Add cel for fsgroup

Signed-off-by: Rita Zhang <[email protected]>

artifacthub/library/pod-security-policy/fsgroup/1.0.2/samples/psp-fsgroup/constraint2.yaml

@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPFSGroup
+metadata:
+  name: psp-fsgroup
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    ranges:
+    - min: 1
+      max: 1000

artifacthub/library/pod-security-policy/fsgroup/1.1.0/README.md

@@ -0,0 +1,7 @@
+# Deprecated
+
+**This Policy is deprecated**
+
+Please use the FSGroup settings on the users policy to enforce FSGroup Settings.
+
+[Users Policy](../users)

artifacthub/library/pod-security-policy/fsgroup/1.1.0/artifacthub-pkg.yml

@@ -0,0 +1,22 @@
+version: 1.1.0
+name: k8spspfsgroup
+displayName: FS Group
+createdAt: "2024-07-08T22:14:40Z"
+description: Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+digest: a9a225993a5a5cb56c9fc4ee947b7756fde6025498a7e9dd66fb67718b59d24a
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/fsgroup
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # FS Group
+    Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/fsgroup/1.1.0/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library

artifacthub/library/pod-security-policy/fsgroup/1.1.0/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - template.yaml

artifacthub/library/pod-security-policy/fsgroup/1.1.0/samples/psp-fsgroup/constraint.yaml

@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPFSGroup
+metadata:
+  name: psp-fsgroup
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny"
+    ranges:
+    - min: 1
+      max: 1000

artifacthub/library/pod-security-policy/fsgroup/1.1.0/samples/psp-fsgroup/constraint2.yaml

@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPFSGroup
+metadata:
+  name: psp-fsgroup
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    ranges:
+    - min: 1
+      max: 1000

artifacthub/library/pod-security-policy/fsgroup/1.1.0/samples/psp-fsgroup/example_allowed.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: fsgroup-disallowed
+spec:
+  securityContext:
+    fsGroup: 500 # directory will have group ID 500
+  volumes:
+    - name: fsgroup-demo-vol
+      emptyDir: {}
+  containers:
+    - name: fsgroup-demo
+      image: busybox
+      command: ["sh", "-c", "sleep 1h"]
+      volumeMounts:
+        - name: fsgroup-demo-vol
+          mountPath: /data/demo

artifacthub/library/pod-security-policy/fsgroup/1.1.0/samples/psp-fsgroup/example_disallowed.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: fsgroup-disallowed
+spec:
+  securityContext:
+    fsGroup: 2000                           # directory will have group ID 2000
+  volumes:
+  - name: fsgroup-demo-vol
+    emptyDir: {}
+  containers:
+  - name: fsgroup-demo
+    image: busybox
+    command: [ "sh", "-c", "sleep 1h" ]
+    volumeMounts:
+    - name: fsgroup-demo-vol
+      mountPath: /data/demo

artifacthub/library/pod-security-policy/fsgroup/1.1.0/samples/psp-fsgroup/update.yaml

@@ -0,0 +1,22 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+  operation: "UPDATE"
+  object:
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: fsgroup-disallowed
+    spec:
+      securityContext:
+        fsGroup: 2000 # directory will have group ID 2000
+      volumes:
+      - name: fsgroup-demo-vol
+        emptyDir: {}
+      containers:
+      - name: fsgroup-demo
+        image: busybox
+        command: [ "sh", "-c", "sleep 1h" ]
+        volumeMounts:
+        - name: fsgroup-demo-vol
+          mountPath: /data/demo

artifacthub/library/pod-security-policy/fsgroup/1.1.0/suite.yaml

@@ -0,0 +1,37 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: fsgroup
+tests:
+  - name: fsgroup
+    template: template.yaml
+    constraint: samples/psp-fsgroup/constraint.yaml
+    cases:
+      - name: example-disallowed
+        object: samples/psp-fsgroup/example_disallowed.yaml
+        assertions:
+          - violations: yes
+      - name: example-allowed
+        object: samples/psp-fsgroup/example_allowed.yaml
+        assertions:
+          - violations: no
+      - name: update
+        object: samples/psp-fsgroup/update.yaml
+        assertions:
+          - violations: no
+  - name: fsgroup2
+    template: template.yaml
+    constraint: samples/psp-fsgroup/constraint2.yaml
+    cases:
+      - name: example-disallowed
+        object: samples/psp-fsgroup/example_disallowed.yaml
+        assertions:
+          - violations: no
+      - name: example-allowed
+        object: samples/psp-fsgroup/example_allowed.yaml
+        assertions:
+          - violations: no
+      - name: update
+        object: samples/psp-fsgroup/update.yaml
+        assertions:
+          - violations: no

