diff --git a/artifacthub/library/pod-security-policy/seccompv2/1.0.0/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/seccompv2/1.0.0/artifacthub-pkg.yml index d8bdf417b..c531a86c6 100644 --- a/artifacthub/library/pod-security-policy/seccompv2/1.0.0/artifacthub-pkg.yml +++ b/artifacthub/library/pod-security-policy/seccompv2/1.0.0/artifacthub-pkg.yml @@ -3,7 +3,7 @@ name: k8spspseccompv2 displayName: Seccomp V2 createdAt: "2024-09-05T01:36:31Z" description: Controls the seccomp profile used by containers. Corresponds to the `securityContext.seccompProfile` field. -digest: 7586bb9d19280fe3e019415023e00db4194d8f64698bb54d075f7942310d4c6c +digest: fcc97db4d44833d76224adc365e78fe3d51202670b24009974d2cbc928e104a1 license: Apache-2.0 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/seccompv2 keywords: diff --git a/artifacthub/library/pod-security-policy/seccompv2/1.0.0/template.yaml b/artifacthub/library/pod-security-policy/seccompv2/1.0.0/template.yaml index 73ab76d52..f9883892a 100644 --- a/artifacthub/library/pod-security-policy/seccompv2/1.0.0/template.yaml +++ b/artifacthub/library/pod-security-policy/seccompv2/1.0.0/template.yaml @@ -211,16 +211,16 @@ spec: # Simple allowed Profiles allowed_profile(profile, _, allowed) { profile != "Localhost" - temp = allowed[_] - profile == temp.type + allow_profile = allowed[_] + profile == allow_profile.type } # annotation localhost without wildcard allowed_profile(profile, file, allowed) { profile == "Localhost" - temp = allowed[_] - temp.type == "Localhost" - file == temp.localHostProfile + allow_profile = allowed[_] + allow_profile.type == "Localhost" + file == allow_profile.localHostProfile } # The profiles explicitly in the list diff --git a/library/pod-security-policy/seccompv2/template.yaml b/library/pod-security-policy/seccompv2/template.yaml index 52a1c06c2..f9883892a 100644 --- a/library/pod-security-policy/seccompv2/template.yaml +++ b/library/pod-security-policy/seccompv2/template.yaml @@ -61,6 +61,109 @@ spec: targets: - target: admission.k8s.gatekeeper.sh code: + - engine: K8sNativeValidation + source: + variables: + - name: containers + expression: 'has(variables.anyObject.spec.containers) ? variables.anyObject.spec.containers : []' + - name: initContainers + expression: 'has(variables.anyObject.spec.initContainers) ? variables.anyObject.spec.initContainers : []' + - name: ephemeralContainers + expression: 'has(variables.anyObject.spec.ephemeralContainers) ? variables.anyObject.spec.ephemeralContainers : []' + - name: allowAllProfiles + expression: | + has(variables.params.allowedProfiles) && variables.params.allowedProfiles.exists(profile, profile == "*") + - name: exemptImagePrefixes + expression: | + !has(variables.params.exemptImages) ? [] : + variables.params.exemptImages.filter(image, image.endsWith("*")).map(image, string(image).replace("*", "")) + - name: exemptImageExplicit + expression: | + !has(variables.params.exemptImages) ? [] : + variables.params.exemptImages.filter(image, !image.endsWith("*")) + - name: exemptImages + expression: | + (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, + container.image in variables.exemptImageExplicit || + variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))) + - name: unverifiedContainers + expression: | + (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, + !variables.allowAllProfiles && + !(container.image in variables.exemptImages)) + - name: inputNonLocalHostProfiles + expression: | + variables.params.allowedProfiles.filter(profile, profile != "Localhost").map(profile, {"type": profile}) + - name: inputLocalHostProfiles + expression: | + variables.params.allowedProfiles.exists(profile, profile == "Localhost") ? variables.params.allowedLocalhostFiles.map(file, {"type": "Localhost", "localHostProfile": string(file)}) : [] + - name: inputAllowedProfiles + expression: | + variables.inputNonLocalHostProfiles + variables.inputLocalHostProfiles + - name: hasPodSeccomp + expression: | + has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.seccompProfile) + - name: podLocalHostProfile + expression: | + variables.hasPodSeccomp && has(variables.anyObject.spec.securityContext.seccompProfile.localhostProfile) ? variables.anyObject.spec.securityContext.seccompProfile.localhostProfile : "" + - name: podSecurityContextProfileType + expression: | + has(variables.hasPodSeccomp) && has(variables.anyObject.spec.securityContext.seccompProfile.type) ? variables.anyObject.spec.securityContext.seccompProfile.type + : "" + - name: podSecurityContextProfiles + expression: | + variables.unverifiedContainers.filter(container, + !