Skip to content

Commit

Permalink
fix(k8spspprivilegedcontainer): exemptImages CEL bug (#591)
Browse files Browse the repository at this point in the history
I recently found (#584) that some K8sNativeValidation implementations of
certain templates that iterate over and exempt containers by image had a
bug preventing the exemption logic from working.

I've fixed that bug here by mapping from container struct to
container.image string. I've also added a suite test to verify this.
That case fails without the change to the CEL logic.

Signed-off-by: juliankatz <[email protected]>
Co-authored-by: Sertaç Özercan <[email protected]>
  • Loading branch information
julianKatz and sozercan authored Sep 4, 2024
1 parent 8b37aee commit cd8f2ec
Show file tree
Hide file tree
Showing 17 changed files with 327 additions and 10 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
version: 1.1.1
name: k8spspprivilegedcontainer
displayName: Privileged Container
createdAt: "2024-08-30T22:14:08Z"
description: Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
digest: 5d9b2b840bb1f530d3e66cb44d4ab170e7d4b7895d722a51999134a032b61c6f
license: Apache-2.0
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/privileged-containers
keywords:
- gatekeeper
- open-policy-agent
- policies
readme: |-
# Privileged Container
Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
install: |-
### Usage
```shell
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/template.yaml
```
provider:
name: Gatekeeper Library
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
resources:
- template.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
name: psp-privileged-container
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
excludedNamespaces: ["kube-system"]
parameters:
exemptImages:
- "safeimages.com/*"
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-privileged-disallowed
labels:
app: nginx-privileged
spec:
ephemeralContainers:
- name: nginx
image: nginx
securityContext:
privileged: true
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-privileged-allowed
labels:
app: nginx-privileged
spec:
containers:
- name: nginx
image: nginx
securityContext:
privileged: false
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-privileged-allowed-exempt
labels:
app: nginx-privileged
spec:
containers:
- name: nginx
image: safeimages.com/nginx
securityContext:
privileged: true
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-privileged-disallowed
labels:
app: nginx-privileged
spec:
containers:
- name: nginx
image: nginx
securityContext:
privileged: true
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
kind: AdmissionReview
apiVersion: admission.k8s.io/v1beta1
request:
operation: "UPDATE"
object:
apiVersion: v1
kind: Pod
metadata:
name: nginx-privileged-disallowed
labels:
app: nginx-privileged
spec:
containers:
- name: nginx
image: nginx
securityContext:
privileged: true
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
kind: Suite
apiVersion: test.gatekeeper.sh/v1alpha1
metadata:
name: privileged-containers
tests:
- name: privileged-containers-disallowed
template: template.yaml
constraint: samples/psp-privileged-container/constraint.yaml
cases:
- name: example-disallowed
object: samples/psp-privileged-container/example_disallowed.yaml
assertions:
- violations: yes
- name: example-allowed
object: samples/psp-privileged-container/example_allowed.yaml
assertions:
- violations: no
- name: disallowed-ephemeral
object: samples/psp-privileged-container/disallowed_ephemeral.yaml
assertions:
- violations: yes
- name: update
object: samples/psp-privileged-container/update.yaml
assertions:
- violations: no
- name: exempted-image
object: samples/psp-privileged-container/example_allowed_exempt.yaml
assertions:
- violations: no
Original file line number Diff line number Diff line change
@@ -0,0 +1,129 @@
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8spspprivilegedcontainer
annotations:
metadata.gatekeeper.sh/title: "Privileged Container"
metadata.gatekeeper.sh/version: 1.1.1
description: >-
Controls the ability of any container to enable privileged mode.
Corresponds to the `privileged` field in a PodSecurityPolicy. For more
information, see
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
spec:
crd:
spec:
names:
kind: K8sPSPPrivilegedContainer
validation:
openAPIV3Schema:
type: object
description: >-
Controls the ability of any container to enable privileged mode.
Corresponds to the `privileged` field in a PodSecurityPolicy. For more
information, see
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
properties:
exemptImages:
description: >-
Any container that uses an image that matches an entry in this list will be excluded
from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
in order to avoid unexpectedly exempting images from an untrusted repository.
type: array
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
code:
- engine: K8sNativeValidation
source:
variables:
- name: containers
expression: 'has(variables.anyObject.spec.containers) ? variables.anyObject.spec.containers : []'
- name: initContainers
expression: 'has(variables.anyObject.spec.initContainers) ? variables.anyObject.spec.initContainers : []'
- name: ephemeralContainers
expression: 'has(variables.anyObject.spec.ephemeralContainers) ? variables.anyObject.spec.ephemeralContainers : []'
- name: exemptImagePrefixes
expression: |
!has(variables.params.exemptImages) ? [] :
variables.params.exemptImages.filter(image, image.endsWith("*")).map(image, string(image).replace("*", ""))
- name: exemptImageExplicit
expression: |
!has(variables.params.exemptImages) ? [] :
variables.params.exemptImages.filter(image, !image.endsWith("*"))
- name: exemptImages
