-
Notifications
You must be signed in to change notification settings - Fork 327
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(k8spspprivilegedcontainer): exemptImages CEL bug (#591)
I recently found (#584) that some K8sNativeValidation implementations of certain templates that iterate over and exempt containers by image had a bug preventing the exemption logic from working. I've fixed that bug here by mapping from container struct to container.image string. I've also added a suite test to verify this. That case fails without the change to the CEL logic. Signed-off-by: juliankatz <[email protected]> Co-authored-by: Sertaç Özercan <[email protected]>
- Loading branch information
1 parent
8b37aee
commit cd8f2ec
Showing
17 changed files
with
327 additions
and
10 deletions.
There are no files selected for viewing
22 changes: 22 additions & 0 deletions
22
artifacthub/library/pod-security-policy/privileged-containers/1.1.1/artifacthub-pkg.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
version: 1.1.1 | ||
name: k8spspprivilegedcontainer | ||
displayName: Privileged Container | ||
createdAt: "2024-08-30T22:14:08Z" | ||
description: Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged | ||
digest: 5d9b2b840bb1f530d3e66cb44d4ab170e7d4b7895d722a51999134a032b61c6f | ||
license: Apache-2.0 | ||
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/privileged-containers | ||
keywords: | ||
- gatekeeper | ||
- open-policy-agent | ||
- policies | ||
readme: |- | ||
# Privileged Container | ||
Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged | ||
install: |- | ||
### Usage | ||
```shell | ||
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/privileged-containers/1.1.1/template.yaml | ||
``` | ||
provider: | ||
name: Gatekeeper Library |
2 changes: 2 additions & 0 deletions
2
artifacthub/library/pod-security-policy/privileged-containers/1.1.1/kustomization.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
resources: | ||
- template.yaml |
13 changes: 13 additions & 0 deletions
13
...urity-policy/privileged-containers/1.1.1/samples/psp-privileged-container/constraint.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
kind: K8sPSPPrivilegedContainer | ||
metadata: | ||
name: psp-privileged-container | ||
spec: | ||
match: | ||
kinds: | ||
- apiGroups: [""] | ||
kinds: ["Pod"] | ||
excludedNamespaces: ["kube-system"] | ||
parameters: | ||
exemptImages: | ||
- "safeimages.com/*" |
12 changes: 12 additions & 0 deletions
12
...cy/privileged-containers/1.1.1/samples/psp-privileged-container/disallowed_ephemeral.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-privileged-disallowed | ||
labels: | ||
app: nginx-privileged | ||
spec: | ||
ephemeralContainers: | ||
- name: nginx | ||
image: nginx | ||
securityContext: | ||
privileged: true |
12 changes: 12 additions & 0 deletions
12
...-policy/privileged-containers/1.1.1/samples/psp-privileged-container/example_allowed.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-privileged-allowed | ||
labels: | ||
app: nginx-privileged | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
securityContext: | ||
privileged: false |
12 changes: 12 additions & 0 deletions
12
.../privileged-containers/1.1.1/samples/psp-privileged-container/example_allowed_exempt.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-privileged-allowed-exempt | ||
labels: | ||
app: nginx-privileged | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: safeimages.com/nginx | ||
securityContext: | ||
privileged: true |
12 changes: 12 additions & 0 deletions
12
...licy/privileged-containers/1.1.1/samples/psp-privileged-container/example_disallowed.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-privileged-disallowed | ||
labels: | ||
app: nginx-privileged | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
securityContext: | ||
privileged: true |
17 changes: 17 additions & 0 deletions
17
...-security-policy/privileged-containers/1.1.1/samples/psp-privileged-container/update.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
kind: AdmissionReview | ||
apiVersion: admission.k8s.io/v1beta1 | ||
request: | ||
operation: "UPDATE" | ||
object: | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-privileged-disallowed | ||
labels: | ||
app: nginx-privileged | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
securityContext: | ||
privileged: true |
29 changes: 29 additions & 0 deletions
29
artifacthub/library/pod-security-policy/privileged-containers/1.1.1/suite.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
kind: Suite | ||
apiVersion: test.gatekeeper.sh/v1alpha1 | ||
metadata: | ||
name: privileged-containers | ||
tests: | ||
- name: privileged-containers-disallowed | ||
template: template.yaml | ||
constraint: samples/psp-privileged-container/constraint.yaml | ||
cases: | ||
- name: example-disallowed | ||
object: samples/psp-privileged-container/example_disallowed.yaml | ||
assertions: | ||
- violations: yes | ||
- name: example-allowed | ||
object: samples/psp-privileged-container/example_allowed.yaml | ||
assertions: | ||
- violations: no | ||
- name: disallowed-ephemeral | ||
object: samples/psp-privileged-container/disallowed_ephemeral.yaml | ||
assertions: | ||
- violations: yes | ||
- name: update | ||
object: samples/psp-privileged-container/update.yaml | ||
assertions: | ||
- violations: no | ||