artifacthub/library/pod-security-policy/fsgroup/1.1.0/template.yaml

@@ -0,0 +1,119 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8spspfsgroup
+  annotations:
+    metadata.gatekeeper.sh/title: "FS Group"
+    metadata.gatekeeper.sh/version: 1.1.0
+    description: >-
+      Controls allocating an FSGroup that owns the Pod's volumes. Corresponds
+      to the `fsGroup` field in a PodSecurityPolicy. For more information, see
+      https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sPSPFSGroup
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          type: object
+          description: >-
+            Controls allocating an FSGroup that owns the Pod's volumes. Corresponds
+            to the `fsGroup` field in a PodSecurityPolicy. For more information, see
+            https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+          properties:
+            rule:
+              description: "An FSGroup rule name."
+              enum:
+                - MayRunAs
+                - MustRunAs
+                - RunAsAny
+              type: string
+            ranges:
+              type: array
+              description: "GID ranges affected by the rule."
+              items:
+                type: object
+                properties:
+                  min:
+                    description: "The minimum GID in the range, inclusive."
+                    type: integer
+                  max:
+                    description: "The maximum GID in the range, inclusive."
+                    type: integer
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      code:
+      - engine: K8sNativeValidation
+        source:
+          variables:
+          - name: fsGroup
+            expression: '!has(variables.anyObject.spec.securityContext) ? "" : !has(variables.anyObject.spec.securityContext.fsGroup) ? "" : variables.anyObject.spec.securityContext.fsGroup'
+          - name: input_fsGroup_allowed
+            expression: |
+              !has(variables.params.rule) ? true : variables.params.rule == "RunAsAny" ? true : variables.params.rule == "MayRunAs" && variables.fsGroup == "" ? true : (variables.params.rule == "MayRunAs" || variables.params.rule == "MustRunAs") && has(variables.params.ranges) && size(variables.params.ranges) > 0 ? variables.params.ranges.all(range, range.min <= variables.fsGroup && range.max >= variables.fsGroup) : false
+          validations:
+          - expression: '(has(request.operation) && request.operation == "UPDATE") || variables.input_fsGroup_allowed'
+            messageExpression: '"The provided pod spec fsGroup is not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed fsGroup: " + variables.params.rule'
+      - engine: Rego
+        source:
+          rego: |
+            package k8spspfsgroup
+
+            import data.lib.exclude_update.is_update
+
+            violation[{"msg": msg, "details": {}}] {
+                # spec.securityContext.fsGroup field is immutable.
+                not is_update(input.review)
+                has_field(input.parameters, "rule")
+                spec := input.review.object.spec
+                not input_fsGroup_allowed(spec)
+                msg := sprintf("The provided pod spec fsGroup is not allowed, pod: %v. Allowed fsGroup: %v", [input.review.object.metadata.name, input.parameters])
+            }
+
+            input_fsGroup_allowed(_) {
+                # RunAsAny - No range is required. Allows any fsGroup ID to be specified.
+                input.parameters.rule == "RunAsAny"
+            }
+            input_fsGroup_allowed(spec) {
+                # MustRunAs - Validates pod spec fsgroup against all ranges
+                input.parameters.rule == "MustRunAs"
+                fg := spec.securityContext.fsGroup
+                count(input.parameters.ranges) > 0
+                range := input.parameters.ranges[_]
+                value_within_range(range, fg)
+            }
+            input_fsGroup_allowed(spec) {
+                # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset
+                input.parameters.rule == "MayRunAs"
+                not has_field(spec, "securityContext")
+            }
+            input_fsGroup_allowed(spec) {
+                # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset
+                input.parameters.rule == "MayRunAs"
+                not spec.securityContext.fsGroup
+            }
+            input_fsGroup_allowed(spec) {
+                # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset
+                input.parameters.rule == "MayRunAs"
+                fg := spec.securityContext.fsGroup
+                count(input.parameters.ranges) > 0
+                range := input.parameters.ranges[_]
+                value_within_range(range, fg)
+            }
+            value_within_range(range, value) {
+                range.min <= value
+                range.max >= value
+            }
+            # has_field returns whether an object has a field
+            has_field(object, field) = true {
+                object[field]
+            }
+          libs:
+            - |
+              package lib.exclude_update
+
+              is_update(review) {
+                  review.operation == "UPDATE"
+              }

library/pod-security-policy/fsgroup/samples/psp-fsgroup/constraint2.yaml

@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPFSGroup
+metadata:
+  name: psp-fsgroup
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    ranges:
+    - min: 1
+      max: 1000

library/pod-security-policy/fsgroup/suite.yaml

@@ -19,3 +19,19 @@ tests:
         object: samples/psp-fsgroup/update.yaml
         assertions:
           - violations: no
+  - name: fsgroup2
+    template: template.yaml
+    constraint: samples/psp-fsgroup/constraint2.yaml
+    cases:
+      - name: example-disallowed
+        object: samples/psp-fsgroup/example_disallowed.yaml
+        assertions:
+          - violations: no
+      - name: example-allowed
+        object: samples/psp-fsgroup/example_allowed.yaml
+        assertions:
+          - violations: no
+      - name: update
+        object: samples/psp-fsgroup/update.yaml
+        assertions:
+          - violations: no