fix(k8spsphostnetworkingports): null check container.ports (#582)

Previously, the `badContainers` section of the K8sNative validation logic did not verify that the `ports` variable was set on a container spec in a pod. As this template's purpose is to verify that the specified ports fall within a given range, we would expect that _no ports_ is not a violation. Signed-off-by: juliankatz <[email protected]> Co-authored-by: Andrew Peabody <[email protected]>
open-policy-agent · Aug 26, 2024 · d975f10 · d975f10
1 parent caf342f
commit d975f10
Show file tree

Hide file tree

Showing 17 changed files with 379 additions and 7 deletions.
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.2/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.2/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.1.2
+name: k8spsphostnetworkingports
+displayName: Host Networking Ports
+createdAt: "2024-08-26T20:25:17Z"
+description: Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific ports must be specified. Corresponds to the `hostNetwork` and `hostPorts` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+digest: 29aa57aacfb5f7fa92cd7cdc241250ed0ae1619d1706228f03f058e4efe7cabe
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-network-ports
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Host Networking Ports
+    Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific ports must be specified. Corresponds to the `hostNetwork` and `hostPorts` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/host-network-ports/1.1.2/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.2/kustomization.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.2/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+  - template.yaml
diff --git a/...d-security-policy/host-network-ports/1.1.2/samples/psp-host-network-ports/constraint.yaml b/...d-security-policy/host-network-ports/1.1.2/samples/psp-host-network-ports/constraint.yaml
@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPHostNetworkingPorts
+metadata:
+  name: psp-host-network-ports
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    hostNetwork: true
+    min: 80
+    max: 9000
diff --git a/...ost-network-ports/1.1.2/samples/psp-host-network-ports/constraint_block_host_network.yaml b/...ost-network-ports/1.1.2/samples/psp-host-network-ports/constraint_block_host_network.yaml
@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPHostNetworkingPorts
+metadata:
+  name: psp-host-network
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    hostNetwork: false
+    exemptImages:
+    - "nginx"
diff --git a/...-policy/host-network-ports/1.1.2/samples/psp-host-network-ports/disallowed_ephemeral.yaml b/...-policy/host-network-ports/1.1.2/samples/psp-host-network-ports/disallowed_ephemeral.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-host-networking-ports-disallowed
+  labels:
+    app: nginx-host-networking-ports
+spec:
+  hostNetwork: true
+  ephemeralContainers:
+  - name: nginx
+    image: nginx
+    ports:
+    - containerPort: 9001
+      hostPort: 9001
diff --git a/...urity-policy/host-network-ports/1.1.2/samples/psp-host-network-ports/example_allowed.yaml b/...urity-policy/host-network-ports/1.1.2/samples/psp-host-network-ports/example_allowed.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-host-networking-ports-allowed
+  labels:
+    app: nginx-host-networking-ports
+spec:
+  hostNetwork: false
+  containers:
+  - name: nginx
+    image: nginx
+    ports:
+    - containerPort: 9000
+      hostPort: 80
diff --git a/...icy/host-network-ports/1.1.2/samples/psp-host-network-ports/example_allowed_no_ports.yaml b/...icy/host-network-ports/1.1.2/samples/psp-host-network-ports/example_allowed_no_ports.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-host-networking-ports-disallowed
+  labels:
+    app: nginx-host-networking-ports
+spec:
+  hostNetwork: true
+  containers:
+  - name: nginx
+    image: nginx
diff --git a/...ty-policy/host-network-ports/1.1.2/samples/psp-host-network-ports/example_disallowed.yaml b/...ty-policy/host-network-ports/1.1.2/samples/psp-host-network-ports/example_disallowed.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-host-networking-ports-disallowed
+  labels:
+    app: nginx-host-networking-ports
+spec:
+  hostNetwork: true
+  containers:
+  - name: nginx
+    image: nginx
+    ports:
+    - containerPort: 9001
+      hostPort: 9001
diff --git a/...y/pod-security-policy/host-network-ports/1.1.2/samples/psp-host-network-ports/update.yaml b/...y/pod-security-policy/host-network-ports/1.1.2/samples/psp-host-network-ports/update.yaml
@@ -0,0 +1,19 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+  operation: "UPDATE"
+  object:
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: nginx-host-networking-ports-disallowed
+      labels:
+        app: nginx-host-networking-ports
+    spec:
+      hostNetwork: true
+      containers:
+      - name: nginx
+        image: nginx
+        ports:
+        - containerPort: 9001
+          hostPort: 9001
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.2/suite.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.2/suite.yaml
@@ -0,0 +1,50 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: host-network-ports
+tests:
+- name: use-of-host-networking-ports-blocked
+  template: template.yaml
+  constraint: samples/psp-host-network-ports/constraint.yaml
+  cases:
+  - name: example-disallowed
+    object: samples/psp-host-network-ports/example_disallowed.yaml
+    assertions:
+    - violations: yes
+  - name: example-allowed
+    object: samples/psp-host-network-ports/example_allowed.yaml
+    assertions:
+    - violations: no
+  - name: disallowed-ephemeral
+    object: samples/psp-host-network-ports/disallowed_ephemeral.yaml
+    assertions:
+    - violations: yes
+  - name: update