(has(container.securityContext) && has(container.securityContext.seccompProfile)) && + variables.hasPodSeccomp + ).map(container, { + "container" : container.name, + "profile" : dyn(variables.podSecurityContextProfileType), + "file" : variables.podLocalHostProfile, + "location" : dyn("pod securityContext"), + }) + - name: containerSecurityContextProfiles + expression: | + variables.unverifiedContainers.filter(container, + has(container.securityContext) && has(container.securityContext.seccompProfile) + ).map(container, { + "container" : container.name, + "profile" : dyn(container.securityContext.seccompProfile.type), + "file" : has(container.securityContext.seccompProfile.localhostProfile) ? container.securityContext.seccompProfile.localhostProfile : dyn(""), + "location" : dyn("container securityContext"), + }) + - name: containerProfilesMissing + expression: | + variables.unverifiedContainers.filter(container, + !(has(container.securityContext) && has(container.securityContext.seccompProfile)) && + !variables.hasPodSeccomp + ).map(container, { + "container" : container.name, + "profile" : dyn("not configured"), + "file" : dyn(""), + "location" : dyn("no explicit profile found"), + }) + - name: allContainerProfiles + expression: | + variables.podSecurityContextProfiles + variables.containerSecurityContextProfiles + variables.containerProfilesMissing + - name: badContainerProfilesWithoutFiles + expression: | + variables.allContainerProfiles.filter(container, + container.profile != "Localhost" && + !variables.inputAllowedProfiles.exists(profile, profile.type == container.profile) + ).map(badProfile, "Seccomp profile '" + badProfile.profile + "' is not allowed for container '" + badProfile.container + "'. Found at: " + badProfile.location + ". Allowed profiles: " + variables.inputAllowedProfiles.map(profile, "{\"type\": \"" + profile.type + "\"" + (has(profile.localHostProfile) ? ", \"localHostProfile\": \"" + profile.localHostProfile + "\"}" : "}")).join(", ")) + - name: badContainerProfilesWithFiles + expression: | + variables.allContainerProfiles.filter(container, + container.profile == "Localhost" && + !variables.inputAllowedProfiles.exists(profile, profile.type == "Localhost" && (has(profile.localHostProfile) && (profile.localHostProfile == container.file || profile.localHostProfile == "*"))) + ).map(badProfile, "Seccomp profile '" + badProfile.profile + "' With file '" + badProfile.file + "' is not allowed for container '" + badProfile.container + "'. Found at: " + badProfile.location + ". Allowed profiles: " + variables.inputAllowedProfiles.map(profile, "{\"type\": \"" + profile.type + "\"" + (has(profile.localHostProfile) ? ", \"localHostProfile\": \"" + profile.localHostProfile + "\"}" : "}")).join(", ")) + validations: + - expression: 'size(variables.badContainerProfilesWithoutFiles) == 0' + messageExpression: | + variables.badContainerProfilesWithoutFiles.join(", ") + - expression: 'size(variables.badContainerProfilesWithFiles) == 0' + messageExpression: | + variables.badContainerProfilesWithFiles.join(", ") - engine: Rego source: rego: | @@ -108,16 +211,16 @@ spec: # Simple allowed Profiles allowed_profile(profile, _, allowed) { profile != "Localhost" - temp = allowed[_] - profile == temp.type + allow_profile = allowed[_] + profile == allow_profile.type } # annotation localhost without wildcard allowed_profile(profile, file, allowed) { profile == "Localhost" - temp = allowed[_] - temp.type == "Localhost" - file == temp.localHostProfile + allow_profile = allowed[_] + allow_profile.type == "Localhost" + file == allow_profile.localHostProfile } # The profiles explicitly in the list diff --git a/src/pod-security-policy/seccompv2/src.rego b/src/pod-security-policy/seccompv2/src.rego index bb10f4744..eee2ee037 100644 --- a/src/pod-security-policy/seccompv2/src.rego +++ b/src/pod-security-policy/seccompv2/src.rego @@ -42,16 +42,16 @@ allowed_profile(profile, _, _) { # Simple allowed Profiles allowed_profile(profile, _, allowed) { profile != "Localhost" - temp = allowed[_] - profile == temp.type + allow_profile = allowed[_] + profile == allow_profile.type } # annotation localhost without wildcard allowed_profile(profile, file, allowed) { profile == "Localhost" - temp = allowed[_] - temp.type == "Localhost" - file == temp.localHostProfile + allow_profile = allowed[_] + allow_profile.type == "Localhost" + file == allow_profile.localHostProfile } # The profiles explicitly in the list diff --git a/website/docs/validation/seccompv2.md b/website/docs/validation/seccompv2.md index a148d9c34..488780cb0 100644 --- a/website/docs/validation/seccompv2.md +++ b/website/docs/validation/seccompv2.md @@ -223,16 +223,16 @@ spec: # Simple allowed Profiles allowed_profile(profile, _, allowed) { profile != "Localhost" - temp = allowed[_] - profile == temp.type + allow_profile = allowed[_] + profile == allow_profile.type } # annotation localhost without wildcard allowed_profile(profile, file, allowed) { profile == "Localhost" - temp = allowed[_] - temp.type == "Localhost" - file == temp.localHostProfile + allow_profile = allowed[_] + allow_profile.type == "Localhost" + file == allow_profile.localHostProfile } # The profiles explicitly in the list