- name: exempted-image | ||
object: samples/psp-privileged-container/example_allowed_exempt.yaml | ||
assertions: | ||
- violations: no |
129 changes: 129 additions & 0 deletions
129
artifacthub/library/pod-security-policy/privileged-containers/1.1.1/template.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,129 @@ | ||
apiVersion: templates.gatekeeper.sh/v1 | ||
kind: ConstraintTemplate | ||
metadata: | ||
name: k8spspprivilegedcontainer | ||
annotations: | ||
metadata.gatekeeper.sh/title: "Privileged Container" | ||
metadata.gatekeeper.sh/version: 1.1.1 | ||
description: >- | ||
Controls the ability of any container to enable privileged mode. | ||
Corresponds to the `privileged` field in a PodSecurityPolicy. For more | ||
information, see | ||
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged | ||
spec: | ||
crd: | ||
spec: | ||
names: | ||
kind: K8sPSPPrivilegedContainer | ||
validation: | ||
openAPIV3Schema: | ||
type: object | ||
description: >- | ||
Controls the ability of any container to enable privileged mode. | ||
Corresponds to the `privileged` field in a PodSecurityPolicy. For more | ||
information, see | ||
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged | ||
properties: | ||
exemptImages: | ||
description: >- | ||
Any container that uses an image that matches an entry in this list will be excluded | ||
from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`. | ||
It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) | ||
in order to avoid unexpectedly exempting images from an untrusted repository. | ||
type: array | ||
items: | ||
type: string | ||
targets: | ||
- target: admission.k8s.gatekeeper.sh | ||
code: | ||
- engine: K8sNativeValidation | ||
source: | ||
variables: | ||
- name: containers | ||
expression: 'has(variables.anyObject.spec.containers) ? variables.anyObject.spec.containers : []' | ||
- name: initContainers | ||
expression: 'has(variables.anyObject.spec.initContainers) ? variables.anyObject.spec.initContainers : []' | ||
- name: ephemeralContainers | ||
expression: 'has(variables.anyObject.spec.ephemeralContainers) ? variables.anyObject.spec.ephemeralContainers : []' | ||
- name: exemptImagePrefixes | ||
expression: | | ||
!has(variables.params.exemptImages) ? [] : | ||
variables.params.exemptImages.filter(image, image.endsWith("*")).map(image, string(image).replace("*", "")) | ||
- name: exemptImageExplicit | ||
expression: | | ||
!has(variables.params.exemptImages) ? [] : | ||
variables.params.exemptImages.filter(image, !image.endsWith("*")) | ||
- name: exemptImages | ||
expression: | | ||
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, | ||
container.image in variables.exemptImageExplicit || | ||
variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption)) | ||
).map(container, container.image) | ||
- name: badContainers | ||
expression: | | ||
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, | ||
!(container.image in variables.exemptImages) && | ||
(has(container.securityContext) && has(container.securityContext.privileged) && container.securityContext.privileged == true) | ||
).map(container, "Privileged container is not allowed: " + container.name +", securityContext: " + container.securityContext) | ||
- name: isUpdate | ||
expression: has(request.operation) && request.operation == "UPDATE" | ||
validations: | ||
- expression: variables.isUpdate || size(variables.badContainers) == 0 | ||
messageExpression: 'variables.badContainers.join("\n")' | ||
- engine: Rego | ||
source: | ||
rego: | | ||
package k8spspprivileged | ||
import data.lib.exclude_update.is_update | ||
import data.lib.exempt_container.is_exempt | ||
violation[{"msg": msg, "details": {}}] { | ||
# spec.containers.privileged field is immutable. | ||
not is_update(input.review) | ||
c := input_containers[_] | ||
not is_exempt(c) | ||
c.securityContext.privileged | ||
msg := sprintf("Privileged container is not allowed: %v, securityContext: %v", [c.name, c.securityContext]) | ||
} | ||
input_containers[c] { | ||
c := input.review.object.spec.containers[_] | ||
} | ||
input_containers[c] { | ||
c := input.review.object.spec.initContainers[_] | ||
} | ||
input_containers[c] { | ||
c := input.review.object.spec.ephemeralContainers[_] | ||
} | ||
libs: | ||
- | | ||
package lib.exclude_update | ||
is_update(review) { | ||
review.operation == "UPDATE" | ||
} | ||
- | | ||
package lib.exempt_container | ||
is_exempt(container) { | ||
exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) | ||
img := container.image | ||
exemption := exempt_images[_] | ||
_matches_exemption(img, exemption) | ||
} | ||
_matches_exemption(img, exemption) { | ||
not endswith(exemption, "*") | ||
exemption == img | ||
} | ||
_matches_exemption(img, exemption) { | ||
endswith(exemption, "*") | ||
prefix := trim_suffix(exemption, "*") | ||
startswith(img, prefix) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
12 changes: 12 additions & 0 deletions
12
...policy/privileged-containers/samples/psp-privileged-container/example_allowed_exempt.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-privileged-allowed-exempt | ||
labels: | ||
app: nginx-privileged | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: safeimages.com/nginx | ||
securityContext: | ||
privileged: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.