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
container.image in variables.exemptImageExplicit ||
variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))
).map(container, container.image)
- name: badContainers
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
!(container.image in variables.exemptImages) &&
(has(container.securityContext) && has(container.securityContext.privileged) && container.securityContext.privileged == true)
).map(container, "Privileged container is not allowed: " + container.name +", securityContext: " + container.securityContext)
- name: isUpdate
expression: has(request.operation) && request.operation == "UPDATE"
validations:
- expression: variables.isUpdate || size(variables.badContainers) == 0
messageExpression: 'variables.badContainers.join("\n")'
- engine: Rego
source:
rego: |
package k8spspprivileged
import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg, "details": {}}] {
# spec.containers.privileged field is immutable.
not is_update(input.review)
c := input_containers[_]
not is_exempt(c)
c.securityContext.privileged
msg := sprintf("Privileged container is not allowed: %v, securityContext: %v", [c.name, c.securityContext])
}
input_containers[c] {
c := input.review.object.spec.containers[_]
}
input_containers[c] {
c := input.review.object.spec.initContainers[_]
}
input_containers[c] {
c := input.review.object.spec.ephemeralContainers[_]
}
libs:
- |
package lib.exclude_update
is_update(review) {
review.operation == "UPDATE"
}
- |
package lib.exempt_container
is_exempt(container) {
exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
img := container.image
exemption := exempt_images[_]
_matches_exemption(img, exemption)
}
_matches_exemption(img, exemption) {
not endswith(exemption, "*")
exemption == img
}
_matches_exemption(img, exemption) {
endswith(exemption, "*")
prefix := trim_suffix(exemption, "*")
startswith(img, prefix)
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,3 +8,6 @@ spec:
- apiGroups: [""]
kinds: ["Pod"]
excludedNamespaces: ["kube-system"]
parameters:
exemptImages:
- "safeimages.com/*"
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-privileged-allowed-exempt
labels:
app: nginx-privileged
spec:
containers:
- name: nginx
image: safeimages.com/nginx
securityContext:
privileged: true
4 changes: 4 additions & 0 deletions library/pod-security-policy/privileged-containers/suite.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,3 +23,7 @@ tests:
object: samples/psp-privileged-container/update.yaml
assertions:
- violations: no
- name: exempted-image
object: samples/psp-privileged-container/example_allowed_exempt.yaml
assertions:
- violations: no
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ metadata:
name: k8spspprivilegedcontainer
annotations:
metadata.gatekeeper.sh/title: "Privileged Container"
metadata.gatekeeper.sh/version: 1.1.0
metadata.gatekeeper.sh/version: 1.1.1
description: >-
Controls the ability of any container to enable privileged mode.
Corresponds to the `privileged` field in a PodSecurityPolicy. For more
Expand Down Expand Up @@ -58,15 +58,18 @@ spec:
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
container.image in variables.exemptImageExplicit ||
variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption)))
variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))
).map(container, container.image)
- name: badContainers
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
!(container.image in variables.exemptImages) &&
(has(container.securityContext) && has(container.securityContext.privileged) && container.securityContext.privileged == true)
).map(container, "Privileged container is not allowed: " + container.name +", securityContext: " + container.securityContext)
- name: isUpdate
expression: has(request.operation) && request.operation == "UPDATE"
validations:
- expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badContainers) == 0'
- expression: variables.isUpdate || size(variables.badContainers) == 0
messageExpression: 'variables.badContainers.join("\n")'
- engine: Rego
source:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ metadata:
name: k8spspprivilegedcontainer
annotations:
metadata.gatekeeper.sh/title: "Privileged Container"
metadata.gatekeeper.sh/version: 1.1.0
metadata.gatekeeper.sh/version: 1.1.1
description: >-
Controls the ability of any container to enable privileged mode.
Corresponds to the `privileged` field in a PodSecurityPolicy. For more
Expand Down
9 changes: 6 additions & 3 deletions src/pod-security-policy/privileged-containers/src.cel
Original file line number Diff line number Diff line change
Expand Up @@ -17,13 +17,16 @@ variables:
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
container.image in variables.exemptImageExplicit ||
variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption)))
variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))
).map(container, container.image)
- name: badContainers
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
!(container.image in variables.exemptImages) &&
(has(container.securityContext) && has(container.securityContext.privileged) && container.securityContext.privileged == true)
).map(container, "Privileged container is not allowed: " + container.name +", securityContext: " + container.securityContext)
- name: isUpdate
expression: has(request.operation) && request.operation == "UPDATE"
validations:
- expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badContainers) == 0'
messageExpression: 'variables.badContainers.join("\n")'
- expression: variables.isUpdate || size(variables.badContainers) == 0
messageExpression: 'variables.badContainers.join("\n")'
Loading

0 comments on commit cd8f2ec

Please sign in to comment.