k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 // indirect + oras.land/oras-go v1.2.4 // indirect sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2 // indirect sigs.k8s.io/controller-runtime v0.15.0 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect diff --git a/scripts/require-sync/go.sum b/scripts/require-sync/go.sum index 6bbc4dd63..69592098b 100644 --- a/scripts/require-sync/go.sum +++ b/scripts/require-sync/go.sum 
@@ -1,50 +1,22 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= -cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= -cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= -cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= -cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= -cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= -cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= -cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= -cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= -cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= -cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= -cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= -cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= -cloud.google.com/go v0.110.0 h1:Zc8gqp3+a9/Eyph2KDmcGaPtbKRIoqq4YTlL4NMD0Ys= -cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= -cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= -cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= -cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= -cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= -cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= -cloud.google.com/go/compute v1.19.1 h1:am86mquDUgjGNWxiGn+5PGLbmgiWXlE/yNWpIpNvuXY= 
+cloud.google.com/go v0.97.0 h1:3DXvAyifywvq64LfkKaMOmkWPS1CikIQdMe2lY9vxU8= +cloud.google.com/go/compute v1.21.0 h1:JNBsyXVoOoNJtTQcnEY5uYpZIbeCTYIeDe0Xh1bySMk= cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= -cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= -cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= -cloud.google.com/go/monitoring v1.13.0 h1:2qsrgXGVoRXpP7otZ14eE1I568zAa92sJSDPyOJvwjM= -cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= -cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= -cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= -cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= -cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= -cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= -cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= -cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= -cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= -cloud.google.com/go/trace v1.9.0 h1:olxC0QHC59zgJVALtgqfD9tGk0lfeCP5/AGXL3Px/no= +cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= +cloud.google.com/go/monitoring v1.15.1 h1:65JhLMd+JiYnXr6j5Z63dUYCuOg770p8a/VC+gil/58= +cloud.google.com/go/trace v1.10.1 h1:EwGdOLCNfYOOPtgqo+D2sDLZmRCEO1AagRTJCU6ztdg= contrib.go.opencensus.io/exporter/ocagent v0.7.0 h1:BEfdCTXfMV30tLZD8c9n64V/tIZX5+9sXiuFLnrr1k8= contrib.go.opencensus.io/exporter/prometheus v0.4.2 h1:sqfsYl5GIY/L570iT+l93ehxaWJs2/OwXtiWwew3oAg= contrib.go.opencensus.io/exporter/stackdriver v0.13.14 h1:zBakwHardp9Jcb8sQHcHpXy/0+JIb1M8KjigCJzx7+4= 
-dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA= -github.com/Microsoft/hcsshim v0.9.7 h1:mKNHW/Xvv1aFH87Jb6ERDzXTJTLPlmzfZ28VBFD/bfg= +github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= +github.com/Microsoft/hcsshim v0.11.0 h1:7EFNIY4igHEXUdj1zXgAyU3fLc7QfOKHbkldRVTBdiM= +github.com/Microsoft/hcsshim v0.11.0/go.mod h1:OEthFdQv/AD2RAdzR6Mm1N1KPCztGKDurW1Z8b8VGMM= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= 
@@ -74,13 +46,12 @@ github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd h1:rFt+Y/IK1aEZ github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b h1:otBG+dV+YK+Soembjv71DPz3uX/V/6MMlSyD9JBQ6kQ= github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 h1:nvj0OLI3YqYXer/kZD8Ri1aaunCxIEsOst1BVJswV0o= github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA= -github.com/cenkalti/backoff/v4 v4.2.0 h1:HN5dHm3WBOgndBH6E8V0q2jIYIR3s9yglV8k/+MN3u4= -github.com/cenkalti/backoff/v4 v4.2.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= +github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= -github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= 
@@ -89,14 +60,11 @@ github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMn github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/containerd/cgroups v1.0.4 h1:jN/mbWBEaz+T1pi5OFtnkQ+8qnmEbAr1Oo1FRm5B0dA= -github.com/containerd/containerd v1.6.19 h1:F0qgQPrG0P2JPgwpxWxYavrVeXAG0ezUIB9Z/4FTUAU= -github.com/containerd/containerd v1.6.19/go.mod h1:HZCDMn4v/Xl2579/MvtOC2M206i+JJ6VxFWU/NetrGY= +github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM= +github.com/containerd/containerd v1.7.6 h1:oNAVsnhPoy4BTPQivLgTzI9Oleml9l/+eYIDYXRCYo8= +github.com/containerd/containerd v1.7.6/go.mod h1:SY6lrkkuJT40BVNO37tlYTSnKJnP5AXBc0fhx0q+TJ4= +github.com/containerd/continuity v0.4.2 h1:v3y/4Yz5jwnvqPKJJ+7Wf93fyWoCB3F5EclWG023MDM= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -107,12 +75,12 @@ github.com/dgraph-io/ristretto v0.1.1 h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWa github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 h1:aBfCb7iqHmDEIp6fBvC/hQUddQfg+3qdYjwzaiP9Hnc= -github.com/docker/cli v20.10.21+incompatible h1:qVkgyYUnOLQ98LtXBrwd/duVqPT2X4SHndOuGsfwyhU= -github.com/docker/cli v20.10.21+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v24.0.6+incompatible h1:fF+XCQCgJjjQNIMjzaSmiKJSCcfcXb3TWTcc7GAneOY= +github.com/docker/cli v24.0.6+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8= github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v20.10.24+incompatible h1:Ugvxm7a8+Gz6vqQYQQ2W7GYq5EUPaAiuPgIfVyI3dYE= -github.com/docker/docker v20.10.24+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v24.0.6+incompatible h1:hceabKCtUgDqPu+qm0NgsaXf28Ljf4/pWFL7xjWWDgE= +github.com/docker/docker v24.0.6+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= 
@@ -125,14 +93,13 @@ github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDD github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1 h1:ZClxb8laGDf5arXfYcAtECDFgAgHklGI8CxgjHnXKJ4= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo= -github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= -github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ= +github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= -github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= 
@@ -145,11 +112,7 @@ github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8 github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI= github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= -github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= -github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= 
@@ -178,26 +141,14 @@ github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7a github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= github.com/golang/glog v1.1.1 h1:jxpi2eWoU84wbX9iIEyAeeoac3FLuifZpY9tcNUD9kw= github.com/golang/glog v1.1.1/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ= -github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= -github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf 
v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= @@ -212,8 +163,6 @@ github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/gomodule/redigo v1.8.2 h1:H5XSIre1MB5NbPYFp+i1NBbb5qN1W8Y8YAQoAYbkm8k= -github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/cel-go v0.12.6 h1:kjeKudqV0OygrAqA9fX6J55S8gj+Jre2tckIm5RoG4M= github.com/google/cel-go v0.12.6/go.mod h1:Jk7ljRzLBhkmiAwBoUxB1sZSCVBAzkqPF25olK/iRDw= github.com/google/flatbuffers v1.12.1 h1:MVlul7pQNoDzWRLTw5imwYsl+usrS1TXG2H4jg6ImGw= 
@@ -223,46 +172,28 @@ github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5a github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= -github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 
-github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20220318212150-b2ab0324ddda h1:KdHPvlgeNEDs8rae032MqFG8LVwcSEivcCjNdVOXRmg= github.com/google/pprof v0.0.0-20220318212150-b2ab0324ddda/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg= -github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= -github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= +github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9aurXEpJX+U6FLtpYTdC3R06k= -github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= -github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/googleapis/gax-go/v2 v2.7.1 h1:gF4c0zjUP2H/s/hEGyLA3I0fA2ZWjzYiONAD6cvPr8A= +github.com/googleapis/gax-go/v2 v2.11.0 h1:9V9PWXEsWnPpQhu/PeQIkS4eGzMlTLGgt80cUUI8Ki4= github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4= github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI= github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks= 
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3 h1:lLT7ZLSzGLI08vc9cpd+tYmNWjdKDqyr/2L+f6U12Fk= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w= -github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg= github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= -github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w= github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= 
@@ -277,16 +208,13 @@ github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCV github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= -github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= -github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.15.1 h1:y9FcTHGyrebwfP0ZZqFiaxTaiDnUrGkJkI+f583BL1A= -github.com/klauspost/compress v1.15.1/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= +github.com/klauspost/compress v1.16.0 h1:iULayQNOReoYUe+1qtKOqw9CwJv3aNQu8ivo7lw1HU4= +github.com/klauspost/compress v1.16.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= -github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= 
@@ -322,16 +250,16 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8m github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q= github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU= -github.com/open-policy-agent/frameworks/constraint v0.0.0-20230812003220-e24af74adbae h1:NdSZfqm8lAJG4o8iiQltzsU8Ime2KzfvWY/HtLOddc4= -github.com/open-policy-agent/frameworks/constraint v0.0.0-20230812003220-e24af74adbae/go.mod h1:54/KzLMvA5ndBVpm7B1OjLeV0cUtTLTz2bZ2OtydLpU= -github.com/open-policy-agent/gatekeeper/v3 v3.14.0-beta.0.0.20230831155303-366ba791d009 h1:Skyrrbc6yoeSEQu9Muv2qnAR5HRUrkIATIDdNC6G574= -github.com/open-policy-agent/gatekeeper/v3 v3.14.0-beta.0.0.20230831155303-366ba791d009/go.mod h1:2SL0h/mUhORqyjrgPdEZzCF0+brv1KkyLUGGoZmzKUk= -github.com/open-policy-agent/opa v0.54.0 h1:mGEsK+R5ZTMV8fzzbNzmYDGbTmY30wmRCIHmtm2VqWs= -github.com/open-policy-agent/opa v0.54.0/go.mod h1:d8I8jWygKGi4+T4H07qrbeCdH1ITLsEfT0M+bsvxWw0= +github.com/open-policy-agent/frameworks/constraint v0.0.0-20231030230613-2e0cb3d68575 h1:rhln22JjTgsJGL8gDK4qEM372Ei1PPQk4ZTIOKM9WvY= +github.com/open-policy-agent/frameworks/constraint v0.0.0-20231030230613-2e0cb3d68575/go.mod h1:AaCd/gbQ31R7btHO450Kdp18/Zmvn7hjEt7Qbp+MfJM= +github.com/open-policy-agent/gatekeeper/v3 v3.14.0 h1:bQV5temnG6lQHk0Bm7paT2T3oV5cZqtjp4MjiWwiKrE= +github.com/open-policy-agent/gatekeeper/v3 v3.14.0/go.mod h1:F8UlPaPg/6TuZcVoYLj1+1ptnxOCOxKyasEIv4IzSOs= +github.com/open-policy-agent/opa v0.57.1 h1:LAa4Z0UkpjV94nRLy6XCvgOacQ6N1jf8TJLMUIzFRqc= +github.com/open-policy-agent/opa v0.57.1/go.mod h1:YYcVsWcdOW47owR0zElx8HPYZK60vL0MOPsEmh13us4= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= 
-github.com/opencontainers/image-spec v1.1.0-rc2 h1:2zx/Stx4Wc5pIPDvIxHXvXtQFW/7XWJGmnM7r3wg034= -github.com/opencontainers/image-spec v1.1.0-rc2/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ= +github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI= +github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= @@ -363,7 +291,6 @@ github.com/prometheus/statsd_exporter v0.22.7 h1:7Pji/i2GuhK6Lu7DHrtTkFmNBCudCPT github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= -github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= 
@@ -380,13 +307,12 @@ github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSS github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gtY= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= 
@@ -397,39 +323,30 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1: github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= github.com/yashtewari/glob-intersection v0.2.0 h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg= github.com/yashtewari/glob-intersection v0.2.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok= -github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 h1:+lm10QQTNSBd8DVTNGHx7o/IKu9HYDvLMffDhbyLccI= github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 h1:hlE8//ciYMztlGpl/VA+Zm1AcTPHYkHJPbHqE6WJUXE= github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f h1:ERexzlUfuTvpE74urLSbIQW0Z/6hF9t8U4NsJLaioAY= -go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= -go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= -go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.37.0 h1:yt2NKzK7Vyo6h0+X8BA4FpreZQTlVEIarnsBP/H5mzs= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.37.0/go.mod h1:+ARmXlUlc51J7sZeCBkBJNdHGySrdOzgzxp6VWRWM1U= -go.opentelemetry.io/otel v1.14.0 h1:/79Huy8wbf5DnIPhemGB+zEPVwnN6fuQybr/SRXa6hM= 
-go.opentelemetry.io/otel v1.14.0/go.mod h1:o4buv+dJzx8rohcUeRmWUZhqupFvzWis188WlggnNeU= -go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.14.0 h1:/fXHZHGvro6MVqV34fJzDhi7sHGpX3Ej/Qjmfn003ho= -go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.14.0/go.mod h1:UFG7EBMRdXyFstOwH028U0sVf+AvukSGhF0g8+dmNG8= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.14.0 h1:TKf2uAs2ueguzLaxOCBXNpHxfO/aC7PAdDsSH0IbeRQ= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.14.0/go.mod h1:HrbCVv40OOLTABmOn1ZWty6CHXkU8DK/Urc43tHug70= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.14.0 h1:ap+y8RXX3Mu9apKVtOkM6WSFESLM8K3wNQyOU8sWHcc= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.14.0/go.mod h1:5w41DY6S9gZrbjuq6Y+753e96WfPha5IcsOSZTtullM= -go.opentelemetry.io/otel/metric v0.34.0 h1:MCPoQxcg/26EuuJwpYN1mZTeCYAUGx8ABxfW07YkjP8= -go.opentelemetry.io/otel/metric v0.34.0/go.mod h1:ZFuI4yQGNCupurTXCwkeD/zHBt+C2bR7bw5JqUm/AP8= -go.opentelemetry.io/otel/sdk v1.14.0 h1:PDCppFRDq8A1jL9v6KMI6dYesaq+DFcDZvjsoGvxGzY= -go.opentelemetry.io/otel/sdk v1.14.0/go.mod h1:bwIC5TjrNG6QDCHNWvW4HLHtUQ4I+VQDsnjhvyZCALM= -go.opentelemetry.io/otel/trace v1.14.0 h1:wp2Mmvj41tDsyAJXiWDWpfNsOiIyd38fy85pyKcFq/M= -go.opentelemetry.io/otel/trace v1.14.0/go.mod h1:8avnQLK+CG77yNLUae4ea2JDQ6iT+gozhnZjy/rw9G8= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 h1:x8Z78aZx8cOF0+Kkazoc7lwUNMGy0LrzEMxTm4BbTxg= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0/go.mod h1:62CPTSry9QZtOaSsE3tOzhx6LzDhHnXJ6xHeMNNiM6Q= +go.opentelemetry.io/otel v1.19.0 h1:MuS/TNf4/j4IXsZuJegVzI1cwut7Qc00344rgH7p8bs= +go.opentelemetry.io/otel v1.19.0/go.mod h1:i0QyjOq3UPoTzff0PJB2N66fb4S0+rSbSB15/oyH9fY= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 h1:Mne5On7VWdx7omSrSSZvM4Kw7cS7NQkOOmLcgscI51U= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0/go.mod h1:IPtUMKL4O3tH5y+iXVyAXqpAwMuzC1IrxVS81rummfE= 
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0 h1:3d+S281UTjM+AbF31XSOYn1qXn3BgIdWl8HNEpx08Jk= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0/go.mod h1:0+KuTDyKL4gjKCF75pHOX4wuzYDUZYfAQdSu43o+Z2I= +go.opentelemetry.io/otel/metric v1.19.0 h1:aTzpGtV0ar9wlV4Sna9sdJyII5jTVJEvKETPiOKwvpE= +go.opentelemetry.io/otel/metric v1.19.0/go.mod h1:L5rUsV9kM1IxCj1MmSdS+JQAcVm319EUrDVLrt7jqt8= +go.opentelemetry.io/otel/sdk v1.19.0 h1:6USY6zH+L8uMH8L3t1enZPR3WFEmSTADlqldyHtJi3o= +go.opentelemetry.io/otel/sdk v1.19.0/go.mod h1:NedEbbS4w3C6zElbLdPJKOpJQOrGUJ+GfzpjUvI0v1A= +go.opentelemetry.io/otel/trace v1.19.0 h1:DFVQmlVbfVeOuBRrwdtaehRrWiL1JoVs9CPIQ1Dzxpg= +go.opentelemetry.io/otel/trace v1.19.0/go.mod h1:mfaSyvGyEJEI0nyV2I4qhNQnbBOUUmYZpYojqMnX2vo= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= -go.opentelemetry.io/proto/otlp v0.19.0 h1:IVN6GR+mhC4s5yfcTbmzHYODqvWAp3ZedA2SJPI1Nnw= -go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= +go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= +go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= 
@@ -438,39 +355,13 @@ go.uber.org/multierr v1.8.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95a go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.10.0 h1:LKqV2xt9+kDzSTfOhx4FrkEBcMrAgHSYgzywV9zcGmM= +golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= -golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= -golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= -golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= -golang.org/x/exp 
v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= -golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= -golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= -golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= -golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= -golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= -golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= -golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod 
h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 
@@ -482,82 +373,38 @@ golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73r golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod 
h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.11.0 h1:Gi2tvZIJyBtO9SDr1q9h5hEQCp/4L2RQ+ar0qjx2oNU= -golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ= +golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g= -golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4= +golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8= +golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI= -golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= +golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
-golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -570,68 +417,29 @@ golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s= -golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.9.0 h1:GRRCnKYhdQrD8kfRAdQ6Zcw1P0OcELxGLKJvtjVMZ28= -golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo= -golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= +golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.10.0 
h1:UpjohKhiEgNc0CSauXmwYftY1+LlaC75SJwh0SgCX58= -golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools 
v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools 
v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= -golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo= 
@@ -641,83 +449,30 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gomodules.xyz/jsonpatch/v2 v2.3.0 h1:8NFhfS6gzxNqjLIYnZxg319wZ5Qjnx4m/CcX+Klzazc= gomodules.xyz/jsonpatch/v2 v2.3.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= -google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= -google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= -google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= -google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= -google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= -google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= -google.golang.org/api v0.114.0 h1:1xQPji6cO2E2vLiI+C/XiFAnsn1WV3mjaEwGLhi3grE= +google.golang.org/api v0.126.0 h1:q4GJq+cAdMAC7XP7njvQ4tvohGLiSlytuL4BQxbIZ+o= google.golang.org/appengine v1.1.0/go.mod 
h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= -google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= -google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= -google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto 
v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= -google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= -google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 
-google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A= -google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU= +google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98 h1:Z0hjGZePRE0ZBWotvtrwxFNrNE9CUAGtplaDK5NNI/g= +google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98 h1:FmF5cCW94Ij59cfpoLiwTgodWmm60eEV0CjlsVg2fuw= +google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 h1:bVf09lpb+OJbByTj913DRJioFFAjf/ZGxEz7MajTp2U= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= -google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= -google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= -google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.27.1/go.mod 
h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= -google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= -google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= -google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= -google.golang.org/grpc v1.56.1 h1:z0dNfjIl0VpaZ9iSVjA6daGatAYwPGstTjt5vkRMFkQ= -google.golang.org/grpc v1.56.1/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= +google.golang.org/grpc v1.58.2 h1:SXUpjxeVF3FKrTYQI4f4KvbGD5u2xccdYdurwowix5I= +google.golang.org/grpc v1.58.2/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -726,20 +481,17 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= -google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= -gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= 
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 
@@ -754,20 +506,15 @@ gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= +gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= -honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= k8s.io/api v0.27.4 h1:0pCo/AN9hONazBKlNUdhQymmnfLRbSZjd5H5H3f0bSs= k8s.io/api v0.27.4/go.mod h1:O3smaaX15NfxjzILfiln1D8Z3+gEYpjEpiNA/1EVK1Y= k8s.io/apiextensions-apiserver v0.27.4 h1:ie1yZG4nY/wvFMIR2hXBeSVq+HfNzib60FjnBYtPGSs= k8s.io/apiextensions-apiserver v0.27.4/go.mod h1:KHZaDr5H9IbGEnSskEUp/DsdXe1hMQ7uzpQcYUFt2bM= -k8s.io/apimachinery v0.27.6 h1:mGU8jmBq5o8mWBov+mLjdTBcU+etTE19waies4AQ6NE= -k8s.io/apimachinery v0.27.6/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= +k8s.io/apimachinery v0.27.7 h1:Gxgtb7Y/Rsu8ymgmUEaiErkxa6RY4oTd8kNUI6SUR58= +k8s.io/apimachinery v0.27.7/go.mod h1:jBGQgTjkw99ef6q5hv1YurDd3BqKDk9YRxmX0Ozo0i8= k8s.io/apiserver v0.27.4 h1:ncZ0MBR9yQ/Gf34rtu1EK+HqT8In1YpfAUINu/Akvho= k8s.io/apiserver v0.27.4/go.mod h1:GDEFRfFZ4/l+pAvwYRnoSfz0K4j3TWiN4WsG2KnRteE= 
k8s.io/client-go v0.27.4 h1:vj2YTtSJ6J4KxaC88P4pMPEQECWMY8gqPqsTgUKzvjk= @@ -778,13 +525,10 @@ k8s.io/klog/v2 v2.90.1 h1:m4bYOKall2MmOiRaR1J+We67Do7vm9KiQVlT96lnHUw= k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg= k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= -k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY= -k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -oras.land/oras-go v1.2.2 h1:0E9tOHUfrNH7TCDk5KU0jVBEzCqbfdyuVfGmJ7ZeRPE= -oras.land/oras-go v1.2.2/go.mod h1:Apa81sKoZPpP7CDciE006tSZ0x3Q3+dOoBcMZ/aNxvw= -rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= -rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= -rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= +k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 h1:kmDqav+P+/5e1i9tFfHq1qcF3sOrDp+YEkVDAHu7Jwk= +k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +oras.land/oras-go v1.2.4 h1:djpBY2/2Cs1PV87GSJlxv4voajVOMZxqqtq9AB8YNvY= +oras.land/oras-go v1.2.4/go.mod h1:DYcGfb3YF1nKjcezfX2SNlDAeQFKSXmf+qrFmrh4324= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2 h1:trsWhjU5jZrx6UvFu4WzQDrN7Pga4a7Qg+zcfcj64PA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2/go.mod h1:+qG7ISXqCDVVcyO8hLn12AKVYYUjM7ftlqsqmrhMZE0= sigs.k8s.io/controller-runtime v0.15.0 h1:ML+5Adt3qZnMSYxZ7gAverBLNPSMQEibtzAgp0UPojU= diff --git a/scripts/website/generate.go b/scripts/website/generate.go index 62496ed03..fd0d6b9e9 100644 --- a/scripts/website/generate.go +++ b/scripts/website/generate.go @@ -10,6 +10,7 @@ import ( "strings" "gopkg.in/yaml.v3" + "k8s.io/utils/strings/slices" ) const ( 
@@ -28,6 +29,9 @@ const ( mutationPattern = `(\s*)(type:\s+'category',\s+label:\s+'Mutation',\s+collapsed:\s+true,\s+items:\s*\[\s)(\s*)([^\]]*,)` ) +// Skip including examples for the following Kinds. +var skipExampleKinds = []string{"AdmissionReview"} + // Suite ... // ToDo (nilekh): Get this struct from the Gatekeeper repo. type Suite struct { @@ -140,7 +144,20 @@ func main() { fmt.Println("error while reading ", testCase.Object) panic(err) } - examples += fmt.Sprintf("
\n%s\n\n```yaml\n%s\n```\n\nUsage\n\n```shell\nkubectl apply -f %s\n```\n\n
\n", testCase.Name, exampleContent, exampleRawURL) + + exampleResource := make(map[string]interface{}) + err = yaml.Unmarshal(exampleContent, &exampleResource) + if err != nil { + fmt.Printf("error while unmarshaling: %v", exampleRawURL) + panic(err) + } + + if exampleKind, ok := exampleResource["kind"].(string); !ok { + fmt.Printf("error while parsing kind: %v", exampleRawURL) + panic(err) + } else if !slices.Contains(skipExampleKinds, exampleKind) { + examples += fmt.Sprintf("
\n%s\n\n```yaml\n%s\n```\n\nUsage\n\n```shell\nkubectl apply -f %s\n```\n\n
\n", testCase.Name, exampleContent, exampleRawURL) + } } allExamples += fmt.Sprintf("
\n%s
\n\n%s\n%s\n\n
", test.Name, constraintExample, examples) diff --git a/src/general/automount-serviceaccount-token/constraint.tmpl b/src/general/automount-serviceaccount-token/constraint.tmpl index b5fec0dd3..9b5a9531b 100644 --- a/src/general/automount-serviceaccount-token/constraint.tmpl +++ b/src/general/automount-serviceaccount-token/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spspautomountserviceaccounttokenpod annotations: metadata.gatekeeper.sh/title: "Automount Service Account Token for Pod" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the ability of any Pod to enable automountServiceAccountToken. spec: @@ -21,3 +21,6 @@ spec: - target: admission.k8s.gatekeeper.sh rego: | {{ file.Read "src/general/automount-serviceaccount-token/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} + libs: + - | +{{ file.Read "src/general/automount-serviceaccount-token/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/general/automount-serviceaccount-token/lib_exclude_update.rego b/src/general/automount-serviceaccount-token/lib_exclude_update.rego new file mode 100644 index 000000000..96433d78a --- /dev/null +++ b/src/general/automount-serviceaccount-token/lib_exclude_update.rego @@ -0,0 +1,5 @@ +package lib.exclude_update + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/general/automount-serviceaccount-token/src.rego b/src/general/automount-serviceaccount-token/src.rego index 88fd1aec9..55f6f43a7 100644 --- a/src/general/automount-serviceaccount-token/src.rego +++ b/src/general/automount-serviceaccount-token/src.rego 
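Review bot: In the `!ok` branch of the new kind check, `panic(err)` is reached only after `yaml.Unmarshal` returned nil, so it panics with a nil value and the preceding `Printf` is the only trace of why; in Go 1.21+ this surfaces as a `*runtime.PanicNilError`, and on older toolchains `recover()` cannot even tell a panic happened. Panic with the message instead, e.g. `panic(fmt.Sprintf("kind is not a string in %s", exampleRawURL))`, and add a trailing `\n` to both `Printf` calls so the URL is not glued to the panic output. Note also that `yaml.Unmarshal` decodes only the first document of a multi-document file, so if any example under `testCase.Object` is `---`-separated the `AdmissionReview` skip applies to the first document only — worth a one-line comment on `skipExampleKinds` if that is acceptable. The enclosing `main` starts and ends outside this hunk.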
@@ -1,6 +1,11 @@ package k8sautomountserviceaccounttoken +import data.lib.exclude_update.is_update + violation[{"msg": msg}] { + # spec.automountServiceAccountToken and spec.containers.volumeMounts fields are immutable. + not is_update(input.review) + obj := input.review.object mountServiceAccountToken(obj.spec) msg := sprintf("Automounting service account token is disallowed, pod: %v", [obj.metadata.name]) diff --git a/src/general/automount-serviceaccount-token/src_test.rego b/src/general/automount-serviceaccount-token/src_test.rego index 5c3075dec..ec2c75ea2 100644 --- a/src/general/automount-serviceaccount-token/src_test.rego +++ b/src/general/automount-serviceaccount-token/src_test.rego @@ -18,6 +18,12 @@ test_input_pod_automountserviceaccounttoken_not_defined { count(results) > 0 } +test_update { + input := {"review": object.union(input_review_enabled_automountserviceaccounttoken, {"operation": "UPDATE"})} + results := violation with input as input + count(results) == 0 +} + input_review_disabled_automountserviceaccounttoken = {"object": { "metadata": {"name": "nginx"}, "spec": { diff --git a/src/general/ephemeralstoragelimit/constraint.tmpl b/src/general/ephemeralstoragelimit/constraint.tmpl index a97cbfef8..827b6bd52 100644 --- a/src/general/ephemeralstoragelimit/constraint.tmpl +++ b/src/general/ephemeralstoragelimit/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8scontainerephemeralstoragelimit annotations: metadata.gatekeeper.sh/title: "Container ephemeral storage limit" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values. 
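Review bot: The new `test_update` only pins the negative case; nothing in the test file sets `"operation": "CREATE"`, so a later change to `is_update` (for example one that also treats a missing `operation` as update) could silently disable the policy on admission without any test failing. Add a sibling test such as `input := {"review": object.union(input_review_enabled_automountserviceaccounttoken, {"operation": "CREATE"})}` asserting `count(results) > 0`. The existing tests, which carry no `operation` at all, presumably stand in for the audit path where Gatekeeper supplies no operation — a one-line comment saying so next to `test_update` would make the intent of the guard clear to the next maintainer.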
@@ -39,4 +39,6 @@ spec: {{ file.Read "src/general/ephemeralstoragelimit/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | +{{ file.Read "src/general/ephemeralstoragelimit/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} + - | {{ file.Read "src/general/ephemeralstoragelimit/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/general/ephemeralstoragelimit/lib_exclude_update.rego b/src/general/ephemeralstoragelimit/lib_exclude_update.rego new file mode 100644 index 000000000..96433d78a --- /dev/null +++ b/src/general/ephemeralstoragelimit/lib_exclude_update.rego @@ -0,0 +1,5 @@ +package lib.exclude_update + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/general/ephemeralstoragelimit/src.rego b/src/general/ephemeralstoragelimit/src.rego index e42f048e5..88100fbf5 100644 --- a/src/general/ephemeralstoragelimit/src.rego +++ b/src/general/ephemeralstoragelimit/src.rego @@ -1,5 +1,6 @@ package k8scontainerephemeralstoragelimit +import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt missing(obj, field) = true { @@ -112,10 +113,14 @@ canonify_storage(orig) = new { } violation[{"msg": msg}] { + # spec.containers.resources.limits["ephemeral-storage"] field is immutable. + not is_update(input.review) + general_violation[{"msg": msg, "field": "containers"}] } violation[{"msg": msg}] { + not is_update(input.review) general_violation[{"msg": msg, "field": "initContainers"}] } diff --git a/src/general/ephemeralstoragelimit/src_test.rego b/src/general/ephemeralstoragelimit/src_test.rego index bcd4625b6..c2ede0c4d 100644 --- a/src/general/ephemeralstoragelimit/src_test.rego +++ b/src/general/ephemeralstoragelimit/src_test.rego 
@@ -147,6 +147,11 @@ test_input_violations_eph_Ei_with_exemption { results := violation with input as input count(results) == 0 } +test_update { + input := {"review": object.union(review([ctr("a", 4096)]), {"operation": "UPDATE"}), "parameters": {"ephemeral-storage": "2048"}} + results := violation with input as input + count(results) == 0 +} review(containers) = output { output = { diff --git a/src/general/requiredprobes/constraint.tmpl b/src/general/requiredprobes/constraint.tmpl index 6b81857dc..7ebfbb77a 100644 --- a/src/general/requiredprobes/constraint.tmpl +++ b/src/general/requiredprobes/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8srequiredprobes annotations: metadata.gatekeeper.sh/title: "Required Probes" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: Requires Pods to have readiness and/or liveness probes. spec: crd: @@ -29,3 +29,6 @@ spec: - target: admission.k8s.gatekeeper.sh rego: | {{ file.Read "src/general/requiredprobes/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} + libs: + - | +{{ file.Read "src/general/requiredprobes/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/general/requiredprobes/lib_exclude_update.rego b/src/general/requiredprobes/lib_exclude_update.rego new file mode 100644 index 000000000..96433d78a --- /dev/null +++ b/src/general/requiredprobes/lib_exclude_update.rego @@ -0,0 +1,5 @@ +package lib.exclude_update + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/general/requiredprobes/src.rego b/src/general/requiredprobes/src.rego index 532b036d7..b94ca6f2c 100644 --- a/src/general/requiredprobes/src.rego +++ b/src/general/requiredprobes/src.rego 
@@ -1,10 +1,15 @@ package k8srequiredprobes +import data.lib.exclude_update.is_update + probe_type_set = probe_types { probe_types := {type | type := input.parameters.probeTypes[_]} } violation[{"msg": msg}] { + # Probe fields are immutable. + not is_update(input.review) + container := input.review.object.spec.containers[_] probe := input.parameters.probes[_] probe_is_missing(container, probe) diff --git a/src/general/requiredprobes/src_test.rego b/src/general/requiredprobes/src_test.rego index a860b2e46..0ad2676e2 100644 --- a/src/general/requiredprobes/src_test.rego +++ b/src/general/requiredprobes/src_test.rego @@ -335,6 +335,14 @@ test_two_ctrs_empty_liveness_in_ctr_two_both_empty_probes_in_ctr_one { count(results) == 3 } +test_update { + kind := kinds[_] + input := {"review": object.union(review([{"name": "my-container","image": "my-image:latest", "livenessProbe": {"tcpSocket": {"port":80}}}]), {"operation": "UPDATE"}), + "parameters": parameters} + results := violation with input as input + count(results) == 0 +} + review(containers) = obj { obj = { "kind": { diff --git a/src/pod-security-policy/allow-privilege-escalation/constraint.tmpl b/src/pod-security-policy/allow-privilege-escalation/constraint.tmpl index 3c6abdfe3..e5f6f323f 100644 --- a/src/pod-security-policy/allow-privilege-escalation/constraint.tmpl +++ b/src/pod-security-policy/allow-privilege-escalation/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spspallowprivilegeescalationcontainer annotations: metadata.gatekeeper.sh/title: "Allow Privilege Escalation in Container" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls restricting escalation to root privileges. Corresponds to the `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more 
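Review bot: In `test_update` the assignment `kind := kinds[_]` is never used in the body, so under `opa check --strict` the test fails with an "assigned var kind unused" error, and in non-strict mode it merely re-runs the same assertion once per element of `kinds` (defined outside this hunk). Either drop the line or feed it into the review, e.g. `object.union(review([...]), {"operation": "UPDATE", "kind": kind})`, so the test actually exercises each kind with an UPDATE operation as it appears intended to. The long `input := ...` line would also read better split across lines as the other tests in this file do.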
@@ -40,4 +40,6 @@ spec: {{ file.Read "src/pod-security-policy/allow-privilege-escalation/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | +{{ file.Read "src/pod-security-policy/allow-privilege-escalation/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} + - | {{ file.Read "src/pod-security-policy/allow-privilege-escalation/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/allow-privilege-escalation/lib_exclude_update.rego b/src/pod-security-policy/allow-privilege-escalation/lib_exclude_update.rego new file mode 100644 index 000000000..96433d78a --- /dev/null +++ b/src/pod-security-policy/allow-privilege-escalation/lib_exclude_update.rego @@ -0,0 +1,5 @@ +package lib.exclude_update + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/allow-privilege-escalation/src.rego b/src/pod-security-policy/allow-privilege-escalation/src.rego index 7c16226c1..7c9d74bc1 100644 --- a/src/pod-security-policy/allow-privilege-escalation/src.rego +++ b/src/pod-security-policy/allow-privilege-escalation/src.rego @@ -1,8 +1,12 @@ package k8spspallowprivilegeescalationcontainer +import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.securityContext.allowPrivilegeEscalation field is immutable. + not is_update(input.review) + c := input_containers[_] not is_exempt(c) input_allow_privilege_escalation(c) diff --git a/src/pod-security-policy/allow-privilege-escalation/src_test.rego b/src/pod-security-policy/allow-privilege-escalation/src_test.rego index bd3fa88e7..a8e380d1f 100644 --- a/src/pod-security-policy/allow-privilege-escalation/src_test.rego +++ b/src/pod-security-policy/allow-privilege-escalation/src_test.rego 
@@ -40,6 +40,11 @@ test_input_container_many_mixed_privilege_escalation_not_allowed_two { results := violation with input as input count(results) == 2 } +test_update { + input := { "review": object.union(input_review_priv, {"operation": "UPDATE"})} + results := violation with input as input + count(results) == 0 +} input_review = { "object": { diff --git a/src/pod-security-policy/capabilities/constraint.tmpl b/src/pod-security-policy/capabilities/constraint.tmpl index a7220f46c..88bd9e262 100644 --- a/src/pod-security-policy/capabilities/constraint.tmpl +++ b/src/pod-security-policy/capabilities/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spspcapabilities annotations: metadata.gatekeeper.sh/title: "Capabilities" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls Linux capabilities on containers. Corresponds to the `allowedCapabilities` and `requiredDropCapabilities` fields in a @@ -51,4 +51,6 @@ spec: {{ file.Read "src/pod-security-policy/capabilities/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | +{{ file.Read "src/pod-security-policy/capabilities/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} + - | {{ file.Read "src/pod-security-policy/capabilities/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/capabilities/lib_exclude_update.rego b/src/pod-security-policy/capabilities/lib_exclude_update.rego new file mode 100644 index 000000000..96433d78a --- /dev/null +++ b/src/pod-security-policy/capabilities/lib_exclude_update.rego @@ -0,0 +1,5 @@ +package lib.exclude_update + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/capabilities/src.rego b/src/pod-security-policy/capabilities/src.rego index 95e4fb529..b60b26a3f 100644 --- a/src/pod-security-policy/capabilities/src.rego +++ b/src/pod-security-policy/capabilities/src.rego 
@@ -1,8 +1,12 @@ package capabilities +import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg}] { + # spec.containers.securityContext.capabilities field is immutable. + not is_update(input.review) + container := input.review.object.spec.containers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -10,6 +14,7 @@ violation[{"msg": msg}] { } violation[{"msg": msg}] { + not is_update(input.review) container := input.review.object.spec.containers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -19,6 +24,7 @@ violation[{"msg": msg}] { violation[{"msg": msg}] { + not is_update(input.review) container := input.review.object.spec.initContainers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -26,6 +32,7 @@ violation[{"msg": msg}] { } violation[{"msg": msg}] { + not is_update(input.review) container := input.review.object.spec.initContainers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -35,6 +42,7 @@ violation[{"msg": msg}] { violation[{"msg": msg}] { + not is_update(input.review) container := input.review.object.spec.ephemeralContainers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -42,6 +50,7 @@ violation[{"msg": msg}] { } violation[{"msg": msg}] { + not is_update(input.review) container := input.review.object.spec.ephemeralContainers[_] not is_exempt(container) missing_drop_capabilities(container) diff --git a/src/pod-security-policy/capabilities/src_test.rego b/src/pod-security-policy/capabilities/src_test.rego index 4de431a5d..6158a3eea 100644 --- a/src/pod-security-policy/capabilities/src_test.rego +++ b/src/pod-security-policy/capabilities/src_test.rego 
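Review bot: Adding `not is_update(input.review)` to the two `spec.ephemeralContainers[_]` rules disables them on admission: ephemeral containers cannot be set on CREATE and are only ever added through an UPDATE of the `pods/ephemeralcontainers` subresource (e.g. `kubectl debug`), so a debug container requesting a disallowed capability or omitting the required drops would now pass if the Gatekeeper webhook is configured to receive that subresource. The immutability argument in the comment holds for `containers` and `initContainers`, but `ephemeralContainers` is the one pod field that grows after creation. Remove the guard from those two rules only, keeping `container := input.review.object.spec.ephemeralContainers[_]` and the `is_exempt` check as before, and add a `test_update` variant built from an ephemeral-container review that expects `count(results) > 0`.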
@@ -134,6 +134,12 @@ test_input_drop_literal_all_x2 { count(results) == 0 } +test_update { + input := { "review": object.union(input_review([cadd(["one"])]), {"operation": "UPDATE"}), "parameters": {"allowedCapabilities": []}} + results := violation with input as input + count(results) == 0 +} + # init containers test_input_all_allowed { input := { "review": input_init_review([cadd(["one", "two"])]), "parameters": {"allowedCapabilities": ["*"]}} diff --git a/src/pod-security-policy/flexvolume-drivers/constraint.tmpl b/src/pod-security-policy/flexvolume-drivers/constraint.tmpl index 609f4c3aa..e0a7b51df 100644 --- a/src/pod-security-policy/flexvolume-drivers/constraint.tmpl +++ b/src/pod-security-policy/flexvolume-drivers/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spspflexvolumes annotations: metadata.gatekeeper.sh/title: "FlexVolumes" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the allowlist of FlexVolume drivers. Corresponds to the `allowedFlexVolumes` field in PodSecurityPolicy. For more information, @@ -38,3 +38,6 @@ spec: - target: admission.k8s.gatekeeper.sh rego: | {{ file.Read "src/pod-security-policy/flexvolume-drivers/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} + libs: + - | +{{ file.Read "src/pod-security-policy/flexvolume-drivers/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/flexvolume-drivers/lib_exclude_update.rego b/src/pod-security-policy/flexvolume-drivers/lib_exclude_update.rego new file mode 100644 index 000000000..96433d78a --- /dev/null +++ b/src/pod-security-policy/flexvolume-drivers/lib_exclude_update.rego @@ -0,0 +1,5 @@ +package lib.exclude_update + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/flexvolume-drivers/src.rego b/src/pod-security-policy/flexvolume-drivers/src.rego index b729e221b..1d42653c1 100644 
--- a/src/pod-security-policy/flexvolume-drivers/src.rego +++ b/src/pod-security-policy/flexvolume-drivers/src.rego @@ -1,6 +1,11 @@ package k8spspflexvolumes +import data.lib.exclude_update.is_update + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update(input.review) + volume := input_flexvolumes[_] not input_flexvolumes_allowed(volume) msg := sprintf("FlexVolume %v is not allowed, pod: %v. Allowed drivers: %v", [volume, input.review.object.metadata.name, input.parameters.allowedFlexVolumes]) diff --git a/src/pod-security-policy/flexvolume-drivers/src_test.rego b/src/pod-security-policy/flexvolume-drivers/src_test.rego index 590ee49a0..3b8eb69be 100644 --- a/src/pod-security-policy/flexvolume-drivers/src_test.rego +++ b/src/pod-security-policy/flexvolume-drivers/src_test.rego @@ -54,6 +54,12 @@ test_input_flexvolume_many_mixed_allowed { count(results) == 1 } +test_update { + input := { "review": object.union(input_review, {"operation": "UPDATE"}), "parameters": input_parameters_empty} + results := violation with input as input + count(results) == 0 +} + input_review = { "object": { "metadata": { diff --git a/src/pod-security-policy/forbidden-sysctls/constraint.tmpl b/src/pod-security-policy/forbidden-sysctls/constraint.tmpl index 97c294a70..91cecf030 100644 --- a/src/pod-security-policy/forbidden-sysctls/constraint.tmpl +++ b/src/pod-security-policy/forbidden-sysctls/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spspforbiddensysctls annotations: metadata.gatekeeper.sh/title: "Forbidden Sysctls" - metadata.gatekeeper.sh/version: 1.1.1 + metadata.gatekeeper.sh/version: 1.1.2 description: >- Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. 
@@ -41,3 +41,6 @@ spec: - target: admission.k8s.gatekeeper.sh rego: | {{ file.Read "src/pod-security-policy/forbidden-sysctls/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} + libs: + - | +{{ file.Read "src/pod-security-policy/forbidden-sysctls/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/forbidden-sysctls/lib_exclude_update.rego b/src/pod-security-policy/forbidden-sysctls/lib_exclude_update.rego new file mode 100644 index 000000000..96433d78a --- /dev/null +++ b/src/pod-security-policy/forbidden-sysctls/lib_exclude_update.rego @@ -0,0 +1,5 @@ +package lib.exclude_update + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/forbidden-sysctls/src.rego b/src/pod-security-policy/forbidden-sysctls/src.rego index 5675fc95c..359dd44c7 100644 --- a/src/pod-security-policy/forbidden-sysctls/src.rego +++ b/src/pod-security-policy/forbidden-sysctls/src.rego @@ -1,7 +1,12 @@ package k8spspforbiddensysctls +import data.lib.exclude_update.is_update + # Block if forbidden violation[{"msg": msg, "details": {}}] { + # spec.securityContext.sysctls field is immutable. + not is_update(input.review) + sysctl := input.review.object.spec.securityContext.sysctls[_].name forbidden_sysctl(sysctl) msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls]) @@ -9,6 +14,7 @@ violation[{"msg": msg, "details": {}}] { # Block if not explicitly allowed violation[{"msg": msg, "details": {}}] { + not is_update(input.review) sysctl := input.review.object.spec.securityContext.sysctls[_].name not allowed_sysctl(sysctl) msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls]) 
diff --git a/src/pod-security-policy/forbidden-sysctls/src_test.rego b/src/pod-security-policy/forbidden-sysctls/src_test.rego index 5a299028d..d2bd78027 100644 --- a/src/pod-security-policy/forbidden-sysctls/src_test.rego +++ b/src/pod-security-policy/forbidden-sysctls/src_test.rego @@ -153,6 +153,12 @@ test_input_sysctls_allowed_and_forbidden { count(results) == 2 } +test_update { + input := { "review": object.union(input_review, {"operation": "UPDATE"}), "parameters": input_parameters_wildcard} + results := violation with input as input + count(results) == 0 +} + input_review = { "object": { "metadata": { diff --git a/src/pod-security-policy/fsgroup/constraint.tmpl b/src/pod-security-policy/fsgroup/constraint.tmpl index 259927c9f..34a8b2a99 100644 --- a/src/pod-security-policy/fsgroup/constraint.tmpl +++ b/src/pod-security-policy/fsgroup/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spspfsgroup annotations: metadata.gatekeeper.sh/title: "FS Group" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy. For more information, see @@ -46,3 +46,6 @@ spec: - target: admission.k8s.gatekeeper.sh rego: | {{ file.Read "src/pod-security-policy/fsgroup/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} + libs: + - | +{{ file.Read "src/pod-security-policy/fsgroup/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/fsgroup/lib_exclude_update.rego b/src/pod-security-policy/fsgroup/lib_exclude_update.rego new file mode 100644 index 000000000..96433d78a --- /dev/null +++ b/src/pod-security-policy/fsgroup/lib_exclude_update.rego @@ -0,0 +1,5 @@ +package lib.exclude_update + +is_update(review) { + review.operation == "UPDATE" +} 
diff --git a/src/pod-security-policy/fsgroup/src.rego b/src/pod-security-policy/fsgroup/src.rego index 021e7c561..23690a0de 100644 --- a/src/pod-security-policy/fsgroup/src.rego +++ b/src/pod-security-policy/fsgroup/src.rego @@ -1,6 +1,11 @@ package k8spspfsgroup +import data.lib.exclude_update.is_update + violation[{"msg": msg, "details": {}}] { + # spec.securityContext.fsGroup field is immutable. + not is_update(input.review) + spec := input.review.object.spec not input_fsGroup_allowed(spec) msg := sprintf("The provided pod spec fsGroup is not allowed, pod: %v. Allowed fsGroup: %v", [input.review.object.metadata.name, input.parameters]) diff --git a/src/pod-security-policy/fsgroup/src_test.rego b/src/pod-security-policy/fsgroup/src_test.rego index ca3c1910f..51fcf59f7 100644 --- a/src/pod-security-policy/fsgroup/src_test.rego +++ b/src/pod-security-policy/fsgroup/src_test.rego @@ -50,6 +50,11 @@ test_input_securitycontext_no_fsgroup_MayRunAs_allowed { results := violation with input as input count(results) == 0 } +test_update { + input := { "review": object.union(input_review_with_fsgroup, {"operation": "UPDATE"}), "parameters": input_parameters_in_list_mustrunas_outofrange} + results := violation with input as input + count(results) == 0 +} input_review = { "object": { diff --git a/src/pod-security-policy/host-filesystem/constraint.tmpl b/src/pod-security-policy/host-filesystem/constraint.tmpl index 24dd21682..39af451e1 100644 --- a/src/pod-security-policy/host-filesystem/constraint.tmpl +++ b/src/pod-security-policy/host-filesystem/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spsphostfilesystem annotations: metadata.gatekeeper.sh/title: "Host Filesystem" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, 
@@ -41,3 +41,6 @@ spec: - target: admission.k8s.gatekeeper.sh rego: | {{ file.Read "src/pod-security-policy/host-filesystem/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} + libs: + - | +{{ file.Read "src/pod-security-policy/host-filesystem/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/host-filesystem/lib_exclude_update.rego b/src/pod-security-policy/host-filesystem/lib_exclude_update.rego new file mode 100644 index 000000000..96433d78a --- /dev/null +++ b/src/pod-security-policy/host-filesystem/lib_exclude_update.rego @@ -0,0 +1,5 @@ +package lib.exclude_update + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/host-filesystem/src.rego b/src/pod-security-policy/host-filesystem/src.rego index 3e5ab3b8d..53b140816 100644 --- a/src/pod-security-policy/host-filesystem/src.rego +++ b/src/pod-security-policy/host-filesystem/src.rego @@ -1,6 +1,11 @@ package k8spsphostfilesystem +import data.lib.exclude_update.is_update + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update(input.review) + volume := input_hostpath_volumes[_] allowedPaths := get_allowed_paths(input) input_hostpath_violation(allowedPaths, volume) diff --git a/src/pod-security-policy/host-filesystem/src_test.rego b/src/pod-security-policy/host-filesystem/src_test.rego index 764f1c6bf..1e85733c3 100644 --- a/src/pod-security-policy/host-filesystem/src_test.rego +++ b/src/pod-security-policy/host-filesystem/src_test.rego @@ -105,6 +105,11 @@ test_input_hostpath_allowed_mixed_writable_mixed_parameters { results := violation with input as input count(results) == 0 } +test_update { + input := { "review": object.union(input_review, {"operation": "UPDATE"}), "parameters": input_parameters_empty} + results := violation with input as input + count(results) == 0 +} # Init Containers 
diff --git a/src/pod-security-policy/host-namespaces/constraint.tmpl b/src/pod-security-policy/host-namespaces/constraint.tmpl index 330e67ee9..7ee044381 100644 --- a/src/pod-security-policy/host-namespaces/constraint.tmpl +++ b/src/pod-security-policy/host-namespaces/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spsphostnamespace annotations: metadata.gatekeeper.sh/title: "Host Namespace" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. @@ -28,3 +28,6 @@ spec: - target: admission.k8s.gatekeeper.sh rego: | {{ file.Read "src/pod-security-policy/host-namespaces/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} + libs: + - | +{{ file.Read "src/pod-security-policy/host-namespaces/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/host-namespaces/lib_exclude_update.rego b/src/pod-security-policy/host-namespaces/lib_exclude_update.rego new file mode 100644 index 000000000..96433d78a --- /dev/null +++ b/src/pod-security-policy/host-namespaces/lib_exclude_update.rego @@ -0,0 +1,5 @@ +package lib.exclude_update + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/host-namespaces/src.rego b/src/pod-security-policy/host-namespaces/src.rego index 3f6012fe3..af50c1cb8 100644 --- a/src/pod-security-policy/host-namespaces/src.rego +++ b/src/pod-security-policy/host-namespaces/src.rego @@ -1,6 +1,11 @@ package k8spsphostnamespace +import data.lib.exclude_update.is_update + violation[{"msg": msg, "details": {}}] { + # spec.hostPID and spec.hostIPC fields are immutable. + not is_update(input.review) + input_share_hostnamespace(input.review.object) msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name]) } 
diff --git a/src/pod-security-policy/host-namespaces/src_test.rego b/src/pod-security-policy/host-namespaces/src_test.rego index dab022864..f5c13e774 100644 --- a/src/pod-security-policy/host-namespaces/src_test.rego +++ b/src/pod-security-policy/host-namespaces/src_test.rego @@ -20,6 +20,11 @@ test_input_hostnamespace_both_not_allowed { results := violation with input as input count(results) > 0 } +test_update { + input := { "review": object.union(input_review_hostPID, {"operation": "UPDATE"})} + results := violation with input as input + count(results) == 0 +} input_review = { "object": { diff --git a/src/pod-security-policy/host-network-ports/constraint.tmpl b/src/pod-security-policy/host-network-ports/constraint.tmpl index 9d32025e8..abf6653c0 100644 --- a/src/pod-security-policy/host-network-ports/constraint.tmpl +++ b/src/pod-security-policy/host-network-ports/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spsphostnetworkingports annotations: metadata.gatekeeper.sh/title: "Host Networking Ports" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the `hostNetwork` and @@ -50,4 +50,6 @@ spec: {{ file.Read "src/pod-security-policy/host-network-ports/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | +{{ file.Read "src/pod-security-policy/host-network-ports/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} + - | {{ file.Read "src/pod-security-policy/host-network-ports/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/host-network-ports/lib_exclude_update.rego b/src/pod-security-policy/host-network-ports/lib_exclude_update.rego new file mode 100644 index 000000000..96433d78a --- /dev/null +++ b/src/pod-security-policy/host-network-ports/lib_exclude_update.rego 
@@ -0,0 +1,5 @@ +package lib.exclude_update + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/host-network-ports/src.rego b/src/pod-security-policy/host-network-ports/src.rego index bc5b5b0e7..1038815c8 100644 --- a/src/pod-security-policy/host-network-ports/src.rego +++ b/src/pod-security-policy/host-network-ports/src.rego @@ -1,8 +1,12 @@ package k8spsphostnetworkingports +import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.hostNetwork field is immutable. + not is_update(input.review) + input_share_hostnetwork(input.review.object) msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters]) } diff --git a/src/pod-security-policy/host-network-ports/src_test.rego b/src/pod-security-policy/host-network-ports/src_test.rego index b467c6aa3..0e54e11d4 100644 --- a/src/pod-security-policy/host-network-ports/src_test.rego +++ b/src/pod-security-policy/host-network-ports/src_test.rego @@ -41,6 +41,11 @@ test_input_with_hostnetwork_container_ports_not_allowed_but_exempt { trace(sprintf("%v", [results])) count(results) == 0 } +test_update { + input := { "review": object.union(input_review_no_hostnetwork_container_ports_outofrange, {"operation": "UPDATE"}), "parameters": input_parameters_ports} + results := violation with input as input + count(results) == 0 +} input_review = { "object": { diff --git a/src/pod-security-policy/privileged-containers/constraint.tmpl b/src/pod-security-policy/privileged-containers/constraint.tmpl index 4090b8541..90a195925 100644 --- a/src/pod-security-policy/privileged-containers/constraint.tmpl +++ b/src/pod-security-policy/privileged-containers/constraint.tmpl 
@@ -4,7 +4,7 @@ metadata: name: k8spspprivilegedcontainer annotations: metadata.gatekeeper.sh/title: "Privileged Container" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more @@ -40,4 +40,6 @@ spec: {{ file.Read "src/pod-security-policy/privileged-containers/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | +{{ file.Read "src/pod-security-policy/privileged-containers/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} + - | {{ file.Read "src/pod-security-policy/privileged-containers/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/privileged-containers/lib_exclude_update.rego b/src/pod-security-policy/privileged-containers/lib_exclude_update.rego new file mode 100644 index 000000000..96433d78a --- /dev/null +++ b/src/pod-security-policy/privileged-containers/lib_exclude_update.rego @@ -0,0 +1,5 @@ +package lib.exclude_update + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/privileged-containers/src.rego b/src/pod-security-policy/privileged-containers/src.rego index facc61eff..a789e96da 100644 --- a/src/pod-security-policy/privileged-containers/src.rego +++ b/src/pod-security-policy/privileged-containers/src.rego @@ -1,8 +1,12 @@ package k8spspprivileged +import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.privileged field is immutable. + not is_update(input.review) + c := input_containers[_] not is_exempt(c) c.securityContext.privileged diff --git a/src/pod-security-policy/privileged-containers/src_test.rego b/src/pod-security-policy/privileged-containers/src_test.rego index 0e25bd07d..4c1a462a2 100644 
--- a/src/pod-security-policy/privileged-containers/src_test.rego +++ b/src/pod-security-policy/privileged-containers/src_test.rego @@ -30,6 +30,11 @@ test_input_container_many_mixed_privileged_not_allowed_two_but_exempt { results := violation with input as input count(results) == 0 } +test_update { + input := { "review": object.union(input_review_priv, {"operation": "UPDATE"})} + results := violation with input as input + count(results) == 0 +} input_review = { "object": { diff --git a/src/pod-security-policy/proc-mount/constraint.tmpl b/src/pod-security-policy/proc-mount/constraint.tmpl index 195313b1c..b06f815b6 100644 --- a/src/pod-security-policy/proc-mount/constraint.tmpl +++ b/src/pod-security-policy/proc-mount/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spspprocmount annotations: metadata.gatekeeper.sh/title: "Proc Mount" - metadata.gatekeeper.sh/version: 1.0.1 + metadata.gatekeeper.sh/version: 1.0.2 description: >- Controls the allowed `procMount` types for the container. Corresponds to the `allowedProcMountTypes` field in a PodSecurityPolicy. For more @@ -51,4 +51,6 @@ spec: {{ file.Read "src/pod-security-policy/proc-mount/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | +{{ file.Read "src/pod-security-policy/proc-mount/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} + - | {{ file.Read "src/pod-security-policy/proc-mount/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/proc-mount/lib_exclude_update.rego b/src/pod-security-policy/proc-mount/lib_exclude_update.rego new file mode 100644 index 000000000..96433d78a --- /dev/null +++ b/src/pod-security-policy/proc-mount/lib_exclude_update.rego @@ -0,0 +1,5 @@ +package lib.exclude_update + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/proc-mount/src.rego b/src/pod-security-policy/proc-mount/src.rego index f6520441d..cf501c8bd 100644 
--- a/src/pod-security-policy/proc-mount/src.rego +++ b/src/pod-security-policy/proc-mount/src.rego @@ -1,8 +1,12 @@ package k8spspprocmount +import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.securityContext.procMount field is immutable. + not is_update(input.review) + c := input_containers[_] not is_exempt(c) allowedProcMount := get_allowed_proc_mount(input) diff --git a/src/pod-security-policy/proc-mount/src_test.rego b/src/pod-security-policy/proc-mount/src_test.rego index 4488109c1..32452d8fb 100644 --- a/src/pod-security-policy/proc-mount/src_test.rego +++ b/src/pod-security-policy/proc-mount/src_test.rego @@ -65,6 +65,11 @@ test_input_container_many_mixed_proc_mount_allowed_two { results := violation with input as input count(results) == 0 } +test_update { + input := { "review": object.union(input_review_unmasked, {"operation": "UPDATE"}), "parameters": input_parameters_default} + results := violation with input as input + count(results) == 0 +} input_review = { "object": { diff --git a/src/pod-security-policy/read-only-root-filesystem/constraint.tmpl b/src/pod-security-policy/read-only-root-filesystem/constraint.tmpl index 3d1a4f7c4..3fa6e0607 100644 --- a/src/pod-security-policy/read-only-root-filesystem/constraint.tmpl +++ b/src/pod-security-policy/read-only-root-filesystem/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spspreadonlyrootfilesystem annotations: metadata.gatekeeper.sh/title: "Read Only Root Filesystem" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Requires the use of a read-only root file system by pod containers. Corresponds to the `readOnlyRootFilesystem` field in a 
@@ -41,4 +41,6 @@ spec: {{ file.Read "src/pod-security-policy/read-only-root-filesystem/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | +{{ file.Read "src/pod-security-policy/read-only-root-filesystem/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} + - | {{ file.Read "src/pod-security-policy/read-only-root-filesystem/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/read-only-root-filesystem/lib_exclude_update.rego b/src/pod-security-policy/read-only-root-filesystem/lib_exclude_update.rego new file mode 100644 index 000000000..96433d78a --- /dev/null +++ b/src/pod-security-policy/read-only-root-filesystem/lib_exclude_update.rego @@ -0,0 +1,5 @@ +package lib.exclude_update + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/read-only-root-filesystem/src.rego b/src/pod-security-policy/read-only-root-filesystem/src.rego index 084051e6b..3d15390f0 100644 --- a/src/pod-security-policy/read-only-root-filesystem/src.rego +++ b/src/pod-security-policy/read-only-root-filesystem/src.rego @@ -1,8 +1,12 @@ package k8spspreadonlyrootfilesystem +import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.readOnlyRootFilesystem field is immutable. + not is_update(input.review) + c := input_containers[_] not is_exempt(c) input_read_only_root_fs(c) diff --git a/src/pod-security-policy/read-only-root-filesystem/src_test.rego b/src/pod-security-policy/read-only-root-filesystem/src_test.rego index da3baf3e4..348613859 100644 --- a/src/pod-security-policy/read-only-root-filesystem/src_test.rego +++ b/src/pod-security-policy/read-only-root-filesystem/src_test.rego 
@@ -25,6 +25,11 @@ test_input_container_many_mixed_readonlyrootfilesystem_not_allowed_two_but_exemp results := violation with input as input count(results) == 0 } +test_update { + input := { "review": object.union(input_review, {"operation": "UPDATE"})} + results := violation with input as input + count(results) == 0 +} input_review = { "object": { diff --git a/src/pod-security-policy/selinux/constraint.tmpl b/src/pod-security-policy/selinux/constraint.tmpl index 4817a5c6e..051b9c694 100644 --- a/src/pod-security-policy/selinux/constraint.tmpl +++ b/src/pod-security-policy/selinux/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spspselinuxv2 annotations: metadata.gatekeeper.sh/title: "SELinux V2" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. @@ -60,4 +60,6 @@ spec: {{ file.Read "src/pod-security-policy/selinux/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | +{{ file.Read "src/pod-security-policy/selinux/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} + - | {{ file.Read "src/pod-security-policy/selinux/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/selinux/lib_exclude_update.rego b/src/pod-security-policy/selinux/lib_exclude_update.rego new file mode 100644 index 000000000..96433d78a --- /dev/null +++ b/src/pod-security-policy/selinux/lib_exclude_update.rego @@ -0,0 +1,5 @@ +package lib.exclude_update + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/selinux/src.rego b/src/pod-security-policy/selinux/src.rego index b9e98ede6..f11ededb9 100644 --- a/src/pod-security-policy/selinux/src.rego +++ b/src/pod-security-policy/selinux/src.rego 
@@ -1,15 +1,22 @@ package k8spspselinux +import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt # Disallow top level custom SELinux options violation[{"msg": msg, "details": {}}] { + # spec.securityContext.seLinuxOptions field is immutable. + not is_update(input.review) + has_field(input.review.object.spec.securityContext, "seLinuxOptions") not input_seLinuxOptions_allowed(input.review.object.spec.securityContext.seLinuxOptions) msg := sprintf("SELinux options is not allowed, pod: %v. Allowed options: %v", [input.review.object.metadata.name, input.parameters.allowedSELinuxOptions]) } # Disallow container level custom SELinux options violation[{"msg": msg, "details": {}}] { + # spec.containers.securityContext.seLinuxOptions field is immutable. + not is_update(input.review) + c := input_security_context[_] not is_exempt(c) has_field(c.securityContext, "seLinuxOptions") diff --git a/src/pod-security-policy/selinux/src_test.rego b/src/pod-security-policy/selinux/src_test.rego index eb9aa218b..8d796e8c7 100644 --- a/src/pod-security-policy/selinux/src_test.rego +++ b/src/pod-security-policy/selinux/src_test.rego @@ -133,6 +133,11 @@ test_input_seLinux_options_many_not_allowed_not_in_list_double_seccontext { count(results) == 3 } +test_input_seLinux_options_update { + input := { "review": object.union(input_review, {"operation": "UPDATE"}), "parameters": input_parameters_in_list_subset} + results := violation with input as input + count(results) == 0 +} input_review = { "object": { diff --git a/src/pod-security-policy/users/constraint.tmpl b/src/pod-security-policy/users/constraint.tmpl index 11a7728fe..2c503e343 100644 --- a/src/pod-security-policy/users/constraint.tmpl +++ b/src/pod-security-policy/users/constraint.tmpl 
@@ -4,7 +4,7 @@ metadata: name: k8spspallowedusers annotations: metadata.gatekeeper.sh/title: "Allowed Users" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the user and group IDs of the container and some volumes. Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and @@ -136,4 +136,6 @@ spec: {{ file.Read "src/pod-security-policy/users/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | +{{ file.Read "src/pod-security-policy/users/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} + - | {{ file.Read "src/pod-security-policy/users/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/users/lib_exclude_update.rego b/src/pod-security-policy/users/lib_exclude_update.rego new file mode 100644 index 000000000..96433d78a --- /dev/null +++ b/src/pod-security-policy/users/lib_exclude_update.rego @@ -0,0 +1,5 @@ +package lib.exclude_update + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/users/src.rego b/src/pod-security-policy/users/src.rego index 6f0b4f4d0..4d28bafd2 100644 --- a/src/pod-security-policy/users/src.rego +++ b/src/pod-security-policy/users/src.rego @@ -1,8 +1,12 @@ package k8spspallowedusers +import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg}] { + # runAsUser, runAsGroup, supplementalGroups, fsGroup fields are immutable. + not is_update(input.review) + fields := ["runAsUser", "runAsGroup", "supplementalGroups", "fsGroup"] field := fields[_] container := input_containers[_] diff --git a/src/pod-security-policy/users/src_test.rego b/src/pod-security-policy/users/src_test.rego index 1fbb9ecc3..6e5979c87 100644 --- a/src/pod-security-policy/users/src_test.rego +++ b/src/pod-security-policy/users/src_test.rego 
@@ -812,8 +812,11 @@ test_mixed_container_level_all_defined_mixed_in_range_mixed_rules { count(results) == 1 } - - +test_update { + input := {"review": object.union(review(null, [ctr("cont1", run_as_rule(150, 150, null, null))], null), {"operation": "UPDATE"}), "parameters": mixed_all_rules } + results := violation with input as input + count(results) == 0 +} ## Functions ## diff --git a/src/pod-security-policy/volumes/constraint.tmpl b/src/pod-security-policy/volumes/constraint.tmpl index 179800603..40f87e2c3 100644 --- a/src/pod-security-policy/volumes/constraint.tmpl +++ b/src/pod-security-policy/volumes/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spspvolumetypes annotations: metadata.gatekeeper.sh/title: "Volume Types" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Restricts mountable volume types to those specified by the user. Corresponds to the `volumes` field in a PodSecurityPolicy. For more @@ -34,3 +34,6 @@ spec: - target: admission.k8s.gatekeeper.sh rego: | {{ file.Read "src/pod-security-policy/volumes/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} + libs: + - | +{{ file.Read "src/pod-security-policy/volumes/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/volumes/lib_exclude_update.rego b/src/pod-security-policy/volumes/lib_exclude_update.rego new file mode 100644 index 000000000..96433d78a --- /dev/null +++ b/src/pod-security-policy/volumes/lib_exclude_update.rego @@ -0,0 +1,5 @@ +package lib.exclude_update + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/volumes/src.rego b/src/pod-security-policy/volumes/src.rego index 00f9d8814..2d10ecf3e 100644 --- a/src/pod-security-policy/volumes/src.rego +++ b/src/pod-security-policy/volumes/src.rego 
@@ -1,6 +1,11 @@ package k8spspvolumetypes +import data.lib.exclude_update.is_update + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update(input.review) + volume_fields := {x | input.review.object.spec.volumes[_][x]; x != "name"} field := volume_fields[_] not input_volume_type_allowed(field) diff --git a/src/pod-security-policy/volumes/src_test.rego b/src/pod-security-policy/volumes/src_test.rego index 81ba9effd..841e79bf8 100644 --- a/src/pod-security-policy/volumes/src_test.rego +++ b/src/pod-security-policy/volumes/src_test.rego @@ -67,6 +67,12 @@ test_input_volume_type_allowed_in_list_many_volumes_mixed { count(results) == 1 } +test_input_volume_type_update { + input := { "review": object.union(input_review, {"operation": "UPDATE"}), "parameters": input_parameters_empty} + results := violation with input as input + count(results) == 0 +} + input_review = { "object": { "metadata": { diff --git a/src/rego/lib_exclude_update/lib_exclude_update.rego b/src/rego/lib_exclude_update/lib_exclude_update.rego new file mode 100644 index 000000000..96433d78a --- /dev/null +++ b/src/rego/lib_exclude_update/lib_exclude_update.rego @@ -0,0 +1,5 @@ +package lib.exclude_update + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/rego/lib_exclude_update/lib_exclude_update_test.rego b/src/rego/lib_exclude_update/lib_exclude_update_test.rego new file mode 100644 index 000000000..82d642756 --- /dev/null +++ b/src/rego/lib_exclude_update/lib_exclude_update_test.rego @@ -0,0 +1,13 @@ +package lib.exclude_update + +test_update { + is_update({"operation": "UPDATE"}) +} + +test_create { + not is_update({"operation": "CREATE"}) +} + +test_empty { + not is_update({"operation": ""}) +} diff --git a/website/docs/validation/allow-privilege-escalation.md b/website/docs/validation/allow-privilege-escalation.md index 8645cdaa8..880f4fee3 100644 --- a/website/docs/validation/allow-privilege-escalation.md 
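Review bot: `is_update` treats every UPDATE as safe to skip, but the one pod UPDATE that can introduce new securityContext values — adding an ephemeral container via the `pods/ephemeralcontainers` subresource, which arrives as `operation: UPDATE` with the full Pod in `object` — is exactly the case the consuming templates (capabilities, privileged, users, procMount, …) iterate `spec.ephemeralContainers` for. Because this helper is the single switch for all of them, narrowing it here is cheaper than patching each template: skip only when the ephemeral container list is unchanged between `oldObject` and `object`, using `object.get` so an absent list compares as empty rather than leaving the comparison undefined (an undefined `ephemeral_containers_changed` would make `not` succeed and re-open the skip). Note this file is committed three times with identical contents (`src/rego/lib_exclude_update` plus a copy per policy, and `constraint.tmpl` reads the per-policy copy), so a fix has to land in every copy or one policy silently keeps the gap; a one-line comment in each copy naming the canonical source would help.

```rego
package lib.exclude_update

# True only for an UPDATE that cannot introduce new container security settings.
# Ephemeral containers are added through the pods/ephemeralcontainers subresource,
# which is an UPDATE, so an UPDATE that changes that list is deliberately NOT excluded.
is_update(review) {
    review.operation == "UPDATE"
    not ephemeral_containers_changed(review)
}

# Absent lists are treated as empty so a first-time addition is detected.
ephemeral_containers_changed(review) {
    object.get(review.object.spec, "ephemeralContainers", []) != object.get(review.oldObject.spec, "ephemeralContainers", [])
}
```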
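Review bot: The tests cover `UPDATE`, `CREATE` and `""` but not a review with no `operation` key at all, which is the shape I would expect from Gatekeeper audit, since it replays stored objects rather than admission requests (worth confirming). With the current body `review.operation == "UPDATE"` is simply undefined there, so `not is_update` holds and audit keeps enforcing — that is the behaviour to pin so a later refactor (for example a defaulted `object.get(review, "operation", ...)`) cannot silently disable audit. Add `test_missing_operation { not is_update({}) }` alongside `test_empty`.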
+++ b/website/docs/validation/allow-privilege-escalation.md @@ -16,7 +16,7 @@ metadata: name: k8spspallowprivilegeescalationcontainer annotations: metadata.gatekeeper.sh/title: "Allow Privilege Escalation in Container" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls restricting escalation to root privileges. Corresponds to the `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more @@ -51,9 +51,13 @@ spec: rego: | package k8spspallowprivilegeescalationcontainer + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.securityContext.allowPrivilegeEscalation field is immutable. + not is_update(input.review) + c := input_containers[_] not is_exempt(c) input_allow_privilege_escalation(c) @@ -80,6 +84,12 @@ spec: object[field] } libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } - | package lib.exempt_container diff --git a/website/docs/validation/automount-serviceaccount-token.md b/website/docs/validation/automount-serviceaccount-token.md index 7dddd7477..a8a7d03db 100644 --- a/website/docs/validation/automount-serviceaccount-token.md +++ b/website/docs/validation/automount-serviceaccount-token.md @@ -16,7 +16,7 @@ metadata: name: k8spspautomountserviceaccounttokenpod annotations: metadata.gatekeeper.sh/title: "Automount Service Account Token for Pod" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the ability of any Pod to enable automountServiceAccountToken. spec: 
@@ -34,7 +34,12 @@ spec: rego: | package k8sautomountserviceaccounttoken + import data.lib.exclude_update.is_update + violation[{"msg": msg}] { + # spec.automountServiceAccountToken and spec.containers.volumeMounts fields are immutable. + not is_update(input.review) + obj := input.review.object mountServiceAccountToken(obj.spec) msg := sprintf("Automounting service account token is disallowed, pod: %v", [obj.metadata.name]) @@ -64,6 +69,13 @@ spec: has_key(x, k) { _ = x[k] } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } ``` diff --git a/website/docs/validation/capabilities.md b/website/docs/validation/capabilities.md index e717bccca..33a9430da 100644 --- a/website/docs/validation/capabilities.md +++ b/website/docs/validation/capabilities.md @@ -16,7 +16,7 @@ metadata: name: k8spspcapabilities annotations: metadata.gatekeeper.sh/title: "Capabilities" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls Linux capabilities on containers. Corresponds to the `allowedCapabilities` and `requiredDropCapabilities` fields in a @@ -62,9 +62,13 @@ spec: rego: | package capabilities + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg}] { + # spec.containers.securityContext.capabilities field is immutable. + not is_update(input.review) + container := input.review.object.spec.containers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -72,6 +76,7 @@ spec: } violation[{"msg": msg}] { + not is_update(input.review) container := input.review.object.spec.containers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -81,6 +86,7 @@ spec: violation[{"msg": msg}] { + not is_update(input.review) container := input.review.object.spec.initContainers[_] not is_exempt(container) has_disallowed_capabilities(container) 
@@ -88,6 +94,7 @@ spec: } violation[{"msg": msg}] { + not is_update(input.review) container := input.review.object.spec.initContainers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -97,6 +104,7 @@ spec: violation[{"msg": msg}] { + not is_update(input.review) container := input.review.object.spec.ephemeralContainers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -104,6 +112,7 @@ spec: } violation[{"msg": msg}] { + not is_update(input.review) container := input.review.object.spec.ephemeralContainers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -138,6 +147,12 @@ spec: out = _default } libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } - | package lib.exempt_container diff --git a/website/docs/validation/ephemeralstoragelimit.md b/website/docs/validation/ephemeralstoragelimit.md index 1042c4fcb..c44abbbe6 100644 --- a/website/docs/validation/ephemeralstoragelimit.md +++ b/website/docs/validation/ephemeralstoragelimit.md @@ -17,7 +17,7 @@ metadata: name: k8scontainerephemeralstoragelimit annotations: metadata.gatekeeper.sh/title: "Container ephemeral storage limit" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values. @@ -51,6 +51,7 @@ spec: rego: | package k8scontainerephemeralstoragelimit + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt missing(obj, field) = true { @@ -163,10 +164,14 @@ spec: } violation[{"msg": msg}] { + # spec.containers.resources.limits["ephemeral-storage"] field is immutable. + not is_update(input.review) + general_violation[{"msg": msg, "field": "containers"}] } violation[{"msg": msg}] { + not is_update(input.review) general_violation[{"msg": msg, "field": "initContainers"}] } 
@@ -212,6 +217,12 @@ spec: msg := sprintf("container <%v> ephemeral-storage limit <%v> is higher than the maximum allowed of <%v>", [container.name, storage_orig, max_storage_orig]) } libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } - | package lib.exempt_container diff --git a/website/docs/validation/flexvolume-drivers.md b/website/docs/validation/flexvolume-drivers.md index 3049852ab..423aa049f 100644 --- a/website/docs/validation/flexvolume-drivers.md +++ b/website/docs/validation/flexvolume-drivers.md @@ -16,7 +16,7 @@ metadata: name: k8spspflexvolumes annotations: metadata.gatekeeper.sh/title: "FlexVolumes" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the allowlist of FlexVolume drivers. Corresponds to the `allowedFlexVolumes` field in PodSecurityPolicy. For more information, @@ -51,7 +51,12 @@ spec: rego: | package k8spspflexvolumes + import data.lib.exclude_update.is_update + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update(input.review) + volume := input_flexvolumes[_] not input_flexvolumes_allowed(volume) msg := sprintf("FlexVolume %v is not allowed, pod: %v. Allowed drivers: %v", [volume, input.review.object.metadata.name, input.parameters.allowedFlexVolumes]) @@ -70,6 +75,13 @@ spec: has_field(object, field) = true { object[field] } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } ``` diff --git a/website/docs/validation/forbidden-sysctls.md b/website/docs/validation/forbidden-sysctls.md index 2cb1a25f4..0891bc036 100644 --- a/website/docs/validation/forbidden-sysctls.md +++ b/website/docs/validation/forbidden-sysctls.md 
@@ -16,7 +16,7 @@ metadata: name: k8spspforbiddensysctls annotations: metadata.gatekeeper.sh/title: "Forbidden Sysctls" - metadata.gatekeeper.sh/version: 1.1.1 + metadata.gatekeeper.sh/version: 1.1.2 description: >- Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. @@ -54,8 +54,13 @@ spec: rego: | package k8spspforbiddensysctls + import data.lib.exclude_update.is_update + # Block if forbidden violation[{"msg": msg, "details": {}}] { + # spec.securityContext.sysctls field is immutable. + not is_update(input.review) + sysctl := input.review.object.spec.securityContext.sysctls[_].name forbidden_sysctl(sysctl) msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls]) @@ -63,6 +68,7 @@ spec: # Block if not explicitly allowed violation[{"msg": msg, "details": {}}] { + not is_update(input.review) sysctl := input.review.object.spec.securityContext.sysctls[_].name not allowed_sysctl(sysctl) msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls]) @@ -97,6 +103,13 @@ spec: endswith(allowed, "*") startswith(sysctl, trim_suffix(allowed, "*")) } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } ``` diff --git a/website/docs/validation/fsgroup.md b/website/docs/validation/fsgroup.md index 9e99d2362..cc96a5599 100644 --- a/website/docs/validation/fsgroup.md +++ b/website/docs/validation/fsgroup.md 
@@ -16,7 +16,7 @@ metadata: name: k8spspfsgroup annotations: metadata.gatekeeper.sh/title: "FS Group" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy. For more information, see @@ -59,7 +59,12 @@ spec: rego: | package k8spspfsgroup + import data.lib.exclude_update.is_update + violation[{"msg": msg, "details": {}}] { + # spec.securityContext.fsGroup field is immutable. + not is_update(input.review) + spec := input.review.object.spec not input_fsGroup_allowed(spec) msg := sprintf("The provided pod spec fsGroup is not allowed, pod: %v. Allowed fsGroup: %v", [input.review.object.metadata.name, input.parameters]) @@ -103,6 +108,13 @@ spec: has_field(object, field) = true { object[field] } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } ``` diff --git a/website/docs/validation/host-filesystem.md b/website/docs/validation/host-filesystem.md index f1f407799..e709f76e8 100644 --- a/website/docs/validation/host-filesystem.md +++ b/website/docs/validation/host-filesystem.md @@ -16,7 +16,7 @@ metadata: name: k8spsphostfilesystem annotations: metadata.gatekeeper.sh/title: "Host Filesystem" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, @@ -54,7 +54,12 @@ spec: rego: | package k8spsphostfilesystem + import data.lib.exclude_update.is_update + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update(input.review) + volume := input_hostpath_volumes[_] allowedPaths := get_allowed_paths(input) input_hostpath_violation(allowedPaths, volume) 
@@ -146,6 +151,13 @@ spec: input_containers[c] { c := input.review.object.spec.ephemeralContainers[_] } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } ``` diff --git a/website/docs/validation/host-namespaces.md b/website/docs/validation/host-namespaces.md index 869b8a37c..26c35ce8c 100644 --- a/website/docs/validation/host-namespaces.md +++ b/website/docs/validation/host-namespaces.md @@ -16,7 +16,7 @@ metadata: name: k8spsphostnamespace annotations: metadata.gatekeeper.sh/title: "Host Namespace" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. @@ -41,7 +41,12 @@ spec: rego: | package k8spsphostnamespace + import data.lib.exclude_update.is_update + violation[{"msg": msg, "details": {}}] { + # spec.hostPID and spec.hostIPC fields are immutable. + not is_update(input.review) + input_share_hostnamespace(input.review.object) msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name]) } @@ -52,6 +57,13 @@ spec: input_share_hostnamespace(o) { o.spec.hostIPC } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } ``` diff --git a/website/docs/validation/host-network-ports.md b/website/docs/validation/host-network-ports.md index 96827b4fa..1debe644c 100644 --- a/website/docs/validation/host-network-ports.md +++ b/website/docs/validation/host-network-ports.md @@ -16,7 +16,7 @@ metadata: name: k8spsphostnetworkingports annotations: metadata.gatekeeper.sh/title: "Host Networking Ports" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the `hostNetwork` and 
@@ -61,9 +61,13 @@ spec: rego: | package k8spsphostnetworkingports + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.hostNetwork field is immutable. + not is_update(input.review) + input_share_hostnetwork(input.review.object) msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters]) } @@ -98,6 +102,12 @@ spec: not is_exempt(c) } libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } - | package lib.exempt_container diff --git a/website/docs/validation/privileged-containers.md b/website/docs/validation/privileged-containers.md index b4c1f5532..fe56c7d8b 100644 --- a/website/docs/validation/privileged-containers.md +++ b/website/docs/validation/privileged-containers.md @@ -16,7 +16,7 @@ metadata: name: k8spspprivilegedcontainer annotations: metadata.gatekeeper.sh/title: "Privileged Container" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more @@ -51,9 +51,13 @@ spec: rego: | package k8spspprivileged + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.privileged field is immutable. + not is_update(input.review) + c := input_containers[_] not is_exempt(c) c.securityContext.privileged @@ -72,6 +76,12 @@ spec: c := input.review.object.spec.ephemeralContainers[_] } libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } - | package lib.exempt_container diff --git a/website/docs/validation/proc-mount.md b/website/docs/validation/proc-mount.md index ae322778e..2fd4cf590 100644 --- a/website/docs/validation/proc-mount.md 
+++ b/website/docs/validation/proc-mount.md @@ -16,7 +16,7 @@ metadata: name: k8spspprocmount annotations: metadata.gatekeeper.sh/title: "Proc Mount" - metadata.gatekeeper.sh/version: 1.0.1 + metadata.gatekeeper.sh/version: 1.0.2 description: >- Controls the allowed `procMount` types for the container. Corresponds to the `allowedProcMountTypes` field in a PodSecurityPolicy. For more @@ -62,9 +62,13 @@ spec: rego: | package k8spspprocmount + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.securityContext.procMount field is immutable. + not is_update(input.review) + c := input_containers[_] not is_exempt(c) allowedProcMount := get_allowed_proc_mount(input) @@ -118,6 +122,12 @@ spec: lower(str) == "unmasked" } libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } - | package lib.exempt_container diff --git a/website/docs/validation/read-only-root-filesystem.md b/website/docs/validation/read-only-root-filesystem.md index d2f0a3e26..f87b6d817 100644 --- a/website/docs/validation/read-only-root-filesystem.md +++ b/website/docs/validation/read-only-root-filesystem.md @@ -16,7 +16,7 @@ metadata: name: k8spspreadonlyrootfilesystem annotations: metadata.gatekeeper.sh/title: "Read Only Root Filesystem" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Requires the use of a read-only root file system by pod containers. Corresponds to the `readOnlyRootFilesystem` field in a @@ -52,9 +52,13 @@ spec: rego: | package k8spspreadonlyrootfilesystem + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.readOnlyRootFilesystem field is immutable. + not is_update(input.review) + c := input_containers[_] not is_exempt(c) input_read_only_root_fs(c) 
@@ -83,6 +87,12 @@ spec: object[field] } libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } - | package lib.exempt_container diff --git a/website/docs/validation/requiredprobes.md b/website/docs/validation/requiredprobes.md index fd0e743c5..d9c6ea4cc 100644 --- a/website/docs/validation/requiredprobes.md +++ b/website/docs/validation/requiredprobes.md @@ -16,7 +16,7 @@ metadata: name: k8srequiredprobes annotations: metadata.gatekeeper.sh/title: "Required Probes" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: Requires Pods to have readiness and/or liveness probes. spec: crd: @@ -42,11 +42,16 @@ spec: rego: | package k8srequiredprobes + import data.lib.exclude_update.is_update + probe_type_set = probe_types { probe_types := {type | type := input.parameters.probeTypes[_]} } violation[{"msg": msg}] { + # Probe fields are immutable. + not is_update(input.review) + container := input.review.object.spec.containers[_] probe := input.parameters.probes[_] probe_is_missing(container, probe) @@ -70,6 +75,13 @@ spec: get_violation_message(container, review, probe) = msg { msg := sprintf("Container <%v> in your <%v> <%v> has no <%v>", [container.name, review.kind.kind, review.object.metadata.name, probe]) } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } ``` diff --git a/website/docs/validation/selinux.md b/website/docs/validation/selinux.md index 3366abc23..3c33766b5 100644 --- a/website/docs/validation/selinux.md +++ b/website/docs/validation/selinux.md @@ -16,7 +16,7 @@ metadata: name: k8spspselinuxv2 annotations: metadata.gatekeeper.sh/title: "SELinux V2" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. 
@@ -71,16 +71,23 @@ spec: rego: | package k8spspselinux + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt # Disallow top level custom SELinux options violation[{"msg": msg, "details": {}}] { + # spec.securityContext.seLinuxOptions field is immutable. + not is_update(input.review) + has_field(input.review.object.spec.securityContext, "seLinuxOptions") not input_seLinuxOptions_allowed(input.review.object.spec.securityContext.seLinuxOptions) msg := sprintf("SELinux options is not allowed, pod: %v. Allowed options: %v", [input.review.object.metadata.name, input.parameters.allowedSELinuxOptions]) } # Disallow container level custom SELinux options violation[{"msg": msg, "details": {}}] { + # spec.containers.securityContext.seLinuxOptions field is immutable. + not is_update(input.review) + c := input_security_context[_] not is_exempt(c) has_field(c.securityContext, "seLinuxOptions") @@ -121,6 +128,12 @@ spec: object[field] } libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } - | package lib.exempt_container diff --git a/website/docs/validation/users.md b/website/docs/validation/users.md index 9fe178fc3..0b1ddfb77 100644 --- a/website/docs/validation/users.md +++ b/website/docs/validation/users.md @@ -16,7 +16,7 @@ metadata: name: k8spspallowedusers annotations: metadata.gatekeeper.sh/title: "Allowed Users" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the user and group IDs of the container and some volumes. Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and 
@@ -147,9 +147,13 @@ spec: rego: | package k8spspallowedusers + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg}] { + # runAsUser, runAsGroup, supplementalGroups, fsGroup fields are immutable. + not is_update(input.review) + fields := ["runAsUser", "runAsGroup", "supplementalGroups", "fsGroup"] field := fields[_] container := input_containers[_] @@ -272,6 +276,12 @@ spec: c := input.review.object.spec.ephemeralContainers[_] } libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } - | package lib.exempt_container diff --git a/website/docs/validation/verifydeprecatedapi.md b/website/docs/validation/verifydeprecatedapi.md index 1ba8a9508..d0f231146 100644 --- a/website/docs/validation/verifydeprecatedapi.md +++ b/website/docs/validation/verifydeprecatedapi.md @@ -238,9 +238,9 @@ spec: kinds: ["IngressClass"] - apiGroups: ["rbac.authorization.k8s.io"] kinds: ["ClusterRole", "ClusterRoleBinding", "Role", "RoleBinding"] - - apiGroups: ["scheduling.k8s.io/v1beta1"] + - apiGroups: ["scheduling.k8s.io"] kinds: ["PriorityClass"] - - apiGroups: ["storage.k8s.io/v1beta1"] + - apiGroups: ["storage.k8s.io"] kinds: ["CSIDriver", "CSINode", "StorageClass", "VolumeAttachment"] parameters: kvs: @@ -382,8 +382,10 @@ spec: kinds: ["HorizontalPodAutoscaler"] - apiGroups: ["policy"] kinds: ["PodDisruptionBudget", "PodSecurityPolicy"] + - apiGroups: ["node.k8s.io"] + kinds: ["RuntimeClass"] parameters: - kvs: + kvs: - deprecatedAPI: "batch/v1beta1" kinds: ["CronJob"] targetAPI: "batch/v1" diff --git a/website/docs/validation/volumes.md b/website/docs/validation/volumes.md index 11c6307d3..f2b8042bd 100644 --- a/website/docs/validation/volumes.md +++ b/website/docs/validation/volumes.md 
@@ -16,7 +16,7 @@ metadata: name: k8spspvolumetypes annotations: metadata.gatekeeper.sh/title: "Volume Types" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Restricts mountable volume types to those specified by the user. Corresponds to the `volumes` field in a PodSecurityPolicy. For more @@ -47,7 +47,12 @@ spec: rego: | package k8spspvolumetypes + import data.lib.exclude_update.is_update + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update(input.review) + volume_fields := {x | input.review.object.spec.volumes[_][x]; x != "name"} field := volume_fields[_] not input_volume_type_allowed(field) @@ -62,6 +67,13 @@ spec: input_volume_type_allowed(field) { field == input.parameters.volumes[_] } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } ```