Skip to content

Commit

Permalink
updating rego variable name
Browse files Browse the repository at this point in the history
Signed-off-by: Jaydip Gabani <[email protected]>
  • Loading branch information
JaydipGabani committed Sep 23, 2024
1 parent 3ed88dc commit fbd2560
Show file tree
Hide file tree
Showing 5 changed files with 124 additions and 21 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ name: k8spspseccompv2
displayName: Seccomp V2
createdAt: "2024-09-05T01:36:31Z"
description: Controls the seccomp profile used by containers. Corresponds to the `securityContext.seccompProfile` field.
digest: 7586bb9d19280fe3e019415023e00db4194d8f64698bb54d075f7942310d4c6c
digest: fcc97db4d44833d76224adc365e78fe3d51202670b24009974d2cbc928e104a1
license: Apache-2.0
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/seccompv2
keywords:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -211,16 +211,16 @@ spec:
# Simple allowed Profiles
allowed_profile(profile, _, allowed) {
profile != "Localhost"
temp = allowed[_]
profile == temp.type
allow_profile = allowed[_]
profile == allow_profile.type
}
# annotation localhost without wildcard
allowed_profile(profile, file, allowed) {
profile == "Localhost"
temp = allowed[_]
temp.type == "Localhost"
file == temp.localHostProfile
allow_profile = allowed[_]
allow_profile.type == "Localhost"
file == allow_profile.localHostProfile
}
# The profiles explicitly in the list
Expand Down
113 changes: 108 additions & 5 deletions library/pod-security-policy/seccompv2/template.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,109 @@ spec:
targets:
- target: admission.k8s.gatekeeper.sh
code:
- engine: K8sNativeValidation
source:
variables:
- name: containers
expression: 'has(variables.anyObject.spec.containers) ? variables.anyObject.spec.containers : []'
- name: initContainers
expression: 'has(variables.anyObject.spec.initContainers) ? variables.anyObject.spec.initContainers : []'
- name: ephemeralContainers
expression: 'has(variables.anyObject.spec.ephemeralContainers) ? variables.anyObject.spec.ephemeralContainers : []'
- name: allowAllProfiles
expression: |
has(variables.params.allowedProfiles) && variables.params.allowedProfiles.exists(profile, profile == "*")
- name: exemptImagePrefixes
expression: |
!has(variables.params.exemptImages) ? [] :
variables.params.exemptImages.filter(image, image.endsWith("*")).map(image, string(image).replace("*", ""))
- name: exemptImageExplicit
expression: |
!has(variables.params.exemptImages) ? [] :
variables.params.exemptImages.filter(image, !image.endsWith("*"))
- name: exemptImages
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
container.image in variables.exemptImageExplicit ||
variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption)))
- name: unverifiedContainers
expression: |
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container,
!variables.allowAllProfiles &&
!(container.image in variables.exemptImages))
- name: inputNonLocalHostProfiles
expression: |
variables.params.allowedProfiles.filter(profile, profile != "Localhost").map(profile, {"type": profile})
- name: inputLocalHostProfiles
expression: |
variables.params.allowedProfiles.exists(profile, profile == "Localhost") ? variables.params.allowedLocalhostFiles.map(file, {"type": "Localhost", "localHostProfile": string(file)}) : []
- name: inputAllowedProfiles
expression: |
variables.inputNonLocalHostProfiles + variables.inputLocalHostProfiles
- name: hasPodSeccomp
expression: |
has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.seccompProfile)
- name: podLocalHostProfile
expression: |
variables.hasPodSeccomp && has(variables.anyObject.spec.securityContext.seccompProfile.localhostProfile) ? variables.anyObject.spec.securityContext.seccompProfile.localhostProfile : ""
- name: podSecurityContextProfileType
expression: |
has(variables.hasPodSeccomp) && has(variables.anyObject.spec.securityContext.seccompProfile.type) ? variables.anyObject.spec.securityContext.seccompProfile.type
: ""
- name: podSecurityContextProfiles
expression: |
variables.unverifiedContainers.filter(container,
!(has(container.securityContext) && has(container.securityContext.seccompProfile)) &&
variables.hasPodSeccomp
).map(container, {
"container" : container.name,
"profile" : dyn(variables.podSecurityContextProfileType),
"file" : variables.podLocalHostProfile,
"location" : dyn("pod securityContext"),
})
- name: containerSecurityContextProfiles
expression: |
variables.unverifiedContainers.filter(container,
has(container.securityContext) && has(container.securityContext.seccompProfile)
).map(container, {
"container" : container.name,
"profile" : dyn(container.securityContext.seccompProfile.type),
"file" : has(container.securityContext.seccompProfile.localhostProfile) ? container.securityContext.seccompProfile.localhostProfile : dyn(""),
"location" : dyn("container securityContext"),
})
- name: containerProfilesMissing
expression: |
variables.unverifiedContainers.filter(container,
!(has(container.securityContext) && has(container.securityContext.seccompProfile)) &&
!variables.hasPodSeccomp
).map(container, {
"container" : container.name,
"profile" : dyn("not configured"),
"file" : dyn(""),
"location" : dyn("no explicit profile found"),
})
- name: allContainerProfiles
expression: |
variables.podSecurityContextProfiles + variables.containerSecurityContextProfiles + variables.containerProfilesMissing
- name: badContainerProfilesWithoutFiles
expression: |
variables.allContainerProfiles.filter(container,
container.profile != "Localhost" &&
!variables.inputAllowedProfiles.exists(profile, profile.type == container.profile)
).map(badProfile, "Seccomp profile '" + badProfile.profile + "' is not allowed for container '" + badProfile.container + "'. Found at: " + badProfile.location + ". Allowed profiles: " + variables.inputAllowedProfiles.map(profile, "{\"type\": \"" + profile.type + "\"" + (has(profile.localHostProfile) ? ", \"localHostProfile\": \"" + profile.localHostProfile + "\"}" : "}")).join(", "))
- name: badContainerProfilesWithFiles
expression: |
variables.allContainerProfiles.filter(container,
container.profile == "Localhost" &&
!variables.inputAllowedProfiles.exists(profile, profile.type == "Localhost" && (has(profile.localHostProfile) && (profile.localHostProfile == container.file || profile.localHostProfile == "*")))
).map(badProfile, "Seccomp profile '" + badProfile.profile + "' With file '" + badProfile.file + "' is not allowed for container '" + badProfile.container + "'. Found at: " + badProfile.location + ". Allowed profiles: " + variables.inputAllowedProfiles.map(profile, "{\"type\": \"" + profile.type + "\"" + (has(profile.localHostProfile) ? ", \"localHostProfile\": \"" + profile.localHostProfile + "\"}" : "}")).join(", "))
validations:
- expression: 'size(variables.badContainerProfilesWithoutFiles) == 0'
messageExpression: |
variables.badContainerProfilesWithoutFiles.join(", ")
- expression: 'size(variables.badContainerProfilesWithFiles) == 0'
messageExpression: |
variables.badContainerProfilesWithFiles.join(", ")
- engine: Rego
source:
rego: |
Expand Down Expand Up @@ -108,16 +211,16 @@ spec:
# Simple allowed Profiles
allowed_profile(profile, _, allowed) {
profile != "Localhost"
temp = allowed[_]
profile == temp.type
allow_profile = allowed[_]
profile == allow_profile.type
}
# annotation localhost without wildcard
allowed_profile(profile, file, allowed) {
profile == "Localhost"
temp = allowed[_]
temp.type == "Localhost"
file == temp.localHostProfile
allow_profile = allowed[_]
allow_profile.type == "Localhost"
file == allow_profile.localHostProfile
}
# The profiles explicitly in the list
Expand Down
10 changes: 5 additions & 5 deletions src/pod-security-policy/seccompv2/src.rego
Original file line number Diff line number Diff line change
Expand Up @@ -42,16 +42,16 @@ allowed_profile(profile, _, _) {
# Simple allowed Profiles
allowed_profile(profile, _, allowed) {
profile != "Localhost"
temp = allowed[_]
profile == temp.type
allow_profile = allowed[_]
profile == allow_profile.type
}

# annotation localhost without wildcard
allowed_profile(profile, file, allowed) {
profile == "Localhost"
temp = allowed[_]
temp.type == "Localhost"
file == temp.localHostProfile
allow_profile = allowed[_]
allow_profile.type == "Localhost"
file == allow_profile.localHostProfile
}

# The profiles explicitly in the list
Expand Down
10 changes: 5 additions & 5 deletions website/docs/validation/seccompv2.md
Original file line number Diff line number Diff line change
Expand Up @@ -223,16 +223,16 @@ spec:
# Simple allowed Profiles
allowed_profile(profile, _, allowed) {
profile != "Localhost"
temp = allowed[_]
profile == temp.type
allow_profile = allowed[_]
profile == allow_profile.type
}
# annotation localhost without wildcard
allowed_profile(profile, file, allowed) {
profile == "Localhost"
temp = allowed[_]
temp.type == "Localhost"
file == temp.localHostProfile
allow_profile = allowed[_]
allow_profile.type == "Localhost"
file == allow_profile.localHostProfile
}
# The profiles explicitly in the list
Expand Down

0 comments on commit fbd2560

Please sign in to comment.