+    object: samples/psp-host-network-ports/update.yaml
+    assertions:
+    - violations: no
+  - name: no-ports-specified
+    object: samples/psp-host-network-ports/example_allowed_no_ports.yaml
+    assertions:
+    - violations: no
+- name: use-of-host-network-blocked
+  template: template.yaml
+  constraint: samples/psp-host-network-ports/constraint_block_host_network.yaml
+  cases:
+  - name: example-disallowed
+    object: samples/psp-host-network-ports/example_disallowed.yaml
+    assertions:
+    - violations: yes
+  - name: example-allowed
+    object: samples/psp-host-network-ports/example_allowed.yaml
+    assertions:
+    - violations: no
+  - name: disallowed-ephemeral
+    object: samples/psp-host-network-ports/disallowed_ephemeral.yaml
+    assertions:
+    - violations: yes
+  - name: update
+    object: samples/psp-host-network-ports/update.yaml
+    assertions:
+    - violations: no
+
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.1.2/template.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.1.2/template.yaml
@@ -0,0 +1,159 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8spsphostnetworkingports
+  annotations:
+    metadata.gatekeeper.sh/title: "Host Networking Ports"
+    metadata.gatekeeper.sh/version: 1.1.2
+    description: >-
+      Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific
+      ports must be specified. Corresponds to the `hostNetwork` and
+      `hostPorts` fields in a PodSecurityPolicy. For more information, see
+      https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sPSPHostNetworkingPorts
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          type: object
+          description: >-
+            Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific
+            ports must be specified. Corresponds to the `hostNetwork` and
+            `hostPorts` fields in a PodSecurityPolicy. For more information, see
+            https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+          properties:
+            exemptImages:
+              description: >-
+                Any container that uses an image that matches an entry in this list will be excluded
+                from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+                It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+                in order to avoid unexpectedly exempting images from an untrusted repository.
+              type: array
+              items:
+                type: string
+            hostNetwork:
+              description: "Determines if the policy allows the use of HostNetwork in the pod spec."
+              type: boolean
+            min:
+              description: "The start of the allowed port range, inclusive."
+              type: integer
+            max:
+              description: "The end of the allowed port range, inclusive."
+              type: integer
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      code:
+      - engine: K8sNativeValidation
+        source:
+          variables:
+          - name: containers
+            expression: 'has(variables.anyObject.spec.containers) ? variables.anyObject.spec.containers : []'
+          - name: initContainers
+            expression: 'has(variables.anyObject.spec.initContainers) ? variables.anyObject.spec.initContainers : []'
+          - name: ephemeralContainers
+            expression: 'has(variables.anyObject.spec.ephemeralContainers) ? variables.anyObject.spec.ephemeralContainers : []'
+          - name: exemptImagePrefixes
+            expression: |
+              !has(variables.params.exemptImages) ? [] :
+                variables.params.exemptImages.filter(image, image.endsWith("*")).map(image, string(image).replace("*", ""))
+          - name: exemptImageExplicit
+            expression: |
+              !has(variables.params.exemptImages) ? [] : 
+                variables.params.exemptImages.filter(image, !image.endsWith("*"))
+          - name: exemptImages
+            expression: |
+              (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
+                container.image in variables.exemptImageExplicit ||
+                variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption)))
+          - name: badContainers
+            expression: |
+              (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
+                !(container.image in variables.exemptImages) && has(container.ports) &&
+                (
+                  (container.ports.all(port, has(port.hostPort) && has(variables.params.min) && port.hostPort < variables.params.min)) ||
+                  (container.ports.all(port, has(port.hostPort) && has(variables.params.max) && port.hostPort > variables.params.max))
+                )
+              )
+          validations:
+          - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badContainers) == 0'
+            messageExpression: '"The specified hostNetwork and hostPort are not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed values: " + variables.params'
+          - expression: |
+              (has(request.operation) && request.operation == "UPDATE") || 
+              (!has(variables.params.hostNetwork) || !variables.params.hostNetwork ? (has(variables.anyObject.spec.hostNetwork) && !variables.anyObject.spec.hostNetwork) : true)
+            messageExpression: '"The specified hostNetwork and hostPort are not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed values: " + variables.params'
+      - engine: Rego
+        source:
+          rego: |
+            package k8spsphostnetworkingports
+
+            import data.lib.exclude_update.is_update
+            import data.lib.exempt_container.is_exempt
+
+            violation[{"msg": msg, "details": {}}] {
+                # spec.hostNetwork field is immutable.
+                not is_update(input.review)
+
+                input_share_hostnetwork(input.review.object)
+                msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters])
+            }
+
+            input_share_hostnetwork(o) {
+                not input.parameters.hostNetwork
+                o.spec.hostNetwork
+            }
+
+            input_share_hostnetwork(_) {
+                hostPort := input_containers[_].ports[_].hostPort
+                hostPort < input.parameters.min
+            }
+
+            input_share_hostnetwork(_) {
+                hostPort := input_containers[_].ports[_].hostPort
+                hostPort > input.parameters.max
+            }
+
+            input_containers[c] {
+                c := input.review.object.spec.containers[_]
+                not is_exempt(c)
+            }
+
+            input_containers[c] {
+                c := input.review.object.spec.initContainers[_]
+                not is_exempt(c)
+            }
+
+            input_containers[c] {
+                c := input.review.object.spec.ephemeralContainers[_]
+                not is_exempt(c)
+            }
+          libs:
+            - |
+              package lib.exclude_update
+
+              is_update(review) {
+                  review.operation == "UPDATE"
+              }
+            - |
+              package lib.exempt_container
+
+              is_exempt(container) {
+                  exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+                  img := container.image
+                  exemption := exempt_images[_]
+                  _matches_exemption(img, exemption)
+              }
+
+              _matches_exemption(img, exemption) {
+                  not endswith(exemption, "*")
+                  exemption == img
+              }
+
+              _matches_exemption(img, exemption) {
+                  endswith(exemption, "*")
+                  prefix := trim_suffix(exemption, "*")
+                  startswith(img, prefix)
+              }
diff --git a/...ty-policy/host-network-ports/samples/psp-host-network-ports/example_allowed_no_ports.yaml b/...ty-policy/host-network-ports/samples/psp-host-network-ports/example_allowed_no_ports.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-host-networking-ports-disallowed
+  labels:
+    app: nginx-host-networking-ports
+spec:
+  hostNetwork: true
+  containers:
+  - name: nginx
+    image: nginx
diff --git a/library/pod-security-policy/host-network-ports/suite.yaml b/library/pod-security-policy/host-network-ports/suite.yaml
@@ -23,6 +23,10 @@ tests:
     object: samples/psp-host-network-ports/update.yaml
     assertions:
     - violations: no
+  - name: no-ports-specified
+    object: samples/psp-host-network-ports/example_allowed_no_ports.yaml
+    assertions:
+    - violations: no
 - name: use-of-host-network-blocked
   template: template.yaml
   constraint: samples/psp-host-network-ports/constraint_block_host_network.yaml
@@ -43,3 +47,4 @@ tests:
     object: samples/psp-host-network-ports/update.yaml
     assertions:
     - violations: no
+
diff --git a/library/pod-security-policy/host-network-ports/template.yaml b/library/pod-security-policy/host-network-ports/template.yaml
@@ -4,7 +4,7 @@ metadata:
   name: k8spsphostnetworkingports
   annotations:
     metadata.gatekeeper.sh/title: "Host Networking Ports"
-    metadata.gatekeeper.sh/version: 1.1.1
+    metadata.gatekeeper.sh/version: 1.1.2
     description: >-
       Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific
       ports must be specified. Corresponds to the `hostNetwork` and
@@ -72,7 +72,7 @@ spec:
           - name: badContainers
             expression: |
               (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
-                !(container.image in variables.exemptImages) &&
+                !(container.image in variables.exemptImages) && has(container.ports) &&
                 (
                   (container.ports.all(port, has(port.hostPort) && has(variables.params.min) && port.hostPort < variables.params.min)) ||
                   (container.ports.all(port, has(port.hostPort) && has(variables.params.max) && port.hostPort > variables.params.max))

diff --git a/src/pod-security-policy/host-network-ports/constraint.tmpl b/src/pod-security-policy/host-network-ports/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
   name: k8spsphostnetworkingports
   annotations:
     metadata.gatekeeper.sh/title: "Host Networking Ports"
-    metadata.gatekeeper.sh/version: 1.1.1
+    metadata.gatekeeper.sh/version: 1.1.2
     description: >-
       Controls usage of host network namespace by pod containers. HostNetwork verification happens without exception for exemptImages. Specific
       ports must be specified. Corresponds to the `hostNetwork` and