From 7db1c86a58d691d7238c0caee89bea1701ae66d1 Mon Sep 17 00:00:00 2001
From: Hidehito Yabuuchi
Date: Tue, 23 May 2023 17:41:29 +0900
Subject: [PATCH 01/11] Add Rego library for excluding UPDATE and PATCH operations
Signed-off-by: Hidehito Yabuuchi
---
.../lib_exclude_update_patch.rego | 7 +++++++
.../lib_exclude_update_patch_test.rego | 17 +++++++++++++++++
2 files changed, 24 insertions(+)
create mode 100644 src/rego/lib_exclude_update_patch/lib_exclude_update_patch.rego
create mode 100644 src/rego/lib_exclude_update_patch/lib_exclude_update_patch_test.rego
diff --git a/src/rego/lib_exclude_update_patch/lib_exclude_update_patch.rego b/src/rego/lib_exclude_update_patch/lib_exclude_update_patch.rego
new file mode 100644
index 000000000..fb666035e
--- /dev/null
+++ b/src/rego/lib_exclude_update_patch/lib_exclude_update_patch.rego
@@ -0,0 +1,7 @@
+package lib.exclude_update_patch
+
+import future.keywords.in
+
+is_update_or_patch(review) {
+ review.operation in ["UPDATE", "PATCH"]
+}
diff --git a/src/rego/lib_exclude_update_patch/lib_exclude_update_patch_test.rego b/src/rego/lib_exclude_update_patch/lib_exclude_update_patch_test.rego
new file mode 100644
index 000000000..f442fb5e8
--- /dev/null
+++ b/src/rego/lib_exclude_update_patch/lib_exclude_update_patch_test.rego
@@ -0,0 +1,17 @@
+package lib.exclude_update_patch
+
+test_update {
+ is_update_or_patch({"operation": "UPDATE"})
+}
+
+test_patch {
+ is_update_or_patch({"operation": "PATCH"})
+}
+
+test_create {
+ not is_update_or_patch({"operation": "CREATE"})
+}
+
+test_empty {
+ not is_update_or_patch({"operation": ""})
+}
From 35708e352ff2d8d8493db8022b16a0078c551eb4 Mon Sep 17 00:00:00 2001
From: Hidehito Yabuuchi
Date: Tue, 23 May 2023 17:43:35 +0900
Subject: [PATCH 02/11] Exclude UPDATE and PATCH operations in constraints for immutable fields
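Review bot: `is_update_or_patch` is undefined rather than false when `review.operation` is absent, so a caller written as `not is_update_or_patch(input.review)` keeps enforcing its constraint for a review that carries no operation field; that is the fail-closed direction, but since every constraint in this series relies on it, the rule deserves a comment stating it, e.g. `# Undefined (not false) when review.operation is missing, so "not is_update_or_patch" still enforces.`. AdmissionReview reports CREATE, UPDATE, DELETE and CONNECT, and an HTTP PATCH reaches admission as UPDATE, so the `"PATCH"` entry appears to add no coverage on its own; a comment saying the value is kept for callers that construct their own review objects would stop readers from assuming it does. The diffstat of the following commit shows this 7-line file being copied verbatim into 17 template directories; generating those from this single source in `src/rego/lib_exclude_update_patch` would keep the copies from drifting.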
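Review bot: The tests cover UPDATE, PATCH, CREATE and an empty string but not a review with no `operation` key at all, which is the case where the rule is undefined instead of false; adding `test_missing_operation { not is_update_or_patch({}) }` would pin that the `not is_update_or_patch` guard stays fail-closed when the field is missing. A DELETE case, `test_delete { not is_update_or_patch({"operation": "DELETE"}) }`, would round out the operations the API server actually emits.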
Signed-off-by: Hidehito Yabuuchi --- .../automount-serviceaccount-token/constraint.tmpl | 5 ++++- .../lib_exclude_update_patch.rego | 7 +++++++ src/general/automount-serviceaccount-token/src.rego | 5 +++++ src/general/ephemeralstoragelimit/constraint.tmpl | 4 +++- .../ephemeralstoragelimit/lib_exclude_update_patch.rego | 7 +++++++ src/general/ephemeralstoragelimit/src.rego | 5 +++++ src/general/requiredprobes/constraint.tmpl | 5 ++++- src/general/requiredprobes/lib_exclude_update_patch.rego | 7 +++++++ src/general/requiredprobes/src.rego | 5 +++++ .../allow-privilege-escalation/constraint.tmpl | 4 +++- .../lib_exclude_update_patch.rego | 7 +++++++ .../allow-privilege-escalation/src.rego | 4 ++++ src/pod-security-policy/capabilities/constraint.tmpl | 4 +++- .../capabilities/lib_exclude_update_patch.rego | 7 +++++++ src/pod-security-policy/capabilities/src.rego | 9 +++++++++ .../flexvolume-drivers/constraint.tmpl | 5 ++++- .../flexvolume-drivers/lib_exclude_update_patch.rego | 7 +++++++ src/pod-security-policy/flexvolume-drivers/src.rego | 5 +++++ .../forbidden-sysctls/constraint.tmpl | 5 ++++- .../forbidden-sysctls/lib_exclude_update_patch.rego | 7 +++++++ src/pod-security-policy/forbidden-sysctls/src.rego | 6 ++++++ src/pod-security-policy/fsgroup/constraint.tmpl | 5 ++++- .../fsgroup/lib_exclude_update_patch.rego | 7 +++++++ src/pod-security-policy/fsgroup/src.rego | 5 +++++ src/pod-security-policy/host-filesystem/constraint.tmpl | 5 ++++- .../host-filesystem/lib_exclude_update_patch.rego | 7 +++++++ src/pod-security-policy/host-filesystem/src.rego | 5 +++++ src/pod-security-policy/host-namespaces/constraint.tmpl | 5 ++++- .../host-namespaces/lib_exclude_update_patch.rego | 7 +++++++ src/pod-security-policy/host-namespaces/src.rego | 5 +++++ .../host-network-ports/constraint.tmpl | 4 +++- .../host-network-ports/lib_exclude_update_patch.rego | 7 +++++++ src/pod-security-policy/host-network-ports/src.rego | 4 ++++ .../privileged-containers/constraint.tmpl | 4 +++- 
.../privileged-containers/lib_exclude_update_patch.rego | 7 +++++++ src/pod-security-policy/privileged-containers/src.rego | 4 ++++ src/pod-security-policy/proc-mount/constraint.tmpl | 4 +++- .../proc-mount/lib_exclude_update_patch.rego | 7 +++++++ src/pod-security-policy/proc-mount/src.rego | 4 ++++ .../read-only-root-filesystem/constraint.tmpl | 4 +++- .../lib_exclude_update_patch.rego | 7 +++++++ .../read-only-root-filesystem/src.rego | 4 ++++ src/pod-security-policy/selinux/constraint.tmpl | 4 +++- .../selinux/lib_exclude_update_patch.rego | 7 +++++++ src/pod-security-policy/selinux/src.rego | 7 +++++++ src/pod-security-policy/users/constraint.tmpl | 4 +++- .../users/lib_exclude_update_patch.rego | 7 +++++++ src/pod-security-policy/users/src.rego | 4 ++++ src/pod-security-policy/volumes/constraint.tmpl | 5 ++++- .../volumes/lib_exclude_update_patch.rego | 7 +++++++ src/pod-security-policy/volumes/src.rego | 5 +++++ 51 files changed, 264 insertions(+), 17 deletions(-) create mode 100644 src/general/automount-serviceaccount-token/lib_exclude_update_patch.rego create mode 100644 src/general/ephemeralstoragelimit/lib_exclude_update_patch.rego create mode 100644 src/general/requiredprobes/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/allow-privilege-escalation/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/capabilities/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/flexvolume-drivers/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/forbidden-sysctls/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/fsgroup/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/host-filesystem/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/host-namespaces/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/host-network-ports/lib_exclude_update_patch.rego create mode 100644 
src/pod-security-policy/privileged-containers/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/proc-mount/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/read-only-root-filesystem/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/selinux/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/users/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/volumes/lib_exclude_update_patch.rego diff --git a/src/general/automount-serviceaccount-token/constraint.tmpl b/src/general/automount-serviceaccount-token/constraint.tmpl index b5fec0dd3..92f40feed 100644 --- a/src/general/automount-serviceaccount-token/constraint.tmpl +++ b/src/general/automount-serviceaccount-token/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spspautomountserviceaccounttokenpod annotations: metadata.gatekeeper.sh/title: "Automount Service Account Token for Pod" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the ability of any Pod to enable automountServiceAccountToken. spec: @@ -21,3 +21,6 @@ spec: - target: admission.k8s.gatekeeper.sh rego: | {{ file.Read "src/general/automount-serviceaccount-token/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} + libs: + - | +{{ file.Read "src/general/automount-serviceaccount-token/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/general/automount-serviceaccount-token/lib_exclude_update_patch.rego b/src/general/automount-serviceaccount-token/lib_exclude_update_patch.rego new file mode 100644 index 000000000..fb666035e --- /dev/null +++ b/src/general/automount-serviceaccount-token/lib_exclude_update_patch.rego @@ -0,0 +1,7 @@ +package lib.exclude_update_patch + +import future.keywords.in + +is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] +} 
diff --git a/src/general/automount-serviceaccount-token/src.rego b/src/general/automount-serviceaccount-token/src.rego index 88fd1aec9..d466dcf22 100644 --- a/src/general/automount-serviceaccount-token/src.rego +++ b/src/general/automount-serviceaccount-token/src.rego @@ -1,6 +1,11 @@ package k8sautomountserviceaccounttoken +import data.lib.exclude_update_patch.is_update_or_patch + violation[{"msg": msg}] { + # spec.automountServiceAccountToken and spec.containers.volumeMounts fields are immutable. + not is_update_or_patch(input.review) + obj := input.review.object mountServiceAccountToken(obj.spec) msg := sprintf("Automounting service account token is disallowed, pod: %v", [obj.metadata.name]) diff --git a/src/general/ephemeralstoragelimit/constraint.tmpl b/src/general/ephemeralstoragelimit/constraint.tmpl index a97cbfef8..5c4f833e1 100644 --- a/src/general/ephemeralstoragelimit/constraint.tmpl +++ b/src/general/ephemeralstoragelimit/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8scontainerephemeralstoragelimit annotations: metadata.gatekeeper.sh/title: "Container ephemeral storage limit" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values. @@ -39,4 +39,6 @@ spec: {{ file.Read "src/general/ephemeralstoragelimit/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | +{{ file.Read "src/general/ephemeralstoragelimit/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} + - | {{ file.Read "src/general/ephemeralstoragelimit/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/general/ephemeralstoragelimit/lib_exclude_update_patch.rego b/src/general/ephemeralstoragelimit/lib_exclude_update_patch.rego new file mode 100644 index 000000000..fb666035e --- /dev/null 
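Review bot: The new `not is_update_or_patch(input.review)` guard at the top of the `violation` rule makes the constraint's behaviour on UPDATE depend entirely on the API server refusing changes to the named field; that holds for `spec.automountServiceAccountToken` on a Pod, but the policy itself no longer verifies anything about the object on update, so the assumption should be stated where it is made, e.g. `# Skipping UPDATE/PATCH is safe only because the API server rejects changes to this field on Pods.` The same guard and the same unstated assumption appear in the requiredprobes, allow-privilege-escalation, flexvolume-drivers, forbidden-sysctls, fsgroup, host-filesystem, host-namespaces, host-network-ports, privileged-containers and proc-mount src.rego hunks. Narrowing which operations a constraint enforces is a behavioural change for users, so a minor rather than patch bump of `metadata.gatekeeper.sh/version` in the paired constraint.tmpl would signal it more honestly.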
+++ b/src/general/ephemeralstoragelimit/lib_exclude_update_patch.rego @@ -0,0 +1,7 @@ +package lib.exclude_update_patch + +import future.keywords.in + +is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] +} diff --git a/src/general/ephemeralstoragelimit/src.rego b/src/general/ephemeralstoragelimit/src.rego index e42f048e5..80c17cc1e 100644 --- a/src/general/ephemeralstoragelimit/src.rego +++ b/src/general/ephemeralstoragelimit/src.rego @@ -1,5 +1,6 @@ package k8scontainerephemeralstoragelimit +import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt missing(obj, field) = true { @@ -112,10 +113,14 @@ canonify_storage(orig) = new { } violation[{"msg": msg}] { + # spec.containers.resources.limits["ephemeral-storage"] field is immutable. + not is_update_or_patch(input.review) + general_violation[{"msg": msg, "field": "containers"}] } violation[{"msg": msg}] { + not is_update_or_patch(input.review) general_violation[{"msg": msg, "field": "initContainers"}] } diff --git a/src/general/requiredprobes/constraint.tmpl b/src/general/requiredprobes/constraint.tmpl index 6b81857dc..34dc8389f 100644 --- a/src/general/requiredprobes/constraint.tmpl +++ b/src/general/requiredprobes/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8srequiredprobes annotations: metadata.gatekeeper.sh/title: "Required Probes" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: Requires Pods to have readiness and/or liveness probes. spec: crd: @@ -29,3 +29,6 @@ spec: - target: admission.k8s.gatekeeper.sh rego: | {{ file.Read "src/general/requiredprobes/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} + libs: + - | +{{ file.Read "src/general/requiredprobes/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} 
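Review bot: The comment `# spec.containers.resources.limits["ephemeral-storage"] field is immutable.` on the first `violation` rule is an assumption that is starting to erode: with the InPlacePodVerticalScaling feature gate (alpha in Kubernetes 1.27) container `resources` of a running Pod can be changed by an UPDATE, and although the initial implementation appears limited to CPU and memory, the immutability this guard relies on is now feature-gate dependent rather than absolute. The comment should record that dependency, e.g. `# Updates are skipped on the assumption that ephemeral-storage limits cannot change after creation; revisit if in-place pod resize is extended to ephemeral-storage.` The second `violation` rule (`initContainers`) carries the same guard with no comment at all; a short cross-reference there would keep the two in step.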
diff --git a/src/general/requiredprobes/lib_exclude_update_patch.rego b/src/general/requiredprobes/lib_exclude_update_patch.rego new file mode 100644 index 000000000..fb666035e --- /dev/null +++ b/src/general/requiredprobes/lib_exclude_update_patch.rego @@ -0,0 +1,7 @@ +package lib.exclude_update_patch + +import future.keywords.in + +is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] +} diff --git a/src/general/requiredprobes/src.rego b/src/general/requiredprobes/src.rego index 532b036d7..4158942c1 100644 --- a/src/general/requiredprobes/src.rego +++ b/src/general/requiredprobes/src.rego @@ -1,10 +1,15 @@ package k8srequiredprobes +import data.lib.exclude_update_patch.is_update_or_patch + probe_type_set = probe_types { probe_types := {type | type := input.parameters.probeTypes[_]} } violation[{"msg": msg}] { + # Probe fields are immutable. + not is_update_or_patch(input.review) + container := input.review.object.spec.containers[_] probe := input.parameters.probes[_] probe_is_missing(container, probe) diff --git a/src/pod-security-policy/allow-privilege-escalation/constraint.tmpl b/src/pod-security-policy/allow-privilege-escalation/constraint.tmpl index 3c6abdfe3..7b9df6b2c 100644 --- a/src/pod-security-policy/allow-privilege-escalation/constraint.tmpl +++ b/src/pod-security-policy/allow-privilege-escalation/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spspallowprivilegeescalationcontainer annotations: metadata.gatekeeper.sh/title: "Allow Privilege Escalation in Container" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls restricting escalation to root privileges. Corresponds to the `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more 
@@ -40,4 +40,6 @@ spec: {{ file.Read "src/pod-security-policy/allow-privilege-escalation/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | +{{ file.Read "src/pod-security-policy/allow-privilege-escalation/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} + - | {{ file.Read "src/pod-security-policy/allow-privilege-escalation/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/allow-privilege-escalation/lib_exclude_update_patch.rego b/src/pod-security-policy/allow-privilege-escalation/lib_exclude_update_patch.rego new file mode 100644 index 000000000..fb666035e --- /dev/null +++ b/src/pod-security-policy/allow-privilege-escalation/lib_exclude_update_patch.rego @@ -0,0 +1,7 @@ +package lib.exclude_update_patch + +import future.keywords.in + +is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] +} diff --git a/src/pod-security-policy/allow-privilege-escalation/src.rego b/src/pod-security-policy/allow-privilege-escalation/src.rego index 7c16226c1..386afc1bf 100644 --- a/src/pod-security-policy/allow-privilege-escalation/src.rego +++ b/src/pod-security-policy/allow-privilege-escalation/src.rego @@ -1,8 +1,12 @@ package k8spspallowprivilegeescalationcontainer +import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.securityContext.allowPrivilegeEscalation field is immutable. + not is_update_or_patch(input.review) + c := input_containers[_] not is_exempt(c) input_allow_privilege_escalation(c) diff --git a/src/pod-security-policy/capabilities/constraint.tmpl b/src/pod-security-policy/capabilities/constraint.tmpl index a7220f46c..0bfc234ac 100644 --- a/src/pod-security-policy/capabilities/constraint.tmpl +++ b/src/pod-security-policy/capabilities/constraint.tmpl 
@@ -4,7 +4,7 @@ metadata: name: k8spspcapabilities annotations: metadata.gatekeeper.sh/title: "Capabilities" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls Linux capabilities on containers. Corresponds to the `allowedCapabilities` and `requiredDropCapabilities` fields in a @@ -51,4 +51,6 @@ spec: {{ file.Read "src/pod-security-policy/capabilities/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | +{{ file.Read "src/pod-security-policy/capabilities/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} + - | {{ file.Read "src/pod-security-policy/capabilities/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/capabilities/lib_exclude_update_patch.rego b/src/pod-security-policy/capabilities/lib_exclude_update_patch.rego new file mode 100644 index 000000000..fb666035e --- /dev/null +++ b/src/pod-security-policy/capabilities/lib_exclude_update_patch.rego @@ -0,0 +1,7 @@ +package lib.exclude_update_patch + +import future.keywords.in + +is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] +} diff --git a/src/pod-security-policy/capabilities/src.rego b/src/pod-security-policy/capabilities/src.rego index 95e4fb529..13e861009 100644 --- a/src/pod-security-policy/capabilities/src.rego +++ b/src/pod-security-policy/capabilities/src.rego @@ -1,8 +1,12 @@ package capabilities +import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt violation[{"msg": msg}] { + # spec.containers.securityContext.capabilities field is immutable. + not is_update_or_patch(input.review) + container := input.review.object.spec.containers[_] not is_exempt(container) has_disallowed_capabilities(container) 
@@ -10,6 +14,7 @@ violation[{"msg": msg}] { } violation[{"msg": msg}] { + not is_update_or_patch(input.review) container := input.review.object.spec.containers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -19,6 +24,7 @@ violation[{"msg": msg}] { violation[{"msg": msg}] { + not is_update_or_patch(input.review) container := input.review.object.spec.initContainers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -26,6 +32,7 @@ violation[{"msg": msg}] { } violation[{"msg": msg}] { + not is_update_or_patch(input.review) container := input.review.object.spec.initContainers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -35,6 +42,7 @@ violation[{"msg": msg}] { violation[{"msg": msg}] { + not is_update_or_patch(input.review) container := input.review.object.spec.ephemeralContainers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -42,6 +50,7 @@ violation[{"msg": msg}] { } violation[{"msg": msg}] { + not is_update_or_patch(input.review) container := input.review.object.spec.ephemeralContainers[_] not is_exempt(container) missing_drop_capabilities(container) diff --git a/src/pod-security-policy/flexvolume-drivers/constraint.tmpl b/src/pod-security-policy/flexvolume-drivers/constraint.tmpl index 609f4c3aa..19654546f 100644 --- a/src/pod-security-policy/flexvolume-drivers/constraint.tmpl +++ b/src/pod-security-policy/flexvolume-drivers/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spspflexvolumes annotations: metadata.gatekeeper.sh/title: "FlexVolumes" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the allowlist of FlexVolume drivers. Corresponds to the `allowedFlexVolumes` field in PodSecurityPolicy. For more information, 
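Review bot: The guard added to the two `ephemeralContainers` rules (the `@@ -35` and `@@ -42` hunks) works against their purpose: a Pod cannot be created with `spec.ephemeralContainers` set, ephemeral containers are added to a running Pod through the `pods/ephemeralcontainers` subresource, and that request reaches admission as an UPDATE, so a rule that skips UPDATE will not see the only operation that can introduce one. Whether Gatekeeper receives that subresource at all depends on its webhook rules, but if it does, these two rules become unreachable and the capability allow/drop lists stop applying to debug containers. Dropping `not is_update_or_patch(input.review)` from those two rules keeps the check intact; the immutability rationale behind the guard does not apply to `spec.ephemeralContainers`, which is the one part of a Pod spec designed to change after creation.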
@@ -38,3 +38,6 @@ spec: - target: admission.k8s.gatekeeper.sh rego: | {{ file.Read "src/pod-security-policy/flexvolume-drivers/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} + libs: + - | +{{ file.Read "src/pod-security-policy/flexvolume-drivers/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/flexvolume-drivers/lib_exclude_update_patch.rego b/src/pod-security-policy/flexvolume-drivers/lib_exclude_update_patch.rego new file mode 100644 index 000000000..fb666035e --- /dev/null +++ b/src/pod-security-policy/flexvolume-drivers/lib_exclude_update_patch.rego @@ -0,0 +1,7 @@ +package lib.exclude_update_patch + +import future.keywords.in + +is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] +} diff --git a/src/pod-security-policy/flexvolume-drivers/src.rego b/src/pod-security-policy/flexvolume-drivers/src.rego index b729e221b..dd5216777 100644 --- a/src/pod-security-policy/flexvolume-drivers/src.rego +++ b/src/pod-security-policy/flexvolume-drivers/src.rego @@ -1,6 +1,11 @@ package k8spspflexvolumes +import data.lib.exclude_update_patch.is_update_or_patch + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update_or_patch(input.review) + volume := input_flexvolumes[_] not input_flexvolumes_allowed(volume) msg := sprintf("FlexVolume %v is not allowed, pod: %v. Allowed drivers: %v", [volume, input.review.object.metadata.name, input.parameters.allowedFlexVolumes]) diff --git a/src/pod-security-policy/forbidden-sysctls/constraint.tmpl b/src/pod-security-policy/forbidden-sysctls/constraint.tmpl index 97c294a70..a021029be 100644 --- a/src/pod-security-policy/forbidden-sysctls/constraint.tmpl +++ b/src/pod-security-policy/forbidden-sysctls/constraint.tmpl 
@@ -4,7 +4,7 @@ metadata: name: k8spspforbiddensysctls annotations: metadata.gatekeeper.sh/title: "Forbidden Sysctls" - metadata.gatekeeper.sh/version: 1.1.1 + metadata.gatekeeper.sh/version: 1.1.2 description: >- Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. @@ -41,3 +41,6 @@ spec: - target: admission.k8s.gatekeeper.sh rego: | {{ file.Read "src/pod-security-policy/forbidden-sysctls/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} + libs: + - | +{{ file.Read "src/pod-security-policy/forbidden-sysctls/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/forbidden-sysctls/lib_exclude_update_patch.rego b/src/pod-security-policy/forbidden-sysctls/lib_exclude_update_patch.rego new file mode 100644 index 000000000..fb666035e --- /dev/null +++ b/src/pod-security-policy/forbidden-sysctls/lib_exclude_update_patch.rego @@ -0,0 +1,7 @@ +package lib.exclude_update_patch + +import future.keywords.in + +is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] +} diff --git a/src/pod-security-policy/forbidden-sysctls/src.rego b/src/pod-security-policy/forbidden-sysctls/src.rego index 5675fc95c..6e703fdaf 100644 --- a/src/pod-security-policy/forbidden-sysctls/src.rego +++ b/src/pod-security-policy/forbidden-sysctls/src.rego @@ -1,7 +1,12 @@ package k8spspforbiddensysctls +import data.lib.exclude_update_patch.is_update_or_patch + # Block if forbidden violation[{"msg": msg, "details": {}}] { + # spec.securityContext.sysctls field is immutable. + not is_update_or_patch(input.review) + sysctl := input.review.object.spec.securityContext.sysctls[_].name forbidden_sysctl(sysctl) msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls]) 
@@ -9,6 +14,7 @@ violation[{"msg": msg, "details": {}}] { # Block if not explicitly allowed violation[{"msg": msg, "details": {}}] { + not is_update_or_patch(input.review) sysctl := input.review.object.spec.securityContext.sysctls[_].name not allowed_sysctl(sysctl) msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls]) diff --git a/src/pod-security-policy/fsgroup/constraint.tmpl b/src/pod-security-policy/fsgroup/constraint.tmpl index 259927c9f..94752fd48 100644 --- a/src/pod-security-policy/fsgroup/constraint.tmpl +++ b/src/pod-security-policy/fsgroup/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spspfsgroup annotations: metadata.gatekeeper.sh/title: "FS Group" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy. For more information, see @@ -46,3 +46,6 @@ spec: - target: admission.k8s.gatekeeper.sh rego: | {{ file.Read "src/pod-security-policy/fsgroup/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} + libs: + - | +{{ file.Read "src/pod-security-policy/fsgroup/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/fsgroup/lib_exclude_update_patch.rego b/src/pod-security-policy/fsgroup/lib_exclude_update_patch.rego new file mode 100644 index 000000000..fb666035e --- /dev/null +++ b/src/pod-security-policy/fsgroup/lib_exclude_update_patch.rego @@ -0,0 +1,7 @@ +package lib.exclude_update_patch + +import future.keywords.in + +is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] +} diff --git a/src/pod-security-policy/fsgroup/src.rego b/src/pod-security-policy/fsgroup/src.rego index 021e7c561..c2dd330ee 100644 --- a/src/pod-security-policy/fsgroup/src.rego +++ b/src/pod-security-policy/fsgroup/src.rego 
@@ -1,6 +1,11 @@ package k8spspfsgroup +import data.lib.exclude_update_patch.is_update_or_patch + violation[{"msg": msg, "details": {}}] { + # spec.securityContext.fsGroup field is immutable. + not is_update_or_patch(input.review) + spec := input.review.object.spec not input_fsGroup_allowed(spec) msg := sprintf("The provided pod spec fsGroup is not allowed, pod: %v. Allowed fsGroup: %v", [input.review.object.metadata.name, input.parameters]) diff --git a/src/pod-security-policy/host-filesystem/constraint.tmpl b/src/pod-security-policy/host-filesystem/constraint.tmpl index 24dd21682..dd844b7d7 100644 --- a/src/pod-security-policy/host-filesystem/constraint.tmpl +++ b/src/pod-security-policy/host-filesystem/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spsphostfilesystem annotations: metadata.gatekeeper.sh/title: "Host Filesystem" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, @@ -41,3 +41,6 @@ spec: - target: admission.k8s.gatekeeper.sh rego: | {{ file.Read "src/pod-security-policy/host-filesystem/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} + libs: + - | +{{ file.Read "src/pod-security-policy/host-filesystem/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/host-filesystem/lib_exclude_update_patch.rego b/src/pod-security-policy/host-filesystem/lib_exclude_update_patch.rego new file mode 100644 index 000000000..fb666035e --- /dev/null +++ b/src/pod-security-policy/host-filesystem/lib_exclude_update_patch.rego @@ -0,0 +1,7 @@ +package lib.exclude_update_patch + +import future.keywords.in + +is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] +} diff --git a/src/pod-security-policy/host-filesystem/src.rego b/src/pod-security-policy/host-filesystem/src.rego index 3e5ab3b8d..bf58506f3 100644 
--- a/src/pod-security-policy/host-filesystem/src.rego +++ b/src/pod-security-policy/host-filesystem/src.rego @@ -1,6 +1,11 @@ package k8spsphostfilesystem +import data.lib.exclude_update_patch.is_update_or_patch + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update_or_patch(input.review) + volume := input_hostpath_volumes[_] allowedPaths := get_allowed_paths(input) input_hostpath_violation(allowedPaths, volume) diff --git a/src/pod-security-policy/host-namespaces/constraint.tmpl b/src/pod-security-policy/host-namespaces/constraint.tmpl index 330e67ee9..de306e875 100644 --- a/src/pod-security-policy/host-namespaces/constraint.tmpl +++ b/src/pod-security-policy/host-namespaces/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spsphostnamespace annotations: metadata.gatekeeper.sh/title: "Host Namespace" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. @@ -28,3 +28,6 @@ spec: - target: admission.k8s.gatekeeper.sh rego: | {{ file.Read "src/pod-security-policy/host-namespaces/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} + libs: + - | +{{ file.Read "src/pod-security-policy/host-namespaces/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/host-namespaces/lib_exclude_update_patch.rego b/src/pod-security-policy/host-namespaces/lib_exclude_update_patch.rego new file mode 100644 index 000000000..fb666035e --- /dev/null +++ b/src/pod-security-policy/host-namespaces/lib_exclude_update_patch.rego @@ -0,0 +1,7 @@ +package lib.exclude_update_patch + +import future.keywords.in + +is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] +} 
diff --git a/src/pod-security-policy/host-namespaces/src.rego b/src/pod-security-policy/host-namespaces/src.rego index 3f6012fe3..431bbb2dc 100644 --- a/src/pod-security-policy/host-namespaces/src.rego +++ b/src/pod-security-policy/host-namespaces/src.rego @@ -1,6 +1,11 @@ package k8spsphostnamespace +import data.lib.exclude_update_patch.is_update_or_patch + violation[{"msg": msg, "details": {}}] { + # spec.hostPID and spec.hostIPC fields are immutable. + not is_update_or_patch(input.review) + input_share_hostnamespace(input.review.object) msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name]) } diff --git a/src/pod-security-policy/host-network-ports/constraint.tmpl b/src/pod-security-policy/host-network-ports/constraint.tmpl index 9d32025e8..9af5b1da3 100644 --- a/src/pod-security-policy/host-network-ports/constraint.tmpl +++ b/src/pod-security-policy/host-network-ports/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spsphostnetworkingports annotations: metadata.gatekeeper.sh/title: "Host Networking Ports" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the `hostNetwork` and @@ -50,4 +50,6 @@ spec: {{ file.Read "src/pod-security-policy/host-network-ports/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | +{{ file.Read "src/pod-security-policy/host-network-ports/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} + - | {{ file.Read "src/pod-security-policy/host-network-ports/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/host-network-ports/lib_exclude_update_patch.rego b/src/pod-security-policy/host-network-ports/lib_exclude_update_patch.rego new file mode 100644 index 000000000..fb666035e --- /dev/null 
+++ b/src/pod-security-policy/host-network-ports/lib_exclude_update_patch.rego @@ -0,0 +1,7 @@ +package lib.exclude_update_patch + +import future.keywords.in + +is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] +} diff --git a/src/pod-security-policy/host-network-ports/src.rego b/src/pod-security-policy/host-network-ports/src.rego index bc5b5b0e7..08c890da6 100644 --- a/src/pod-security-policy/host-network-ports/src.rego +++ b/src/pod-security-policy/host-network-ports/src.rego @@ -1,8 +1,12 @@ package k8spsphostnetworkingports +import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.hostNetwork field is immutable. + not is_update_or_patch(input.review) + input_share_hostnetwork(input.review.object) msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters]) } diff --git a/src/pod-security-policy/privileged-containers/constraint.tmpl b/src/pod-security-policy/privileged-containers/constraint.tmpl index 4090b8541..a1e7766ea 100644 --- a/src/pod-security-policy/privileged-containers/constraint.tmpl +++ b/src/pod-security-policy/privileged-containers/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spspprivilegedcontainer annotations: metadata.gatekeeper.sh/title: "Privileged Container" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more 
@@ -40,4 +40,6 @@ spec: {{ file.Read "src/pod-security-policy/privileged-containers/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | +{{ file.Read "src/pod-security-policy/privileged-containers/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} + - | {{ file.Read "src/pod-security-policy/privileged-containers/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/privileged-containers/lib_exclude_update_patch.rego b/src/pod-security-policy/privileged-containers/lib_exclude_update_patch.rego new file mode 100644 index 000000000..fb666035e --- /dev/null +++ b/src/pod-security-policy/privileged-containers/lib_exclude_update_patch.rego @@ -0,0 +1,7 @@ +package lib.exclude_update_patch + +import future.keywords.in + +is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] +} diff --git a/src/pod-security-policy/privileged-containers/src.rego b/src/pod-security-policy/privileged-containers/src.rego index facc61eff..db984a2ce 100644 --- a/src/pod-security-policy/privileged-containers/src.rego +++ b/src/pod-security-policy/privileged-containers/src.rego @@ -1,8 +1,12 @@ package k8spspprivileged +import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.privileged field is immutable. + not is_update_or_patch(input.review) + c := input_containers[_] not is_exempt(c) c.securityContext.privileged diff --git a/src/pod-security-policy/proc-mount/constraint.tmpl b/src/pod-security-policy/proc-mount/constraint.tmpl index 195313b1c..18d658ab0 100644 --- a/src/pod-security-policy/proc-mount/constraint.tmpl +++ b/src/pod-security-policy/proc-mount/constraint.tmpl 
@@ -4,7 +4,7 @@ metadata:
 name: k8spspprocmount
 annotations:
 metadata.gatekeeper.sh/title: "Proc Mount"
- metadata.gatekeeper.sh/version: 1.0.1
+ metadata.gatekeeper.sh/version: 1.0.2
 description: >-
 Controls the allowed `procMount` types for the container. Corresponds to the `allowedProcMountTypes` field in a PodSecurityPolicy. For more
@@ -51,4 +51,6 @@ spec:
 {{ file.Read "src/pod-security-policy/proc-mount/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
 libs:
 - |
+{{ file.Read "src/pod-security-policy/proc-mount/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
+ - |
 {{ file.Read "src/pod-security-policy/proc-mount/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/pod-security-policy/proc-mount/lib_exclude_update_patch.rego b/src/pod-security-policy/proc-mount/lib_exclude_update_patch.rego
new file mode 100644
index 000000000..fb666035e
--- /dev/null
+++ b/src/pod-security-policy/proc-mount/lib_exclude_update_patch.rego
@@ -0,0 +1,7 @@
+package lib.exclude_update_patch
+
+import future.keywords.in
+
+is_update_or_patch(review) {
+ review.operation in ["UPDATE", "PATCH"]
+}
diff --git a/src/pod-security-policy/proc-mount/src.rego b/src/pod-security-policy/proc-mount/src.rego
index f6520441d..8f1c02d28 100644
--- a/src/pod-security-policy/proc-mount/src.rego
+++ b/src/pod-security-policy/proc-mount/src.rego
@@ -1,8 +1,12 @@
 package k8spspprocmount
+import data.lib.exclude_update_patch.is_update_or_patch
 import data.lib.exempt_container.is_exempt
 violation[{"msg": msg, "details": {}}] {
+ # spec.containers.securityContext.procMount field is immutable.
+ not is_update_or_patch(input.review)
+
 c := input_containers[_]
 not is_exempt(c)
 allowedProcMount := get_allowed_proc_mount(input)
diff --git a/src/pod-security-policy/read-only-root-filesystem/constraint.tmpl b/src/pod-security-policy/read-only-root-filesystem/constraint.tmpl
index 3d1a4f7c4..8f2fc0c9e 100644
--- a/src/pod-security-policy/read-only-root-filesystem/constraint.tmpl
+++ b/src/pod-security-policy/read-only-root-filesystem/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
 name: k8spspreadonlyrootfilesystem
 annotations:
 metadata.gatekeeper.sh/title: "Read Only Root Filesystem"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
 description: >-
 Requires the use of a read-only root file system by pod containers. Corresponds to the `readOnlyRootFilesystem` field in a
@@ -41,4 +41,6 @@ spec:
 {{ file.Read "src/pod-security-policy/read-only-root-filesystem/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
 libs:
 - |
+{{ file.Read "src/pod-security-policy/read-only-root-filesystem/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
+ - |
 {{ file.Read "src/pod-security-policy/read-only-root-filesystem/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/pod-security-policy/read-only-root-filesystem/lib_exclude_update_patch.rego b/src/pod-security-policy/read-only-root-filesystem/lib_exclude_update_patch.rego
new file mode 100644
index 000000000..fb666035e
--- /dev/null
+++ b/src/pod-security-policy/read-only-root-filesystem/lib_exclude_update_patch.rego
@@ -0,0 +1,7 @@
+package lib.exclude_update_patch
+
+import future.keywords.in
+
+is_update_or_patch(review) {
+ review.operation in ["UPDATE", "PATCH"]
+}
diff --git a/src/pod-security-policy/read-only-root-filesystem/src.rego b/src/pod-security-policy/read-only-root-filesystem/src.rego
index 084051e6b..c1c339fd9 100644
--- a/src/pod-security-policy/read-only-root-filesystem/src.rego
+++ b/src/pod-security-policy/read-only-root-filesystem/src.rego
@@ -1,8 +1,12 @@
 package k8spspreadonlyrootfilesystem
+import data.lib.exclude_update_patch.is_update_or_patch
 import data.lib.exempt_container.is_exempt
 violation[{"msg": msg, "details": {}}] {
+ # spec.containers.readOnlyRootFilesystem field is immutable.
+ not is_update_or_patch(input.review)
+
 c := input_containers[_]
 not is_exempt(c)
 input_read_only_root_fs(c)
diff --git a/src/pod-security-policy/selinux/constraint.tmpl b/src/pod-security-policy/selinux/constraint.tmpl
index 4817a5c6e..5270ae608 100644
--- a/src/pod-security-policy/selinux/constraint.tmpl
+++ b/src/pod-security-policy/selinux/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
 name: k8spspselinuxv2
 annotations:
 metadata.gatekeeper.sh/title: "SELinux V2"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
 description: >-
 Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configs.
@@ -60,4 +60,6 @@ spec:
 {{ file.Read "src/pod-security-policy/selinux/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
 libs:
 - |
+{{ file.Read "src/pod-security-policy/selinux/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
+ - |
 {{ file.Read "src/pod-security-policy/selinux/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/pod-security-policy/selinux/lib_exclude_update_patch.rego b/src/pod-security-policy/selinux/lib_exclude_update_patch.rego
new file mode 100644
index 000000000..fb666035e
--- /dev/null
+++ b/src/pod-security-policy/selinux/lib_exclude_update_patch.rego
@@ -0,0 +1,7 @@
+package lib.exclude_update_patch
+
+import future.keywords.in
+
+is_update_or_patch(review) {
+ review.operation in ["UPDATE", "PATCH"]
+}
diff --git a/src/pod-security-policy/selinux/src.rego b/src/pod-security-policy/selinux/src.rego
index b9e98ede6..9f7bb49f0 100644
--- a/src/pod-security-policy/selinux/src.rego
+++ b/src/pod-security-policy/selinux/src.rego
@@ -1,15 +1,22 @@
 package k8spspselinux
+import data.lib.exclude_update_patch.is_update_or_patch
 import data.lib.exempt_container.is_exempt
 # Disallow top level custom SELinux options
 violation[{"msg": msg, "details": {}}] {
+ # spec.securityContext.seLinuxOptions field is immutable.
+ not is_update_or_patch(input.review)
+
 has_field(input.review.object.spec.securityContext, "seLinuxOptions")
 not input_seLinuxOptions_allowed(input.review.object.spec.securityContext.seLinuxOptions)
 msg := sprintf("SELinux options is not allowed, pod: %v. Allowed options: %v", [input.review.object.metadata.name, input.parameters.allowedSELinuxOptions])
 }
 # Disallow container level custom SELinux options
 violation[{"msg": msg, "details": {}}] {
+ # spec.containers.securityContext.seLinuxOptions field is immutable.
+ not is_update_or_patch(input.review)
+
 c := input_security_context[_]
 not is_exempt(c)
 has_field(c.securityContext, "seLinuxOptions")
diff --git a/src/pod-security-policy/users/constraint.tmpl b/src/pod-security-policy/users/constraint.tmpl
index 11a7728fe..6b888ae5d 100644
--- a/src/pod-security-policy/users/constraint.tmpl
+++ b/src/pod-security-policy/users/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
 name: k8spspallowedusers
 annotations:
 metadata.gatekeeper.sh/title: "Allowed Users"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
 description: >-
 Controls the user and group IDs of the container and some volumes. Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and
@@ -136,4 +136,6 @@ spec:
 {{ file.Read "src/pod-security-policy/users/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
 libs:
 - |
+{{ file.Read "src/pod-security-policy/users/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
+ - |
 {{ file.Read "src/pod-security-policy/users/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/pod-security-policy/users/lib_exclude_update_patch.rego b/src/pod-security-policy/users/lib_exclude_update_patch.rego
new file mode 100644
index 000000000..fb666035e
--- /dev/null
+++ b/src/pod-security-policy/users/lib_exclude_update_patch.rego
@@ -0,0 +1,7 @@
+package lib.exclude_update_patch
+
+import future.keywords.in
+
+is_update_or_patch(review) {
+ review.operation in ["UPDATE", "PATCH"]
+}
diff --git a/src/pod-security-policy/users/src.rego b/src/pod-security-policy/users/src.rego
index 6f0b4f4d0..0c124aea6 100644
--- a/src/pod-security-policy/users/src.rego
+++ b/src/pod-security-policy/users/src.rego
@@ -1,8 +1,12 @@
 package k8spspallowedusers
+import data.lib.exclude_update_patch.is_update_or_patch
 import data.lib.exempt_container.is_exempt
 violation[{"msg": msg}] {
+ # runAsUser, runAsGroup, supplementalGroups, fsGroup fields are immutable.
+ not is_update_or_patch(input.review)
+
 fields := ["runAsUser", "runAsGroup", "supplementalGroups", "fsGroup"]
 field := fields[_]
 container := input_containers[_]
diff --git a/src/pod-security-policy/volumes/constraint.tmpl b/src/pod-security-policy/volumes/constraint.tmpl
index 179800603..eabb2ccac 100644
--- a/src/pod-security-policy/volumes/constraint.tmpl
+++ b/src/pod-security-policy/volumes/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
 name: k8spspvolumetypes
 annotations:
 metadata.gatekeeper.sh/title: "Volume Types"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
 description: >-
 Restricts mountable volume types to those specified by the user. Corresponds to the `volumes` field in a PodSecurityPolicy. For more
@@ -34,3 +34,6 @@ spec:
 - target: admission.k8s.gatekeeper.sh
 rego: |
 {{ file.Read "src/pod-security-policy/volumes/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
+ libs:
+ - |
+{{ file.Read "src/pod-security-policy/volumes/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/pod-security-policy/volumes/lib_exclude_update_patch.rego b/src/pod-security-policy/volumes/lib_exclude_update_patch.rego
new file mode 100644
index 000000000..fb666035e
--- /dev/null
+++ b/src/pod-security-policy/volumes/lib_exclude_update_patch.rego
@@ -0,0 +1,7 @@
+package lib.exclude_update_patch
+
+import future.keywords.in
+
+is_update_or_patch(review) {
+ review.operation in ["UPDATE", "PATCH"]
+}
diff --git a/src/pod-security-policy/volumes/src.rego b/src/pod-security-policy/volumes/src.rego
index 00f9d8814..e3f5fb517 100644
--- a/src/pod-security-policy/volumes/src.rego
+++ b/src/pod-security-policy/volumes/src.rego
@@ -1,6 +1,11 @@
 package k8spspvolumetypes
+import data.lib.exclude_update_patch.is_update_or_patch
+
 violation[{"msg": msg, "details": {}}] {
+ # spec.volumes field is immutable.
+ not is_update_or_patch(input.review)
+
 volume_fields := {x | input.review.object.spec.volumes[_][x]; x != "name"}
 field := volume_fields[_]
 not input_volume_type_allowed(field)
From 303b23765fedc0770fa6e719caf592d7f8f8bfd2 Mon Sep 17 00:00:00 2001
From: Hidehito Yabuuchi
Date: Tue, 23 May 2023 18:47:52 +0900
Subject: [PATCH 03/11] make generate-all
Signed-off-by: Hidehito Yabuuchi --- .../1.0.1/artifacthub-pkg.yml | 22 ++ .../1.0.1/kustomization.yaml | 2 + .../constraint.yaml | 10 + .../example_allowed.yaml | 11 + .../example_disallowed.yaml | 11 + .../1.0.1/suite.yaml | 17 + .../1.0.1/template.yaml | 68 ++++ .../1.0.1/artifacthub-pkg.yml | 25 ++ .../1.0.1/kustomization.yaml | 2 + .../constraint.yaml | 11 + ...lowed_ephemeral-storage-initContainer.yaml | 33 ++ .../example_allowed_ephemeral-storage.yaml | 20 ++ ...meral_storage_limit_1Pi-initContainer.yaml | 31 ++ ...isallowed_ephemeral_storage_limit_1Pi.yaml | 20 ++ ...d_ephemeral_storage_limit_unspecified.yaml | 18 ++ .../ephemeralstoragelimit/1.0.1/suite.yaml | 29 ++ .../ephemeralstoragelimit/1.0.1/template.yaml | 234 ++++++++++++++ .../requiredprobes/1.0.1/artifacthub-pkg.yml | 22 ++ .../requiredprobes/1.0.1/kustomization.yaml | 2 + .../samples/must-have-probes/constraint.yaml | 12 + .../must-have-probes/example_allowed.yaml | 23 ++ .../must-have-probes/example_disallowed.yaml | 30 ++ .../must-have-probes/example_disallowed2.yaml | 41 +++ .../general/requiredprobes/1.0.1/suite.yaml | 21 ++ .../requiredprobes/1.0.1/template.yaml | 74 +++++ .../1.0.1/artifacthub-pkg.yml | 22 ++ .../1.0.1/kustomization.yaml | 2 + .../constraint.yaml | 9 + .../disallowed_ephemeral.yaml | 12 + .../example_allowed.yaml | 12 + .../example_disallowed.yaml | 12 + .../1.0.1/suite.yaml | 21 ++ .../1.0.1/template.yaml | 102 ++++++ .../capabilities/1.0.1/artifacthub-pkg.yml | 22 ++ .../capabilities/1.0.1/kustomization.yaml | 2 + .../samples/capabilities-demo/constraint.yaml | 14 + .../disallowed_ephemeral.yaml | 21 ++ .../capabilities-demo/example_allowed.yaml | 22 ++ .../capabilities-demo/example_disallowed.yaml | 21 ++ .../capabilities/1.0.1/suite.yaml | 21 ++ .../capabilities/1.0.1/template.yaml | 165 ++++++++++ .../1.0.1/artifacthub-pkg.yml | 22 ++ .../1.0.1/kustomization.yaml | 2 + .../psp-flexvolume-drivers/constraint.yaml | 13 + .../example_allowed.yaml | 18 ++ 
.../example_disallowed.yaml | 18 ++ .../flexvolume-drivers/1.0.1/suite.yaml | 17 + .../flexvolume-drivers/1.0.1/template.yaml | 74 +++++ .../forbidden-sysctls/1.1.2/README.md | 36 +++ .../1.1.2/artifacthub-pkg.yml | 22 ++ .../1.1.2/kustomization.yaml | 2 + .../psp-forbidden-sysctls/constraint.yaml | 15 + .../example_allowed.yaml | 14 + .../example_disallowed.yaml | 16 + .../forbidden-sysctls/1.1.2/suite.yaml | 17 + .../forbidden-sysctls/1.1.2/template.yaml | 102 ++++++ .../fsgroup/1.0.1/README.md | 7 + .../fsgroup/1.0.1/artifacthub-pkg.yml | 22 ++ .../fsgroup/1.0.1/kustomization.yaml | 2 + .../1.0.1/samples/psp-fsgroup/constraint.yaml | 14 + .../samples/psp-fsgroup/example_allowed.yaml | 17 + .../psp-fsgroup/example_disallowed.yaml | 17 + .../fsgroup/1.0.1/suite.yaml | 17 + .../fsgroup/1.0.1/template.yaml | 107 +++++++ .../host-filesystem/1.0.1/artifacthub-pkg.yml | 22 ++ .../host-filesystem/1.0.1/kustomization.yaml | 2 + .../psp-host-filesystem/constraint.yaml | 13 + .../disallowed_ephemeral.yaml | 18 ++ .../psp-host-filesystem/example_allowed.yaml | 18 ++ .../example_disallowed.yaml | 18 ++ .../host-filesystem/1.0.1/suite.yaml | 21 ++ .../host-filesystem/1.0.1/template.yaml | 150 +++++++++ .../host-namespaces/1.0.1/artifacthub-pkg.yml | 22 ++ .../host-namespaces/1.0.1/kustomization.yaml | 2 + .../psp-host-namespace/constraint.yaml | 9 + .../psp-host-namespace/example_allowed.yaml | 12 + .../example_disallowed.yaml | 12 + .../host-namespaces/1.0.1/suite.yaml | 17 + .../host-namespaces/1.0.1/template.yaml | 56 ++++ .../1.0.1/artifacthub-pkg.yml | 22 ++ .../1.0.1/kustomization.yaml | 2 + .../psp-host-network-ports/constraint.yaml | 13 + .../disallowed_ephemeral.yaml | 14 + .../example_allowed.yaml | 14 + .../example_disallowed.yaml | 14 + .../host-network-ports/1.0.1/suite.yaml | 21 ++ .../host-network-ports/1.0.1/template.yaml | 120 +++++++ .../1.0.1/artifacthub-pkg.yml | 22 ++ .../1.0.1/kustomization.yaml | 2 + .../psp-privileged-container/constraint.yaml | 10 + 
.../disallowed_ephemeral.yaml | 12 + .../example_allowed.yaml | 12 + .../example_disallowed.yaml | 12 + .../privileged-containers/1.0.1/suite.yaml | 21 ++ .../privileged-containers/1.0.1/template.yaml | 94 ++++++ .../proc-mount/1.0.2/README.md | 12 + .../proc-mount/1.0.2/artifacthub-pkg.yml | 22 ++ .../proc-mount/1.0.2/kustomization.yaml | 2 + .../samples/psp-proc-mount/constraint.yaml | 11 + .../psp-proc-mount/disallowed_ephemeral.yaml | 12 + .../psp-proc-mount/example_allowed.yaml | 12 + .../psp-proc-mount/example_disallowed.yaml | 12 + .../proc-mount/1.0.2/suite.yaml | 21 ++ .../proc-mount/1.0.2/template.yaml | 140 +++++++++ .../1.0.1/artifacthub-pkg.yml | 22 ++ .../1.0.1/kustomization.yaml | 2 + .../constraint.yaml | 9 + .../disallowed_ephemeral.yaml | 12 + .../example_allowed.yaml | 12 + .../example_disallowed.yaml | 12 + .../1.0.1/suite.yaml | 21 ++ .../1.0.1/template.yaml | 105 +++++++ .../selinux/1.0.1/artifacthub-pkg.yml | 22 ++ .../selinux/1.0.1/kustomization.yaml | 2 + .../samples/psp-selinux-v2/constraint.yaml | 15 + .../psp-selinux-v2/disallowed_ephemeral.yaml | 16 + .../psp-selinux-v2/example_allowed.yaml | 16 + .../psp-selinux-v2/example_disallowed.yaml | 16 + .../selinux/1.0.1/suite.yaml | 21 ++ .../selinux/1.0.1/template.yaml | 146 +++++++++ .../users/1.0.1/artifacthub-pkg.yml | 22 ++ .../users/1.0.1/kustomization.yaml | 2 + .../constraint.yaml | 30 ++ .../disallowed_ephemeral.yaml | 17 + .../example_allowed.yaml | 17 + .../example_disallowed.yaml | 17 + .../users/1.0.1/suite.yaml | 21 ++ .../users/1.0.1/template.yaml | 294 ++++++++++++++++++ .../volumes/1.0.1/artifacthub-pkg.yml | 22 ++ .../volumes/1.0.1/kustomization.yaml | 2 + .../samples/psp-volume-types/constraint.yaml | 20 ++ .../psp-volume-types/example_allowed.yaml | 23 ++ .../psp-volume-types/example_disallowed.yaml | 24 ++ .../volumes/1.0.1/suite.yaml | 17 + .../volumes/1.0.1/template.yaml | 66 ++++ .../template.yaml | 16 +- .../ephemeralstoragelimit/template.yaml | 15 +- 
library/general/requiredprobes/template.yaml | 16 +- .../allow-privilege-escalation/template.yaml | 14 +- .../capabilities/template.yaml | 19 +- .../flexvolume-drivers/template.yaml | 16 +- .../forbidden-sysctls/template.yaml | 17 +- .../pod-security-policy/fsgroup/template.yaml | 16 +- .../host-filesystem/template.yaml | 16 +- .../host-namespaces/template.yaml | 16 +- .../host-network-ports/template.yaml | 14 +- .../privileged-containers/template.yaml | 14 +- .../proc-mount/template.yaml | 14 +- .../read-only-root-filesystem/template.yaml | 14 +- .../pod-security-policy/selinux/template.yaml | 17 +- .../pod-security-policy/users/template.yaml | 14 +- .../pod-security-policy/volumes/template.yaml | 16 +- .../validation/allow-privilege-escalation.md | 14 +- .../automount-serviceaccount-token.md | 16 +- website/docs/validation/capabilities.md | 19 +- .../docs/validation/ephemeralstoragelimit.md | 15 +- website/docs/validation/flexvolume-drivers.md | 16 +- website/docs/validation/forbidden-sysctls.md | 17 +- website/docs/validation/fsgroup.md | 16 +- website/docs/validation/host-filesystem.md | 16 +- website/docs/validation/host-namespaces.md | 16 +- website/docs/validation/host-network-ports.md | 14 +- .../docs/validation/privileged-containers.md | 14 +- website/docs/validation/proc-mount.md | 14 +- .../validation/read-only-root-filesystem.md | 14 +- website/docs/validation/requiredprobes.md | 16 +- website/docs/validation/selinux.md | 17 +- website/docs/validation/users.md | 14 +- website/docs/validation/volumes.md | 16 +- 169 files changed, 4438 insertions(+), 34 deletions(-) create mode 100644 artifacthub/library/general/automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml create mode 100644 artifacthub/library/general/automount-serviceaccount-token/1.0.1/kustomization.yaml create mode 100644 artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/constraint.yaml create mode 100644 
artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_allowed.yaml create mode 100644 artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_disallowed.yaml create mode 100644 artifacthub/library/general/automount-serviceaccount-token/1.0.1/suite.yaml create mode 100644 artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml create mode 100644 artifacthub/library/general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml create mode 100644 artifacthub/library/general/ephemeralstoragelimit/1.0.1/kustomization.yaml create mode 100644 artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/constraint.yaml create mode 100644 artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage-initContainer.yaml create mode 100644 artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage.yaml create mode 100644 artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml create mode 100644 artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi.yaml create mode 100644 artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_unspecified.yaml create mode 100644 artifacthub/library/general/ephemeralstoragelimit/1.0.1/suite.yaml create mode 100644 artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml create mode 100644 artifacthub/library/general/requiredprobes/1.0.1/artifacthub-pkg.yml create mode 100644 
artifacthub/library/general/requiredprobes/1.0.1/kustomization.yaml create mode 100644 artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/constraint.yaml create mode 100644 artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_allowed.yaml create mode 100644 artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_disallowed.yaml create mode 100644 artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_disallowed2.yaml create mode 100644 artifacthub/library/general/requiredprobes/1.0.1/suite.yaml create mode 100644 artifacthub/library/general/requiredprobes/1.0.1/template.yaml create mode 100644 artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/artifacthub-pkg.yml create mode 100644 artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/kustomization.yaml create mode 100644 artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/constraint.yaml create mode 100644 artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml create mode 100644 artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/example_allowed.yaml create mode 100644 artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/example_disallowed.yaml create mode 100644 artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/suite.yaml create mode 100644 artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml create mode 100644 artifacthub/library/pod-security-policy/capabilities/1.0.1/artifacthub-pkg.yml create mode 100644 artifacthub/library/pod-security-policy/capabilities/1.0.1/kustomization.yaml create mode 100644 
artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/constraint.yaml create mode 100644 artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/disallowed_ephemeral.yaml create mode 100644 artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/example_allowed.yaml create mode 100644 artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/example_disallowed.yaml create mode 100644 artifacthub/library/pod-security-policy/capabilities/1.0.1/suite.yaml create mode 100644 artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml create mode 100644 artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/artifacthub-pkg.yml create mode 100644 artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/kustomization.yaml create mode 100644 artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/constraint.yaml create mode 100644 artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/example_allowed.yaml create mode 100644 artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/example_disallowed.yaml create mode 100644 artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/suite.yaml create mode 100644 artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml create mode 100644 artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/README.md create mode 100644 artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/artifacthub-pkg.yml create mode 100644 artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/kustomization.yaml create mode 100644 artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/constraint.yaml create mode 100644 
artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/example_allowed.yaml create mode 100644 artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/example_disallowed.yaml create mode 100644 artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/suite.yaml create mode 100644 artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml create mode 100644 artifacthub/library/pod-security-policy/fsgroup/1.0.1/README.md create mode 100644 artifacthub/library/pod-security-policy/fsgroup/1.0.1/artifacthub-pkg.yml create mode 100644 artifacthub/library/pod-security-policy/fsgroup/1.0.1/kustomization.yaml create mode 100644 artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/constraint.yaml create mode 100644 artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/example_allowed.yaml create mode 100644 artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/example_disallowed.yaml create mode 100644 artifacthub/library/pod-security-policy/fsgroup/1.0.1/suite.yaml create mode 100644 artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml create mode 100644 artifacthub/library/pod-security-policy/host-filesystem/1.0.1/artifacthub-pkg.yml create mode 100644 artifacthub/library/pod-security-policy/host-filesystem/1.0.1/kustomization.yaml create mode 100644 artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/constraint.yaml create mode 100644 artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/disallowed_ephemeral.yaml create mode 100644 artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/example_allowed.yaml create mode 100644 artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/example_disallowed.yaml create mode 100644 
artifacthub/library/pod-security-policy/host-filesystem/1.0.1/suite.yaml create mode 100644 artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml create mode 100644 artifacthub/library/pod-security-policy/host-namespaces/1.0.1/artifacthub-pkg.yml create mode 100644 artifacthub/library/pod-security-policy/host-namespaces/1.0.1/kustomization.yaml create mode 100644 artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/constraint.yaml create mode 100644 artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/example_allowed.yaml create mode 100644 artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/example_disallowed.yaml create mode 100644 artifacthub/library/pod-security-policy/host-namespaces/1.0.1/suite.yaml create mode 100644 artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml create mode 100644 artifacthub/library/pod-security-policy/host-network-ports/1.0.1/artifacthub-pkg.yml create mode 100644 artifacthub/library/pod-security-policy/host-network-ports/1.0.1/kustomization.yaml create mode 100644 artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/constraint.yaml create mode 100644 artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/disallowed_ephemeral.yaml create mode 100644 artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/example_allowed.yaml create mode 100644 artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/example_disallowed.yaml create mode 100644 artifacthub/library/pod-security-policy/host-network-ports/1.0.1/suite.yaml create mode 100644 artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml create mode 100644 artifacthub/library/pod-security-policy/privileged-containers/1.0.1/artifacthub-pkg.yml 
create mode 100644 artifacthub/library/pod-security-policy/privileged-containers/1.0.1/kustomization.yaml create mode 100644 artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/constraint.yaml create mode 100644 artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/disallowed_ephemeral.yaml create mode 100644 artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/example_allowed.yaml create mode 100644 artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/example_disallowed.yaml create mode 100644 artifacthub/library/pod-security-policy/privileged-containers/1.0.1/suite.yaml create mode 100644 artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml create mode 100644 artifacthub/library/pod-security-policy/proc-mount/1.0.2/README.md create mode 100644 artifacthub/library/pod-security-policy/proc-mount/1.0.2/artifacthub-pkg.yml create mode 100644 artifacthub/library/pod-security-policy/proc-mount/1.0.2/kustomization.yaml create mode 100644 artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/constraint.yaml create mode 100644 artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/disallowed_ephemeral.yaml create mode 100644 artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/example_allowed.yaml create mode 100644 artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/example_disallowed.yaml create mode 100644 artifacthub/library/pod-security-policy/proc-mount/1.0.2/suite.yaml create mode 100644 artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml create mode 100644 artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/artifacthub-pkg.yml create mode 100644 
artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/kustomization.yaml create mode 100644 artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/constraint.yaml create mode 100644 artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml create mode 100644 artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/example_allowed.yaml create mode 100644 artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/example_disallowed.yaml create mode 100644 artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/suite.yaml create mode 100644 artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml create mode 100644 artifacthub/library/pod-security-policy/selinux/1.0.1/artifacthub-pkg.yml create mode 100644 artifacthub/library/pod-security-policy/selinux/1.0.1/kustomization.yaml create mode 100644 artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/constraint.yaml create mode 100644 artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/disallowed_ephemeral.yaml create mode 100644 artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/example_allowed.yaml create mode 100644 artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/example_disallowed.yaml create mode 100644 artifacthub/library/pod-security-policy/selinux/1.0.1/suite.yaml create mode 100644 artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml create mode 100644 artifacthub/library/pod-security-policy/users/1.0.1/artifacthub-pkg.yml create mode 100644 artifacthub/library/pod-security-policy/users/1.0.1/kustomization.yaml create mode 100644 
artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/constraint.yaml create mode 100644 artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml create mode 100644 artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/example_allowed.yaml create mode 100644 artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/example_disallowed.yaml create mode 100644 artifacthub/library/pod-security-policy/users/1.0.1/suite.yaml create mode 100644 artifacthub/library/pod-security-policy/users/1.0.1/template.yaml create mode 100644 artifacthub/library/pod-security-policy/volumes/1.0.1/artifacthub-pkg.yml create mode 100644 artifacthub/library/pod-security-policy/volumes/1.0.1/kustomization.yaml create mode 100644 artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/constraint.yaml create mode 100644 artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/example_allowed.yaml create mode 100644 artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/example_disallowed.yaml create mode 100644 artifacthub/library/pod-security-policy/volumes/1.0.1/suite.yaml create mode 100644 artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..78a5e84dd
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspautomountserviceaccounttokenpod
+displayName: Automount Service Account Token for Pod
+createdAt: "2023-05-23T09:47:24Z"
+description: Controls the ability of any Pod to enable automountServiceAccountToken.
+digest: 703ebbf0f93e4ccc2dd0a5a28f8f944285fe3581848d34f40573e9129ade5f50
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/automount-serviceaccount-token
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Automount Service Account Token for Pod
+ Controls the ability of any Pod to enable automountServiceAccountToken.
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/kustomization.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/constraint.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/constraint.yaml
new file mode 100644
index 000000000..1f70295fd
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/constraint.yaml
@@ -0,0 +1,10 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPAutomountServiceAccountTokenPod
+metadata:
+ name: psp-automount-serviceaccount-token-pod
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ excludedNamespaces: ["kube-system"]
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_allowed.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_allowed.yaml
new file mode 100644
index 000000000..7ceba9c34
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_allowed.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-automountserviceaccounttoken-allowed
+ labels:
+ app: nginx-not-automountserviceaccounttoken
+spec:
+ automountServiceAccountToken: false
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_disallowed.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_disallowed.yaml
new file mode 100644
index 000000000..6184264ec
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_disallowed.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-automountserviceaccounttoken-disallowed
+ labels:
+ app: nginx-automountserviceaccounttoken
+spec:
+ automountServiceAccountToken: true
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/suite.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/suite.yaml
new file mode 100644
index 000000000..2cbc9064f
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/suite.yaml
@@ -0,0 +1,17 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: automount-serviceaccount-token
+tests:
+ - name: automount-serviceaccount-token
+ template: template.yaml
+ constraint: samples/automount-serviceaccount-token/constraint.yaml
+ cases:
+ - name: example-allowed
+ object: samples/automount-serviceaccount-token/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: example-disallowed
+ object: samples/automount-serviceaccount-token/example_disallowed.yaml
+ assertions:
+ - violations: yes
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml
new file mode 100644
index 000000000..ee1f2561d
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml
@@ -0,0 +1,68 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspautomountserviceaccounttokenpod
+ annotations:
+ metadata.gatekeeper.sh/title: "Automount Service Account Token for Pod"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Controls the ability of any Pod to enable automountServiceAccountToken.
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPAutomountServiceAccountTokenPod
+ validation:
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls the ability of any Pod to enable automountServiceAccountToken.
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8sautomountserviceaccounttoken
+
+ import data.lib.exclude_update_patch.is_update_or_patch
+
+ violation[{"msg": msg}] {
+ # spec.automountServiceAccountToken and spec.containers.volumeMounts fields are immutable.
+ not is_update_or_patch(input.review)
+
+ obj := input.review.object
+ mountServiceAccountToken(obj.spec)
+ msg := sprintf("Automounting service account token is disallowed, pod: %v", [obj.metadata.name])
+ }
+
+ mountServiceAccountToken(spec) {
+ spec.automountServiceAccountToken == true
+ }
+
+ # if there is no automountServiceAccountToken spec, check on volumeMount in containers. Service Account token is mounted on /var/run/secrets/kubernetes.io/serviceaccount
+ # https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller
+ mountServiceAccountToken(spec) {
+ not has_key(spec, "automountServiceAccountToken")
+ "/var/run/secrets/kubernetes.io/serviceaccount" == input_containers[_].volumeMounts[_].mountPath
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ }
+
+ # Ephemeral containers not checked as it is not possible to set field.
+
+ has_key(x, k) {
+ _ = x[k]
+ }
+ libs:
+ - |
+ package lib.exclude_update_patch
+
+ import future.keywords.in
+
+ is_update_or_patch(review) {
+ review.operation in ["UPDATE", "PATCH"]
+ }
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..d9a0632f4
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,25 @@
+version: 1.0.1
+name: k8scontainerephemeralstoragelimit
+displayName: Container ephemeral storage limit
+createdAt: "2023-05-23T09:47:27Z"
+description: |-
+ Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values.
+ https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+digest: 3831d46393ad418fa151a3c5996c89145f65adf270f324da59c6fb8e72ab7724
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/ephemeralstoragelimit
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Container ephemeral storage limit
+ Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values.
+ https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/kustomization.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
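Review bot: The guard `not is_update_or_patch(input.review)` at the top of `violation` also skips the only admission path by which ephemeral containers enter a pod (they are added through an UPDATE to the pod's `ephemeralcontainers` subresource), so a template that shares this library and does inspect `spec.ephemeralContainers` — the allow-privilege-escalation package later in this patch ships a `disallowed_ephemeral.yaml` sample, and its Rego presumably gains the same guard — would no longer enforce on them at admission time, while here it is harmless because `input_containers` reads only `containers` and `initContainers`. The same guard is added in the ephemeralstoragelimit template hunk ending at L50 and the requiredprobes template at L54. The lib rule in `libs` should spell out that trade-off, e.g. `# Skipping UPDATE/PATCH also skips ephemeral-container additions, which arrive as pod UPDATEs; only use this in templates that do not inspect spec.ephemeralContainers.` Separately, `"PATCH"` is not a value the Kubernetes AdmissionReview `operation` field takes (it is one of CREATE, UPDATE, DELETE, CONNECT; a PATCH request is admitted as UPDATE), so that list element never matches and deserves a comment so readers do not assume patches are handled as a distinct case. When `review.operation` is absent (as it presumably is for audit and for the gator suite inputs at L39) the `in` expression is undefined, the `not` succeeds and the check still runs, which looks intended but is worth stating in the lib comment as well.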
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/constraint.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/constraint.yaml new file mode 100644 index 000000000..4575bdf60 --- /dev/null +++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/constraint.yaml @@ -0,0 +1,11 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sContainerEphemeralStorageLimit +metadata: + name: container-ephemeral-storage-limit +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + ephemeral-storage: "500Mi" diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage-initContainer.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage-initContainer.yaml new file mode 100644 index 000000000..fe1b7bac0 --- /dev/null +++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage-initContainer.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: opa-allowed + labels: + owner: me.agilebank.demo +spec: + initContainers: + - name: init-opa + image: openpolicyagent/opa:0.9.2 + args: + - "run" + - "--server" + - "--addr=localhost:8080" + resources: + limits: + cpu: "100m" + memory: "1Gi" + ephemeral-storage: "100Mi" + + + containers: + - name: opa + image: openpolicyagent/opa:0.9.2 + args: + - "run" + - "--server" + - "--addr=localhost:8080" + resources: + limits: + cpu: "100m" + memory: "1Gi" + ephemeral-storage: "100Mi" 
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage.yaml new file mode 100644 index 000000000..3c1f5ce9e --- /dev/null +++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: opa-allowed + labels: + owner: me.agilebank.demo +spec: + containers: + - name: opa + image: openpolicyagent/opa:0.9.2 + args: + - "run" + - "--server" + - "--addr=localhost:8080" + resources: + limits: + cpu: "100m" + memory: "1Gi" + + ephemeral-storage: "100Mi" diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml new file mode 100644 index 000000000..05d512d3c --- /dev/null +++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: opa-disallowed + labels: + owner: me.agilebank.demo +spec: + initContainers: + - name: init-opa + image: openpolicyagent/opa:0.9.2 + args: + - "run" + - "--server" + - "--addr=localhost:8080" + resources: + limits: + cpu: "100m" + memory: "1Gi" + ephemeral-storage: "1Pi" + containers: + - name: opa + image: openpolicyagent/opa:0.9.2 + args: + - "run" + - "--server" + - "--addr=localhost:8080" + resources: + limits: + cpu: "100m" + memory: "1Gi" + ephemeral-storage: "100Mi" 
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi.yaml new file mode 100644 index 000000000..7dae0395b --- /dev/null +++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: opa-disallowed + labels: + owner: me.agilebank.demo +spec: + containers: + - name: opa + image: openpolicyagent/opa:0.9.2 + args: + - "run" + - "--server" + - "--addr=localhost:8080" + resources: + limits: + cpu: "100m" + memory: "1Gi" + + ephemeral-storage: "1Pi" diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_unspecified.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_unspecified.yaml new file mode 100644 index 000000000..6e81b1118 --- /dev/null +++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_unspecified.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: opa-disallowed + labels: + owner: me.agilebank.demo +spec: + containers: + - name: opa + image: openpolicyagent/opa:0.9.2 + args: + - "run" + - "--server" + - "--addr=localhost:8080" + resources: + limits: + cpu: "100m" + memory: "2Gi" diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/suite.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/suite.yaml new file mode 100644 index 000000000..f76b15f06 --- /dev/null 
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/suite.yaml @@ -0,0 +1,29 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: ephemeral-storage-limit +tests: +- name: ephemeral-storage-limit + template: template.yaml + constraint: samples/container-must-have-ephemeral-storage-limit/constraint.yaml + cases: + - name: ephemeral-storage-limit-100Mi + object: samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage.yaml + assertions: + - violations: no + - name: ephemeral-storage-limit-initContainer-100Mi + object: samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage-initContainer.yaml + assertions: + - violations: no + - name: ephemeral-storage-limit-unspecified + object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_unspecified.yaml + assertions: + - violations: yes + - name: ephemeral-storage-limit-1Pi + object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi.yaml + assertions: + - violations: yes + - name: ephemeral-storage-limit-initContainer-1Pi + object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml + assertions: + - violations: yes diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml new file mode 100644 index 000000000..be528d759 --- /dev/null +++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml 
@@ -0,0 +1,234 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8scontainerephemeralstoragelimit + annotations: + metadata.gatekeeper.sh/title: "Container ephemeral storage limit" + metadata.gatekeeper.sh/version: 1.0.1 + description: >- + Requires containers to have an ephemeral storage limit set and constrains + the limit to be within the specified maximum values. + + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +spec: + crd: + spec: + names: + kind: K8sContainerEphemeralStorageLimit + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + properties: + exemptImages: + description: >- + Any container that uses an image that matches an entry in this list will be excluded + from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`. + + It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) + in order to avoid unexpectedly exempting images from an untrusted repository. + type: array + items: + type: string + ephemeral-storage: + description: "The maximum allowed ephemeral storage limit on a Pod, exclusive." 
+ type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8scontainerephemeralstoragelimit + + import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exempt_container.is_exempt + + missing(obj, field) = true { + not obj[field] + } + + missing(obj, field) = true { + obj[field] == "" + } + + has_field(object, field) = true { + object[field] + } + + # 10 ** 21 + storage_multiple("E") = 1000000000000000000000 { true } + + # 10 ** 18 + storage_multiple("P") = 1000000000000000000 { true } + + # 10 ** 15 + storage_multiple("T") = 1000000000000000 { true } + + # 10 ** 12 + storage_multiple("G") = 1000000000000 { true } + + # 10 ** 9 + storage_multiple("M") = 1000000000 { true } + + # 10 ** 6 + storage_multiple("k") = 1000000 { true } + + # 10 ** 3 + storage_multiple("") = 1000 { true } + + # Kubernetes accepts millibyte precision when it probably shouldn't. + # https://github.com/kubernetes/kubernetes/issues/28741 + # 10 ** 0 + storage_multiple("m") = 1 { true } + + # 1000 * 2 ** 10 + storage_multiple("Ki") = 1024000 { true } + + # 1000 * 2 ** 20 + storage_multiple("Mi") = 1048576000 { true } + + # 1000 * 2 ** 30 + storage_multiple("Gi") = 1073741824000 { true } + + # 1000 * 2 ** 40 + storage_multiple("Ti") = 1099511627776000 { true } + + # 1000 * 2 ** 50 + storage_multiple("Pi") = 1125899906842624000 { true } + + # 1000 * 2 ** 60 + storage_multiple("Ei") = 1152921504606846976000 { true } + + get_suffix(storage) = suffix { + not is_string(storage) + suffix := "" + } + + get_suffix(storage) = suffix { + is_string(storage) + count(storage) > 0 + suffix := substring(storage, count(storage) - 1, -1) + storage_multiple(suffix) + } + + get_suffix(storage) = suffix { + is_string(storage) + count(storage) > 1 + suffix := substring(storage, count(storage) - 2, -1) + storage_multiple(suffix) + } + + get_suffix(storage) = suffix { + is_string(storage) + count(storage) > 1 + not storage_multiple(substring(storage, count(storage) - 1, 
-1)) + not storage_multiple(substring(storage, count(storage) - 2, -1)) + suffix := "" + } + + get_suffix(storage) = suffix { + is_string(storage) + count(storage) == 1 + not storage_multiple(substring(storage, count(storage) - 1, -1)) + suffix := "" + } + + get_suffix(storage) = suffix { + is_string(storage) + count(storage) == 0 + suffix := "" + } + + canonify_storage(orig) = new { + is_number(orig) + new := orig * 1000 + } + + canonify_storage(orig) = new { + not is_number(orig) + suffix := get_suffix(orig) + raw := replace(orig, suffix, "") + re_match("^[0-9]+(\\.[0-9]+)?$", raw) + new := to_number(raw) * storage_multiple(suffix) + } + + violation[{"msg": msg}] { + # spec.containers.resources.limits["ephemeral-storage"] field is immutable. + not is_update_or_patch(input.review) + + general_violation[{"msg": msg, "field": "containers"}] + } + + violation[{"msg": msg}] { + not is_update_or_patch(input.review) + general_violation[{"msg": msg, "field": "initContainers"}] + } + + # Ephemeral containers not checked as it is not possible to set field. 
+ + general_violation[{"msg": msg, "field": field}] { + container := input.review.object.spec[field][_] + not is_exempt(container) + storage_orig := container.resources.limits["ephemeral-storage"] + not canonify_storage(storage_orig) + msg := sprintf("container <%v> ephemeral-storage limit <%v> could not be parsed", [container.name, storage_orig]) + } + + general_violation[{"msg": msg, "field": field}] { + container := input.review.object.spec[field][_] + not is_exempt(container) + not container.resources + msg := sprintf("container <%v> has no resource limits", [container.name]) + } + + general_violation[{"msg": msg, "field": field}] { + container := input.review.object.spec[field][_] + not is_exempt(container) + not container.resources.limits + msg := sprintf("container <%v> has no resource limits", [container.name]) + } + + general_violation[{"msg": msg, "field": field}] { + container := input.review.object.spec[field][_] + not is_exempt(container) + missing(container.resources.limits, "ephemeral-storage") + msg := sprintf("container <%v> has no ephemeral-storage limit", [container.name]) + } + + general_violation[{"msg": msg, "field": field}] { + container := input.review.object.spec[field][_] + not is_exempt(container) + storage_orig := container.resources.limits["ephemeral-storage"] + storage := canonify_storage(storage_orig) + max_storage_orig := input.parameters["ephemeral-storage"] + max_storage := canonify_storage(max_storage_orig) + storage > max_storage + msg := sprintf("container <%v> ephemeral-storage limit <%v> is higher than the maximum allowed of <%v>", [container.name, storage_orig, max_storage_orig]) + } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } + - | + package lib.exempt_container + + is_exempt(container) { + exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) + img := container.image + exemption := 
exempt_images[_] + _matches_exemption(img, exemption) + } + + _matches_exemption(img, exemption) { + not endswith(exemption, "*") + exemption == img + } + + _matches_exemption(img, exemption) { + endswith(exemption, "*") + prefix := trim_suffix(exemption, "*") + startswith(img, prefix) + } diff --git a/artifacthub/library/general/requiredprobes/1.0.1/artifacthub-pkg.yml b/artifacthub/library/general/requiredprobes/1.0.1/artifacthub-pkg.yml new file mode 100644 index 000000000..8c60c2f9b --- /dev/null +++ b/artifacthub/library/general/requiredprobes/1.0.1/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +version: 1.0.1 +name: k8srequiredprobes +displayName: Required Probes +createdAt: "2023-05-23T09:47:30Z" +description: Requires Pods to have readiness and/or liveness probes. +digest: 9c283ad1edd3a6145463578700d4f885160d616acea08880195fad2493b5566d +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/requiredprobes +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # Required Probes + Requires Pods to have readiness and/or liveness probes. +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/requiredprobes/1.0.1/template.yaml + ``` +provider: + name: Gatekeeper Library diff --git a/artifacthub/library/general/requiredprobes/1.0.1/kustomization.yaml b/artifacthub/library/general/requiredprobes/1.0.1/kustomization.yaml new file mode 100644 index 000000000..7d70d11b7 --- /dev/null +++ b/artifacthub/library/general/requiredprobes/1.0.1/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - template.yaml diff --git a/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/constraint.yaml b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/constraint.yaml new file mode 100644 index 000000000..84fde016a --- /dev/null 
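Review bot: The second `violation` rule (the `initContainers` one) repeats `not is_update_or_patch(input.review)` without the rationale comment that the `containers` rule carries, so a reader of that rule alone cannot tell why init-container limits are not re-checked on update. Either carry the comment over, e.g. `# initContainers resource limits are immutable as well.`, or move the comment above both rules so it visibly applies to each. The trailing `# Ephemeral containers not checked as it is not possible to set field.` line is now doubly true — ephemeral containers arrive via pod UPDATE, which the new guard skips — and could say so to avoid someone re-adding an ephemeral-container rule that the guard would silently defeat.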
+++ b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/constraint.yaml @@ -0,0 +1,12 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sRequiredProbes +metadata: + name: must-have-probes +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + probes: ["readinessProbe", "livenessProbe"] + probeTypes: ["tcpSocket", "httpGet", "exec"] diff --git a/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_allowed.yaml b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_allowed.yaml new file mode 100644 index 000000000..4248b67dd --- /dev/null +++ b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_allowed.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-pod1 +spec: + containers: + - name: tomcat + image: tomcat + ports: + - containerPort: 8080 + livenessProbe: + tcpSocket: + port: 80 + initialDelaySeconds: 5 + periodSeconds: 10 + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 10 + volumes: + - name: cache-volume + emptyDir: {} diff --git a/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_disallowed.yaml b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_disallowed.yaml new file mode 100644 index 000000000..6db251904 --- /dev/null +++ b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_disallowed.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-pod1 +spec: + containers: + - name: nginx-1 + image: nginx:1.7.9 + ports: + - containerPort: 80 + livenessProbe: + # tcpSocket: + # port: 80 + # initialDelaySeconds: 5 + # periodSeconds: 10 + volumeMounts: + - mountPath: /tmp/cache + name: cache-volume + - name: tomcat + image: tomcat + ports: + - containerPort: 8080 + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 10 + volumes: + - name: cache-volume + emptyDir: {} diff --git a/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_disallowed2.yaml b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_disallowed2.yaml new file mode 100644 index 000000000..6e0536487 --- /dev/null +++ b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_disallowed2.yaml @@ -0,0 +1,41 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-pod2 +spec: + containers: + - name: nginx-1 + image: nginx:1.7.9 + ports: + - containerPort: 80 + readinessProbe: + # httpGet: + # path: / + # port: 80 + # initialDelaySeconds: 5 + # periodSeconds: 10 + livenessProbe: + tcpSocket: + port: 80 + initialDelaySeconds: 5 + periodSeconds: 10 + volumeMounts: + - mountPath: /tmp/cache + name: cache-volume + - name: tomcat + image: tomcat + ports: + - containerPort: 8080 + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 10 + # livenessProbe: + # tcpSocket: + # port: 8080 + # initialDelaySeconds: 5 + # periodSeconds: 10 + volumes: + - name: cache-volume + emptyDir: {} diff --git a/artifacthub/library/general/requiredprobes/1.0.1/suite.yaml b/artifacthub/library/general/requiredprobes/1.0.1/suite.yaml new file mode 100644 index 000000000..8e8629a92 --- /dev/null +++ b/artifacthub/library/general/requiredprobes/1.0.1/suite.yaml 
@@ -0,0 +1,21 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: requiredprobes +tests: +- name: required-probes + template: template.yaml + constraint: samples/must-have-probes/constraint.yaml + cases: + - name: example-allowed + object: samples/must-have-probes/example_allowed.yaml + assertions: + - violations: no + - name: example-disallowed + object: samples/must-have-probes/example_disallowed.yaml + assertions: + - violations: yes + - name: example-disallowed2 + object: samples/must-have-probes/example_disallowed2.yaml + assertions: + - violations: yes diff --git a/artifacthub/library/general/requiredprobes/1.0.1/template.yaml b/artifacthub/library/general/requiredprobes/1.0.1/template.yaml new file mode 100644 index 000000000..fc84f63dc --- /dev/null +++ b/artifacthub/library/general/requiredprobes/1.0.1/template.yaml 
@@ -0,0 +1,74 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8srequiredprobes + annotations: + metadata.gatekeeper.sh/title: "Required Probes" + metadata.gatekeeper.sh/version: 1.0.1 + description: Requires Pods to have readiness and/or liveness probes. +spec: + crd: + spec: + names: + kind: K8sRequiredProbes + validation: + openAPIV3Schema: + type: object + properties: + probes: + description: "A list of probes that are required (ex: `readinessProbe`)" + type: array + items: + type: string + probeTypes: + description: "The probe must define a field listed in `probeType` in order to satisfy the constraint (ex. `tcpSocket` satisfies `['tcpSocket', 'exec']`)" + type: array + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8srequiredprobes + + import data.lib.exclude_update_patch.is_update_or_patch + + probe_type_set = probe_types { + probe_types := {type | type := input.parameters.probeTypes[_]} + } + + violation[{"msg": msg}] { + # Probe fields are immutable. + not is_update_or_patch(input.review) + + container := input.review.object.spec.containers[_] + probe := input.parameters.probes[_] + probe_is_missing(container, probe) + msg := get_violation_message(container, input.review, probe) + } + + probe_is_missing(ctr, probe) = true { + not ctr[probe] + } + + probe_is_missing(ctr, probe) = true { + probe_field_empty(ctr, probe) + } + + probe_field_empty(ctr, probe) = true { + probe_fields := {field | ctr[probe][field]} + diff_fields := probe_type_set - probe_fields + count(diff_fields) == count(probe_type_set) + } + + get_violation_message(container, review, probe) = msg { + msg := sprintf("Container <%v> in your <%v> <%v> has no <%v>", [container.name, review.kind.kind, review.object.metadata.name, probe]) + } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } 
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/artifacthub-pkg.yml new file mode 100644 index 000000000..aef049ed3 --- /dev/null +++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +version: 1.0.1 +name: k8spspallowprivilegeescalationcontainer +displayName: Allow Privilege Escalation in Container +createdAt: "2023-05-23T09:47:31Z" +description: Controls restricting escalation to root privileges. Corresponds to the `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation +digest: bd6fd60b9b4fd64a803cc3e8463bf1c86695c1d96a467f21c219c10159625023 +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/allow-privilege-escalation +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # Allow Privilege Escalation in Container + Controls restricting escalation to root privileges. Corresponds to the `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml + ``` +provider: + name: Gatekeeper Library diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/kustomization.yaml new file mode 100644 index 000000000..7d70d11b7 --- /dev/null +++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/kustomization.yaml 
@@ -0,0 +1,2 @@ +resources: + - template.yaml diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/constraint.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/constraint.yaml new file mode 100644 index 000000000..fdc05a1c0 --- /dev/null +++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/constraint.yaml @@ -0,0 +1,9 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPAllowPrivilegeEscalationContainer +metadata: + name: psp-allow-privilege-escalation-container +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml new file mode 100644 index 000000000..5992f96b3 --- /dev/null +++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-privilege-escalation-disallowed + labels: + app: nginx-privilege-escalation +spec: + ephemeralContainers: + - name: nginx + image: nginx + securityContext: + allowPrivilegeEscalation: true diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/example_allowed.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/example_allowed.yaml new file mode 100644 index 000000000..26c8dd879 --- /dev/null 
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/example_allowed.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-privilege-escalation-allowed + labels: + app: nginx-privilege-escalation +spec: + containers: + - name: nginx + image: nginx + securityContext: + allowPrivilegeEscalation: false diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/example_disallowed.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/example_disallowed.yaml new file mode 100644 index 000000000..d3648d2f2 --- /dev/null +++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/example_disallowed.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-privilege-escalation-disallowed + labels: + app: nginx-privilege-escalation +spec: + containers: + - name: nginx + image: nginx + securityContext: + allowPrivilegeEscalation: true diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/suite.yaml new file mode 100644 index 000000000..0c65f18f7 --- /dev/null +++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/suite.yaml 
@@ -0,0 +1,21 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: allow-privilege-escalation +tests: + - name: allow-privilege-escalation + template: template.yaml + constraint: samples/psp-allow-privilege-escalation-container/constraint.yaml + cases: + - name: example-allowed + object: samples/psp-allow-privilege-escalation-container/example_allowed.yaml + assertions: + - violations: no + - name: example-disallowed + object: samples/psp-allow-privilege-escalation-container/example_disallowed.yaml + assertions: + - violations: yes + - name: disallowed-ephemeral + object: samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml + assertions: + - violations: yes diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml new file mode 100644 index 000000000..5fb7c57d5 --- /dev/null +++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml 
@@ -0,0 +1,102 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8spspallowprivilegeescalationcontainer + annotations: + metadata.gatekeeper.sh/title: "Allow Privilege Escalation in Container" + metadata.gatekeeper.sh/version: 1.0.1 + description: >- + Controls restricting escalation to root privileges. Corresponds to the + `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more + information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation +spec: + crd: + spec: + names: + kind: K8sPSPAllowPrivilegeEscalationContainer + validation: + openAPIV3Schema: + type: object + description: >- + Controls restricting escalation to root privileges. Corresponds to the + `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more + information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation + properties: + exemptImages: + description: >- + Any container that uses an image that matches an entry in this list will be excluded + from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`. + + It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) + in order to avoid unexpectedly exempting images from an untrusted repository. + type: array + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8spspallowprivilegeescalationcontainer + + import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exempt_container.is_exempt + + violation[{"msg": msg, "details": {}}] { + # spec.containers.securityContext.allowPrivilegeEscalation field is immutable. 
+ not is_update_or_patch(input.review) + + c := input_containers[_] + not is_exempt(c) + input_allow_privilege_escalation(c) + msg := sprintf("Privilege escalation container is not allowed: %v", [c.name]) + } + + input_allow_privilege_escalation(c) { + not has_field(c, "securityContext") + } + input_allow_privilege_escalation(c) { + not c.securityContext.allowPrivilegeEscalation == false + } + input_containers[c] { + c := input.review.object.spec.containers[_] + } + input_containers[c] { + c := input.review.object.spec.initContainers[_] + } + input_containers[c] { + c := input.review.object.spec.ephemeralContainers[_] + } + # has_field returns whether an object has a field + has_field(object, field) = true { + object[field] + } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } + - | + package lib.exempt_container + + is_exempt(container) { + exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) + img := container.image + exemption := exempt_images[_] + _matches_exemption(img, exemption) + } + + _matches_exemption(img, exemption) { + not endswith(exemption, "*") + exemption == img + } + + _matches_exemption(img, exemption) { + endswith(exemption, "*") + prefix := trim_suffix(exemption, "*") + startswith(img, prefix) + } diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/artifacthub-pkg.yml new file mode 100644 index 000000000..aaa8938f9 --- /dev/null +++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/artifacthub-pkg.yml 
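Review bot: The new `not is_update_or_patch(input.review)` guard in `violation` also covers the `ephemeralContainers` branch of `input_containers`, and as far as I know the Kubernetes API rejects ephemeral containers on pod create and only admits them through UPDATE/PATCH of the pod's `ephemeralcontainers` subresource, so this change appears to switch off enforcement for ephemeral containers entirely. The suite's `disallowed-ephemeral` case does not catch this because it supplies only an object and no review operation; a rego unit test with `input.review.operation` set to `UPDATE` would. The immutability argument holds for `containers` and `initContainers` only, so I would split the rule so the ephemeral-container path is evaluated on every operation, as sketched below. The capabilities template in this series has the same shape (a guarded `violation` over `spec.ephemeralContainers[_]`) and needs the same treatment, and since these artifacthub copies look generated (note the `digest` field), the fix belongs in the source templates they are produced from.
```rego
violation[{"msg": msg, "details": {}}] {
  # Regular and init containers cannot change after creation, so UPDATE/PATCH
  # reviews are skipped for them (audit reviews carry no operation and still run).
  not is_update_or_patch(input.review)
  c := input_immutable_containers[_]
  not is_exempt(c)
  input_allow_privilege_escalation(c)
  msg := sprintf("Privilege escalation container is not allowed: %v", [c.name])
}

violation[{"msg": msg, "details": {}}] {
  # Ephemeral containers only arrive on UPDATE/PATCH of the pod's
  # ephemeralcontainers subresource, so this rule is deliberately not guarded.
  c := input.review.object.spec.ephemeralContainers[_]
  not is_exempt(c)
  input_allow_privilege_escalation(c)
  msg := sprintf("Privilege escalation container is not allowed: %v", [c.name])
}

input_immutable_containers[c] {
  c := input.review.object.spec.containers[_]
}
input_immutable_containers[c] {
  c := input.review.object.spec.initContainers[_]
}

# … unchanged: input_allow_privilege_escalation, has_field, libs …
```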
@@ -0,0 +1,22 @@ +version: 1.0.1 +name: k8spspcapabilities +displayName: Capabilities +createdAt: "2023-05-23T09:47:31Z" +description: Controls Linux capabilities on containers. Corresponds to the `allowedCapabilities` and `requiredDropCapabilities` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities +digest: adb9d8a97dcc2df2f780f35fc01728b845d856f3a4cdf51e682acd966bb70338 +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/capabilities +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # Capabilities + Controls Linux capabilities on containers. Corresponds to the `allowedCapabilities` and `requiredDropCapabilities` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml + ``` +provider: + name: Gatekeeper Library diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/kustomization.yaml new file mode 100644 index 000000000..7d70d11b7 --- /dev/null +++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - template.yaml diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/constraint.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/constraint.yaml new file mode 100644 index 000000000..3f856082f --- /dev/null +++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/constraint.yaml 
@@ -0,0 +1,14 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPCapabilities +metadata: + name: capabilities-demo +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + namespaces: + - "default" + parameters: + allowedCapabilities: ["something"] + requiredDropCapabilities: ["must_drop"] diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/disallowed_ephemeral.yaml new file mode 100644 index 000000000..5467c826e --- /dev/null +++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/disallowed_ephemeral.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: opa-disallowed + labels: + owner: me.agilebank.demo +spec: + ephemeralContainers: + - name: opa + image: openpolicyagent/opa:0.9.2 + args: + - "run" + - "--server" + - "--addr=localhost:8080" + securityContext: + capabilities: + add: ["disallowedcapability"] + resources: + limits: + cpu: "100m" + memory: "30Mi" diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/example_allowed.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/example_allowed.yaml new file mode 100644 index 000000000..41bf6a0ed --- /dev/null +++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/example_allowed.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: opa-allowed + labels: + owner: me.agilebank.demo +spec: + containers: + - name: opa + image: openpolicyagent/opa:0.9.2 + args: + - "run" + - "--server" + - "--addr=localhost:8080" + securityContext: + capabilities: + add: ["something"] + drop: ["must_drop", "another_one"] + resources: + limits: + cpu: "100m" + memory: "30Mi" 
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/example_disallowed.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/example_disallowed.yaml new file mode 100644 index 000000000..fdd886189 --- /dev/null +++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/example_disallowed.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: opa-disallowed + labels: + owner: me.agilebank.demo +spec: + containers: + - name: opa + image: openpolicyagent/opa:0.9.2 + args: + - "run" + - "--server" + - "--addr=localhost:8080" + securityContext: + capabilities: + add: ["disallowedcapability"] + resources: + limits: + cpu: "100m" + memory: "30Mi" \ No newline at end of file diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/suite.yaml new file mode 100644 index 000000000..8f7386e1c --- /dev/null +++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/suite.yaml @@ -0,0 +1,21 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: capabilities +tests: + - name: capabilities + template: template.yaml + constraint: samples/capabilities-demo/constraint.yaml + cases: + - name: example-disallowed + object: samples/capabilities-demo/example_disallowed.yaml + assertions: + - violations: yes + - name: example-allowed + object: samples/capabilities-demo/example_allowed.yaml + assertions: + - violations: no + - name: disallowed-ephemeral + object: samples/capabilities-demo/disallowed_ephemeral.yaml + assertions: + - violations: yes diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml new file mode 100644 index 000000000..55b2f8491 --- /dev/null +++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml 
@@ -0,0 +1,165 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8spspcapabilities + annotations: + metadata.gatekeeper.sh/title: "Capabilities" + metadata.gatekeeper.sh/version: 1.0.1 + description: >- + Controls Linux capabilities on containers. Corresponds to the + `allowedCapabilities` and `requiredDropCapabilities` fields in a + PodSecurityPolicy. For more information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities +spec: + crd: + spec: + names: + kind: K8sPSPCapabilities + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Controls Linux capabilities on containers. Corresponds to the + `allowedCapabilities` and `requiredDropCapabilities` fields in a + PodSecurityPolicy. For more information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities + properties: + exemptImages: + description: >- + Any container that uses an image that matches an entry in this list will be excluded + from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`. + + It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) + in order to avoid unexpectedly exempting images from an untrusted repository. + type: array + items: + type: string + allowedCapabilities: + type: array + description: "A list of Linux capabilities that can be added to a container." + items: + type: string + requiredDropCapabilities: + type: array + description: "A list of Linux capabilities that are required to be dropped from a container." + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package capabilities + + import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exempt_container.is_exempt + + violation[{"msg": msg}] { + # spec.containers.securityContext.capabilities field is immutable. 
+ not is_update_or_patch(input.review) + + container := input.review.object.spec.containers[_] + not is_exempt(container) + has_disallowed_capabilities(container) + msg := sprintf("container <%v> has a disallowed capability. Allowed capabilities are %v", [container.name, get_default(input.parameters, "allowedCapabilities", "NONE")]) + } + + violation[{"msg": msg}] { + not is_update_or_patch(input.review) + container := input.review.object.spec.containers[_] + not is_exempt(container) + missing_drop_capabilities(container) + msg := sprintf("container <%v> is not dropping all required capabilities. Container must drop all of %v or \"ALL\"", [container.name, input.parameters.requiredDropCapabilities]) + } + + + + violation[{"msg": msg}] { + not is_update_or_patch(input.review) + container := input.review.object.spec.initContainers[_] + not is_exempt(container) + has_disallowed_capabilities(container) + msg := sprintf("init container <%v> has a disallowed capability. Allowed capabilities are %v", [container.name, get_default(input.parameters, "allowedCapabilities", "NONE")]) + } + + violation[{"msg": msg}] { + not is_update_or_patch(input.review) + container := input.review.object.spec.initContainers[_] + not is_exempt(container) + missing_drop_capabilities(container) + msg := sprintf("init container <%v> is not dropping all required capabilities. Container must drop all of %v or \"ALL\"", [container.name, input.parameters.requiredDropCapabilities]) + } + + + + violation[{"msg": msg}] { + not is_update_or_patch(input.review) + container := input.review.object.spec.ephemeralContainers[_] + not is_exempt(container) + has_disallowed_capabilities(container) + msg := sprintf("ephemeral container <%v> has a disallowed capability. 
Allowed capabilities are %v", [container.name, get_default(input.parameters, "allowedCapabilities", "NONE")]) + } + + violation[{"msg": msg}] { + not is_update_or_patch(input.review) + container := input.review.object.spec.ephemeralContainers[_] + not is_exempt(container) + missing_drop_capabilities(container) + msg := sprintf("ephemeral container <%v> is not dropping all required capabilities. Container must drop all of %v or \"ALL\"", [container.name, input.parameters.requiredDropCapabilities]) + } + + + has_disallowed_capabilities(container) { + allowed := {c | c := lower(input.parameters.allowedCapabilities[_])} + not allowed["*"] + capabilities := {c | c := lower(container.securityContext.capabilities.add[_])} + + count(capabilities - allowed) > 0 + } + + missing_drop_capabilities(container) { + must_drop := {c | c := lower(input.parameters.requiredDropCapabilities[_])} + all := {"all"} + dropped := {c | c := lower(container.securityContext.capabilities.drop[_])} + + count(must_drop - dropped) > 0 + count(all - dropped) > 0 + } + + get_default(obj, param, _default) = out { + out = obj[param] + } + + get_default(obj, param, _default) = out { + not obj[param] + not obj[param] == false + out = _default + } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } + - | + package lib.exempt_container + + is_exempt(container) { + exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) + img := container.image + exemption := exempt_images[_] + _matches_exemption(img, exemption) + } + + _matches_exemption(img, exemption) { + not endswith(exemption, "*") + exemption == img + } + + _matches_exemption(img, exemption) { + endswith(exemption, "*") + prefix := trim_suffix(exemption, "*") + startswith(img, prefix) + } 
diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/artifacthub-pkg.yml new file mode 100644 index 000000000..5b1190f83 --- /dev/null +++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +version: 1.0.1 +name: k8spspflexvolumes +displayName: FlexVolumes +createdAt: "2023-05-23T09:47:31Z" +description: Controls the allowlist of FlexVolume drivers. Corresponds to the `allowedFlexVolumes` field in PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers +digest: 18da92d57e3d86c0460dfd57b276cdb3166620f7d603c4dcad44d46e3f5d7f87 +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/flexvolume-drivers +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # FlexVolumes + Controls the allowlist of FlexVolume drivers. Corresponds to the `allowedFlexVolumes` field in PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml + ``` +provider: + name: Gatekeeper Library diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/kustomization.yaml new file mode 100644 index 000000000..7d70d11b7 --- /dev/null +++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - template.yaml 
diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/constraint.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/constraint.yaml new file mode 100644 index 000000000..8fc65f2de --- /dev/null +++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/constraint.yaml @@ -0,0 +1,13 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPFlexVolumes +metadata: + name: psp-flexvolume-drivers +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + allowedFlexVolumes: #[] + - driver: "example/lvm" + - driver: "example/cifs" diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/example_allowed.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/example_allowed.yaml new file mode 100644 index 000000000..22b2e949c --- /dev/null +++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/example_allowed.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-flexvolume-driver-allowed + labels: + app: nginx-flexvolume-driver +spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /test + name: test-volume + readOnly: true + volumes: + - name: test-volume + flexVolume: + driver: "example/lvm" diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/example_disallowed.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/example_disallowed.yaml new file mode 100644 index 000000000..9a8f27d67 --- /dev/null +++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/example_disallowed.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-flexvolume-driver-disallowed + labels: + app: nginx-flexvolume-driver +spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /test + name: test-volume + readOnly: true + volumes: + - name: test-volume + flexVolume: + driver: "example/testdriver" #"example/lvm" diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/suite.yaml new file mode 100644 index 000000000..1f4a4ef75 --- /dev/null +++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/suite.yaml @@ -0,0 +1,17 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: flexvolume-drivers +tests: + - name: flexvolume-drivers + template: template.yaml + constraint: samples/psp-flexvolume-drivers/constraint.yaml + cases: + - name: example-allowed + object: samples/psp-flexvolume-drivers/example_allowed.yaml + assertions: + - violations: no + - name: example-disallowed + object: samples/psp-flexvolume-drivers/example_disallowed.yaml + assertions: + - violations: yes diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml new file mode 100644 index 000000000..cdf77aad0 --- /dev/null +++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml 
@@ -0,0 +1,74 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8spspflexvolumes + annotations: + metadata.gatekeeper.sh/title: "FlexVolumes" + metadata.gatekeeper.sh/version: 1.0.1 + description: >- + Controls the allowlist of FlexVolume drivers. Corresponds to the + `allowedFlexVolumes` field in PodSecurityPolicy. For more information, + see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers +spec: + crd: + spec: + names: + kind: K8sPSPFlexVolumes + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Controls the allowlist of FlexVolume drivers. Corresponds to the + `allowedFlexVolumes` field in PodSecurityPolicy. For more information, + see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers + properties: + allowedFlexVolumes: + type: array + description: "An array of AllowedFlexVolume objects." + items: + type: object + properties: + driver: + description: "The name of the FlexVolume driver." + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8spspflexvolumes + + import data.lib.exclude_update_patch.is_update_or_patch + + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update_or_patch(input.review) + + volume := input_flexvolumes[_] + not input_flexvolumes_allowed(volume) + msg := sprintf("FlexVolume %v is not allowed, pod: %v. 
Allowed drivers: %v", [volume, input.review.object.metadata.name, input.parameters.allowedFlexVolumes]) + } + + input_flexvolumes_allowed(volume) { + input.parameters.allowedFlexVolumes[_].driver == volume.flexVolume.driver + } + + input_flexvolumes[v] { + v := input.review.object.spec.volumes[_] + has_field(v, "flexVolume") + } + + # has_field returns whether an object has a field + has_field(object, field) = true { + object[field] + } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/README.md b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/README.md new file mode 100644 index 000000000..d8a40937d --- /dev/null +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/README.md 
@@ -0,0 +1,36 @@ +# Forbidden Sysctls security context policy + +The forbidden sysctls constraint allows one to limit the set of kernel parameters that can be modified by pods. This is accomplished by specifying a combination of allowed and forbidden sysctls using either of two parameters: `allowedSysctls` and `forbiddenSysctls`. + +## Parameters + +`allowedSysctls`: A list of explicitly allowed sysctls. Any sysctl not in this list will be considered forbidden. '*' and trailing wildcards are supported. If unspecified, no limitations are made by this parameter. + +`forbiddenSysctls`: A list of explicitly denied sysctls. Any sysctl in this list will be considered forbidden. '*' and trailing wildcards are supported. If unspecified, no limitations are made by this parameter. + +## Examples + +```yaml +parameters: + allowedSysctls: ['*'] + forbiddenSysctls: + - kernel.msg* + - net.core.somaxconn +``` + +```yaml +parameters: + allowedSysctls: + - kernel.shm_rmid_forced + - net.ipv4.ip_local_port_range + - net.ipv4.tcp_syncookies + - net.ipv4.ping_group_range + forbiddenSysctls: [] +``` + +*Note*: `forbiddenSysctls` takes precedence, such that an explicitly forbidden sysctl is still forbidden even if it appears in `allowedSysctls` as well. However in practice, such overlap between the rules should be avoided. + +## References + +* [Using sysctls in a Kubernetes Cluster](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/) +* [Kubernetes API Reference - Sysctl](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#sysctl-v1-core) \ No newline at end of file diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/artifacthub-pkg.yml new file mode 100644 index 000000000..7b2de2fcd --- /dev/null +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +version: 1.1.2 +name: k8spspforbiddensysctls +displayName: Forbidden Sysctls +createdAt: "2023-05-23T09:47:31Z" +description: Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ +digest: 436c6ee0f5228a9a316606a0ed95364b3753a376a68b1321da392477595d9a3a +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/forbidden-sysctls +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # Forbidden Sysctls + Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml + ``` +provider: + name: Gatekeeper Library diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/kustomization.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/kustomization.yaml new file mode 100644 index 000000000..7d70d11b7 --- /dev/null +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - template.yaml 
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/constraint.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/constraint.yaml new file mode 100644 index 000000000..39abf4b23 --- /dev/null +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/constraint.yaml @@ -0,0 +1,15 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPForbiddenSysctls +metadata: + name: psp-forbidden-sysctls +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + forbiddenSysctls: + # - "*" # * may be used to forbid all sysctls + - kernel.* + allowedSysctls: + - "*" # allows all sysctls. allowedSysctls is optional. diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/example_allowed.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/example_allowed.yaml new file mode 100644 index 000000000..4b6cc4b66 --- /dev/null +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/example_allowed.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-forbidden-sysctls-disallowed + labels: + app: nginx-forbidden-sysctls +spec: + containers: + - name: nginx + image: nginx + securityContext: + sysctls: + - name: net.core.somaxconn + value: "1024" diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/example_disallowed.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/example_disallowed.yaml new file mode 100644 index 000000000..34ab8f344 --- /dev/null +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/example_disallowed.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-forbidden-sysctls-disallowed + labels: + app: nginx-forbidden-sysctls +spec: + containers: + - name: nginx + image: nginx + securityContext: + sysctls: + - name: kernel.msgmax + value: "65536" + - name: net.core.somaxconn + value: "1024" diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/suite.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/suite.yaml new file mode 100644 index 000000000..bcc4caaae --- /dev/null +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/suite.yaml @@ -0,0 +1,17 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: forbidden-sysctls +tests: + - name: forbidden-sysctls + template: template.yaml + constraint: samples/psp-forbidden-sysctls/constraint.yaml + cases: + - name: example-disallowed + object: samples/psp-forbidden-sysctls/example_disallowed.yaml + assertions: + - violations: yes + - name: example-allowed + object: samples/psp-forbidden-sysctls/example_allowed.yaml + assertions: + - violations: no diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml new file mode 100644 index 000000000..8f6dd1e07 --- /dev/null +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml 
@@ -0,0 +1,102 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8spspforbiddensysctls + annotations: + metadata.gatekeeper.sh/title: "Forbidden Sysctls" + metadata.gatekeeper.sh/version: 1.1.2 + description: >- + Controls the `sysctl` profile used by containers. Corresponds to the + `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. + When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. + The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. + For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ +spec: + crd: + spec: + names: + kind: K8sPSPForbiddenSysctls + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Controls the `sysctl` profile used by containers. Corresponds to the + `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. + When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. + The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. + For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ + properties: + allowedSysctls: + type: array + description: "An allow-list of sysctls. `*` allows all sysctls not listed in the `forbiddenSysctls` parameter." + items: + type: string + forbiddenSysctls: + type: array + description: "A disallow-list of sysctls. `*` forbids all sysctls." + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8spspforbiddensysctls + + import data.lib.exclude_update_patch.is_update_or_patch + + # Block if forbidden + violation[{"msg": msg, "details": {}}] { + # spec.securityContext.sysctls field is immutable. 
+ not is_update_or_patch(input.review) + + sysctl := input.review.object.spec.securityContext.sysctls[_].name + forbidden_sysctl(sysctl) + msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls]) + } + + # Block if not explicitly allowed + violation[{"msg": msg, "details": {}}] { + not is_update_or_patch(input.review) + sysctl := input.review.object.spec.securityContext.sysctls[_].name + not allowed_sysctl(sysctl) + msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls]) + } + + # * may be used to forbid all sysctls + forbidden_sysctl(sysctl) { + input.parameters.forbiddenSysctls[_] == "*" + } + + forbidden_sysctl(sysctl) { + input.parameters.forbiddenSysctls[_] == sysctl + } + + forbidden_sysctl(sysctl) { + forbidden := input.parameters.forbiddenSysctls[_] + endswith(forbidden, "*") + startswith(sysctl, trim_suffix(forbidden, "*")) + } + + # * may be used to allow all sysctls + allowed_sysctl(sysctl) { + input.parameters.allowedSysctls[_] == "*" + } + + allowed_sysctl(sysctl) { + input.parameters.allowedSysctls[_] == sysctl + } + + allowed_sysctl(sysctl) { + allowed := input.parameters.allowedSysctls[_] + endswith(allowed, "*") + startswith(sysctl, trim_suffix(allowed, "*")) + } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/README.md b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/README.md new file mode 100644 index 000000000..b70d94d45 --- /dev/null +++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/README.md 
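Review bot: The `not allowed_sysctl(sysctl)` rule rejects every sysctl whenever `allowedSysctls` is omitted, because a Rego `not` over an undefined function call succeeds, yet the sample constraint in this patch comments `allowedSysctls is optional` and the schema description never says the parameter is required. Failing closed is the safer default, so I would keep the rule and fix the documentation instead, e.g. the schema description `An allow-list of sysctls; when omitted every sysctl is rejected, use "*" to allow all sysctls not listed in forbiddenSysctls.` and drop the `optional` remark from the sample. The new `not is_update_or_patch(input.review)` guard also deserves a sentence on reviews that carry no `operation` (audit runs, presumably): there `is_update_or_patch` is undefined, so the guard still admits the review, which is the intended outcome but not obvious from the comment `spec.securityContext.sysctls field is immutable.`; the same remark applies to the fsgroup and host-namespaces templates later in this patch. This artifacthub tree looks generated from `src/`, so both fixes belong in the source template.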
@@ -0,0 +1,7 @@ +# Deprecated + +**This Policy is deprecated** + +Please use the FSGroup settings on the users policy to enforce FSGroup Settings. + +[Users Policy](../users) diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/artifacthub-pkg.yml new file mode 100644 index 000000000..1c7437205 --- /dev/null +++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +version: 1.0.1 +name: k8spspfsgroup +displayName: FS Group +createdAt: "2023-05-23T09:47:31Z" +description: Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems +digest: a7132351db53b2094501f949746fc677a2b37d47ae744930af5eaf2d44443512 +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/fsgroup +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # FS Group + Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml + ``` +provider: + name: Gatekeeper Library diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/kustomization.yaml new file mode 100644 index 000000000..7d70d11b7 --- /dev/null +++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - template.yaml 
diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/constraint.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/constraint.yaml new file mode 100644 index 000000000..4eb14fe3c --- /dev/null +++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/constraint.yaml @@ -0,0 +1,14 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPFSGroup +metadata: + name: psp-fsgroup +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny" + ranges: + - min: 1 + max: 1000 diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/example_allowed.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/example_allowed.yaml new file mode 100644 index 000000000..17d3274c3 --- /dev/null +++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/example_allowed.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: fsgroup-disallowed +spec: + securityContext: + fsGroup: 500 # directory will have group ID 500 + volumes: + - name: fsgroup-demo-vol + emptyDir: {} + containers: + - name: fsgroup-demo + image: busybox + command: ["sh", "-c", "sleep 1h"] + volumeMounts: + - name: fsgroup-demo-vol + mountPath: /data/demo diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/example_disallowed.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/example_disallowed.yaml new file mode 100644 index 000000000..9caf7c0a3 --- /dev/null +++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/example_disallowed.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: fsgroup-disallowed +spec: + securityContext: + fsGroup: 2000 # directory will have group ID 2000 + volumes: + - name: fsgroup-demo-vol + emptyDir: {} + containers: + - name: fsgroup-demo + image: busybox + command: [ "sh", "-c", "sleep 1h" ] + volumeMounts: + - name: fsgroup-demo-vol + mountPath: /data/demo diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/suite.yaml new file mode 100644 index 000000000..f24cb6a35 --- /dev/null +++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/suite.yaml @@ -0,0 +1,17 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: fsgroup +tests: + - name: fsgroup + template: template.yaml + constraint: samples/psp-fsgroup/constraint.yaml + cases: + - name: example-disallowed + object: samples/psp-fsgroup/example_disallowed.yaml + assertions: + - violations: yes + - name: example-allowed + object: samples/psp-fsgroup/example_allowed.yaml + assertions: + - violations: no diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml new file mode 100644 index 000000000..006d8eb6e --- /dev/null +++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml 
@@ -0,0 +1,107 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8spspfsgroup + annotations: + metadata.gatekeeper.sh/title: "FS Group" + metadata.gatekeeper.sh/version: 1.0.1 + description: >- + Controls allocating an FSGroup that owns the Pod's volumes. Corresponds + to the `fsGroup` field in a PodSecurityPolicy. For more information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems +spec: + crd: + spec: + names: + kind: K8sPSPFSGroup + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Controls allocating an FSGroup that owns the Pod's volumes. Corresponds + to the `fsGroup` field in a PodSecurityPolicy. For more information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems + properties: + rule: + description: "An FSGroup rule name." + enum: + - MayRunAs + - MustRunAs + - RunAsAny + type: string + ranges: + type: array + description: "GID ranges affected by the rule." + items: + type: object + properties: + min: + description: "The minimum GID in the range, inclusive." + type: integer + max: + description: "The maximum GID in the range, inclusive." + type: integer + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8spspfsgroup + + import data.lib.exclude_update_patch.is_update_or_patch + + violation[{"msg": msg, "details": {}}] { + # spec.securityContext.fsGroup field is immutable. + not is_update_or_patch(input.review) + + spec := input.review.object.spec + not input_fsGroup_allowed(spec) + msg := sprintf("The provided pod spec fsGroup is not allowed, pod: %v. Allowed fsGroup: %v", [input.review.object.metadata.name, input.parameters]) + } + + input_fsGroup_allowed(spec) { + # RunAsAny - No range is required. Allows any fsGroup ID to be specified. 
+ input.parameters.rule == "RunAsAny" + } + input_fsGroup_allowed(spec) { + # MustRunAs - Validates pod spec fsgroup against all ranges + input.parameters.rule == "MustRunAs" + fg := spec.securityContext.fsGroup + count(input.parameters.ranges) > 0 + range := input.parameters.ranges[_] + value_within_range(range, fg) + } + input_fsGroup_allowed(spec) { + # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset + input.parameters.rule == "MayRunAs" + not has_field(spec, "securityContext") + } + input_fsGroup_allowed(spec) { + # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset + input.parameters.rule == "MayRunAs" + not spec.securityContext.fsGroup + } + input_fsGroup_allowed(spec) { + # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset + input.parameters.rule == "MayRunAs" + fg := spec.securityContext.fsGroup + count(input.parameters.ranges) > 0 + range := input.parameters.ranges[_] + value_within_range(range, fg) + } + value_within_range(range, value) { + range.min <= value + range.max >= value + } + # has_field returns whether an object has a field + has_field(object, field) = true { + object[field] + } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/artifacthub-pkg.yml new file mode 100644 index 000000000..38caa319c --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +version: 1.0.1 +name: k8spsphostfilesystem +displayName: Host Filesystem +createdAt: "2023-05-23T09:47:31Z" +description: Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems +digest: 4be50b48cb82f049e9045c4c847baf8764c64f8b9d121e2b4d9036e7cab1fcfb +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-filesystem +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # Host Filesystem + Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml + ``` +provider: + name: Gatekeeper Library diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/kustomization.yaml new file mode 100644 index 000000000..7d70d11b7 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - template.yaml diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/constraint.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/constraint.yaml new file mode 100644 index 000000000..7cbd7b824 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/constraint.yaml 
@@ -0,0 +1,13 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPHostFilesystem +metadata: + name: psp-host-filesystem +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + allowedHostPaths: + - readOnly: true + pathPrefix: "/foo" diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/disallowed_ephemeral.yaml new file mode 100644 index 000000000..beece55c0 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/disallowed_ephemeral.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-host-filesystem + labels: + app: nginx-host-filesystem-disallowed +spec: + ephemeralContainers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /cache + name: cache-volume + readOnly: true + volumes: + - name: cache-volume + hostPath: + path: /tmp # directory location on host diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/example_allowed.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/example_allowed.yaml new file mode 100644 index 000000000..abc60d882 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/example_allowed.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-host-filesystem + labels: + app: nginx-host-filesystem-disallowed +spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /cache + name: cache-volume + readOnly: true + volumes: + - name: cache-volume + hostPath: + path: /foo/bar 
diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/example_disallowed.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/example_disallowed.yaml new file mode 100644 index 000000000..53107694f --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/example_disallowed.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-host-filesystem + labels: + app: nginx-host-filesystem-disallowed +spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /cache + name: cache-volume + readOnly: true + volumes: + - name: cache-volume + hostPath: + path: /tmp # directory location on host diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/suite.yaml new file mode 100644 index 000000000..ec28e4ffc --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/suite.yaml @@ -0,0 +1,21 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: host-filesystem +tests: + - name: host-filesystem + template: template.yaml + constraint: samples/psp-host-filesystem/constraint.yaml + cases: + - name: example-disallowed + object: samples/psp-host-filesystem/example_disallowed.yaml + assertions: + - violations: yes + - name: example-allowed + object: samples/psp-host-filesystem/example_allowed.yaml + assertions: + - violations: no + - name: disallowed-ephemeral + object: samples/psp-host-filesystem/disallowed_ephemeral.yaml + assertions: + - violations: yes diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml new file mode 100644 index 000000000..b8d935369 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml 
@@ -0,0 +1,150 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8spsphostfilesystem + annotations: + metadata.gatekeeper.sh/title: "Host Filesystem" + metadata.gatekeeper.sh/version: 1.0.1 + description: >- + Controls usage of the host filesystem. Corresponds to the + `allowedHostPaths` field in a PodSecurityPolicy. For more information, + see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems +spec: + crd: + spec: + names: + kind: K8sPSPHostFilesystem + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Controls usage of the host filesystem. Corresponds to the + `allowedHostPaths` field in a PodSecurityPolicy. For more information, + see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems + properties: + allowedHostPaths: + type: array + description: "An array of hostpath objects, representing paths and read/write configuration." + items: + type: object + properties: + pathPrefix: + type: string + description: "The path prefix that the host volume must match." + readOnly: + type: boolean + description: "when set to true, any container volumeMounts matching the pathPrefix must include `readOnly: true`." + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8spsphostfilesystem + + import data.lib.exclude_update_patch.is_update_or_patch + + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update_or_patch(input.review) + + volume := input_hostpath_volumes[_] + allowedPaths := get_allowed_paths(input) + input_hostpath_violation(allowedPaths, volume) + msg := sprintf("HostPath volume %v is not allowed, pod: %v. 
Allowed path: %v", [volume, input.review.object.metadata.name, allowedPaths]) + } + + input_hostpath_violation(allowedPaths, volume) { + # An empty list means all host paths are blocked + allowedPaths == [] + } + input_hostpath_violation(allowedPaths, volume) { + not input_hostpath_allowed(allowedPaths, volume) + } + + get_allowed_paths(arg) = out { + not arg.parameters + out = [] + } + get_allowed_paths(arg) = out { + not arg.parameters.allowedHostPaths + out = [] + } + get_allowed_paths(arg) = out { + out = arg.parameters.allowedHostPaths + } + + input_hostpath_allowed(allowedPaths, volume) { + allowedHostPath := allowedPaths[_] + path_matches(allowedHostPath.pathPrefix, volume.hostPath.path) + not allowedHostPath.readOnly == true + } + + input_hostpath_allowed(allowedPaths, volume) { + allowedHostPath := allowedPaths[_] + path_matches(allowedHostPath.pathPrefix, volume.hostPath.path) + allowedHostPath.readOnly + not writeable_input_volume_mounts(volume.name) + } + + writeable_input_volume_mounts(volume_name) { + container := input_containers[_] + mount := container.volumeMounts[_] + mount.name == volume_name + not mount.readOnly + } + + # This allows "/foo", "/foo/", "/foo/bar" etc., but + # disallows "/fool", "/etc/foo" etc. 
+ path_matches(prefix, path) { + a := path_array(prefix) + b := path_array(path) + prefix_matches(a, b) + } + path_array(p) = out { + p != "/" + out := split(trim(p, "/"), "/") + } + # This handles the special case for "/", since + # split(trim("/", "/"), "/") == [""] + path_array("/") = [] + + prefix_matches(a, b) { + count(a) <= count(b) + not any_not_equal_upto(a, b, count(a)) + } + + any_not_equal_upto(a, b, n) { + a[i] != b[i] + i < n + } + + input_hostpath_volumes[v] { + v := input.review.object.spec.volumes[_] + has_field(v, "hostPath") + } + + # has_field returns whether an object has a field + has_field(object, field) = true { + object[field] + } + input_containers[c] { + c := input.review.object.spec.containers[_] + } + + input_containers[c] { + c := input.review.object.spec.initContainers[_] + } + + input_containers[c] { + c := input.review.object.spec.ephemeralContainers[_] + } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/artifacthub-pkg.yml new file mode 100644 index 000000000..7d20c6644 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/artifacthub-pkg.yml 
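Review bot: Skipping UPDATE/PATCH with `not is_update_or_patch(input.review)` is justified by the comment `spec.volumes field is immutable.`, but this template's read-only check walks `input.review.object.spec.ephemeralContainers[_]` through `input_containers`, and ephemeral containers are appended to an existing pod by an UPDATE on the ephemeralcontainers subresource, not at creation. If the admission webhook receives that subresource (the patch ships `disallowed_ephemeral.yaml` for exactly this container kind, though the suite only exercises it as a create), a later ephemeral container can mount an already-admitted `readOnly: true` hostPath volume writably and the rule no longer fires, whereas the same mount in `containers` at CREATE time is rejected by `writeable_input_volume_mounts`. I would either leave this template without the operation guard, or keep evaluating when the request's `subResource` is `ephemeralcontainers`, and extend the comment to say why the immutability argument is incomplete here. This appears to be a generated copy, so the change belongs in `src/`.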
@@ -0,0 +1,22 @@ +version: 1.0.1 +name: k8spsphostnamespace +displayName: Host Namespace +createdAt: "2023-05-23T09:47:31Z" +description: Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces +digest: 86a2dc453529427865f928c1ef99c2faa8685799e3a34c166451cb5b60885013 +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-namespaces +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # Host Namespace + Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml + ``` +provider: + name: Gatekeeper Library diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/kustomization.yaml new file mode 100644 index 000000000..7d70d11b7 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - template.yaml diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/constraint.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/constraint.yaml new file mode 100644 index 000000000..5b3ebba3a --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/constraint.yaml 
@@ -0,0 +1,9 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPHostNamespace +metadata: + name: psp-host-namespace +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/example_allowed.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/example_allowed.yaml new file mode 100644 index 000000000..f765f5b4d --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/example_allowed.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-host-namespace-allowed + labels: + app: nginx-host-namespace +spec: + hostPID: false + hostIPC: false + containers: + - name: nginx + image: nginx diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/example_disallowed.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/example_disallowed.yaml new file mode 100644 index 000000000..b979e8134 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/example_disallowed.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-host-namespace-disallowed + labels: + app: nginx-host-namespace +spec: + hostPID: true + hostIPC: true + containers: + - name: nginx + image: nginx diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/suite.yaml new file mode 100644 index 000000000..d274351ff --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/suite.yaml 
@@ -0,0 +1,17 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: host-namespaces +tests: + - name: host-namespace + template: template.yaml + constraint: samples/psp-host-namespace/constraint.yaml + cases: + - name: example-allowed + object: samples/psp-host-namespace/example_allowed.yaml + assertions: + - violations: no + - name: example-disallowed + object: samples/psp-host-namespace/example_disallowed.yaml + assertions: + - violations: yes diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml new file mode 100644 index 000000000..784112b39 --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml 
@@ -0,0 +1,56 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8spsphostnamespace + annotations: + metadata.gatekeeper.sh/title: "Host Namespace" + metadata.gatekeeper.sh/version: 1.0.1 + description: >- + Disallows sharing of host PID and IPC namespaces by pod containers. + Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. + For more information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces +spec: + crd: + spec: + names: + kind: K8sPSPHostNamespace + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Disallows sharing of host PID and IPC namespaces by pod containers. + Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. + For more information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8spsphostnamespace + + import data.lib.exclude_update_patch.is_update_or_patch + + violation[{"msg": msg, "details": {}}] { + # spec.hostPID and spec.hostIPC fields are immutable. + not is_update_or_patch(input.review) + + input_share_hostnamespace(input.review.object) + msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name]) + } + + input_share_hostnamespace(o) { + o.spec.hostPID + } + input_share_hostnamespace(o) { + o.spec.hostIPC + } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/artifacthub-pkg.yml new file mode 100644 index 000000000..8a6adc71f --- /dev/null +++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spsphostnetworkingports
+displayName: Host Networking Ports
+createdAt: "2023-05-23T09:47:31Z"
+description: Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the `hostNetwork` and `hostPorts` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+digest: 8f4e9f3b512b03b5ec14eb0ad30182163fb96f862669663531ebf0264eeb1e61
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-network-ports
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Host Networking Ports
+ Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the `hostNetwork` and `hostPorts` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/constraint.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/constraint.yaml
new file mode 100644
index 000000000..fcbc5d805
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/constraint.yaml
@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPHostNetworkingPorts
+metadata:
+ name: psp-host-network-ports
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ hostNetwork: true
+ min: 80
+ max: 9000
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..7a4fa3114
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/disallowed_ephemeral.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-ports-disallowed
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ hostNetwork: true
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/example_allowed.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/example_allowed.yaml
new file mode 100644
index 000000000..08b321fe5
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/example_allowed.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-ports-allowed
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ hostNetwork: false
+ containers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 9000
+ hostPort: 80
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/example_disallowed.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/example_disallowed.yaml
new file mode 100644
index 000000000..9a496cd60
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/example_disallowed.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-ports-disallowed
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/suite.yaml
new file mode 100644
index 000000000..86593fc9d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/suite.yaml
@@ -0,0 +1,21 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: host-network-ports
+tests:
+- name: use-of-host-networking-ports-blocked
+ template: template.yaml
+ constraint: samples/psp-host-network-ports/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-host-network-ports/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-host-network-ports/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/psp-host-network-ports/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml
new file mode 100644
index 000000000..e5d830061
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml
@@ -0,0 +1,120 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spsphostnetworkingports
+ annotations:
+ metadata.gatekeeper.sh/title: "Host Networking Ports"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Controls usage of host network namespace by pod containers. Specific
+ ports must be specified. Corresponds to the `hostNetwork` and
+ `hostPorts` fields in a PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPHostNetworkingPorts
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls usage of host network namespace by pod containers. Specific
+ ports must be specified. Corresponds to the `hostNetwork` and
+ `hostPorts` fields in a PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ hostNetwork:
+ description: "Determines if the policy allows the use of HostNetwork in the pod spec."
+ type: boolean
+ min:
+ description: "The start of the allowed port range, inclusive."
+ type: integer
+ max:
+ description: "The end of the allowed port range, inclusive."
+ type: integer
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spsphostnetworkingports
+
+ import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exempt_container.is_exempt
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.hostNetwork field is immutable.
+ not is_update_or_patch(input.review)
+
+ input_share_hostnetwork(input.review.object)
+ msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters])
+ }
+
+ input_share_hostnetwork(o) {
+ not input.parameters.hostNetwork
+ o.spec.hostNetwork
+ }
+
+ input_share_hostnetwork(o) {
+ hostPort := input_containers[_].ports[_].hostPort
+ hostPort < input.parameters.min
+ }
+
+ input_share_hostnetwork(o) {
+ hostPort := input_containers[_].ports[_].hostPort
+ hostPort > input.parameters.max
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ not is_exempt(c)
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ not is_exempt(c)
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ not is_exempt(c)
+ }
+ libs:
+ - |
+ package lib.exclude_update_patch
+
+ import future.keywords.in
+
+ is_update_or_patch(review) {
+ review.operation in ["UPDATE", "PATCH"]
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
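Review bot: The comment `# spec.hostNetwork field is immutable.` justifies skipping UPDATE/PATCH only for the first `input_share_hostnetwork` rule; the two `hostPort` rules also walk `spec.ephemeralContainers`, and ephemeral containers are only ever added to a running pod by an UPDATE on the `pods/ephemeralcontainers` subresource, so with this guard that branch can no longer fire at admission. The Pod API rejects `ports` on ephemeral containers, so the practical gap here is probably nil, but the assumption should be written down, e.g. `# spec.hostNetwork and container ports are immutable; ephemeral containers cannot declare ports.`. Note that the `disallowed-ephemeral` case in the suite hunk above still passes only because gator reviews carry no `operation`, so it does not exercise the admission path this guard changes.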
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..4eccc50ad
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspprivilegedcontainer
+displayName: Privileged Container
+createdAt: "2023-05-23T09:47:31Z"
+description: Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
+digest: f3b2afe9b0f7bccd82c29291a9e075ecd1019ca5857fb5e850d7176ac8aa4a36
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/privileged-containers
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Privileged Container
+ Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/constraint.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/constraint.yaml
new file mode 100644
index 000000000..b246b244a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/constraint.yaml
@@ -0,0 +1,10 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPPrivilegedContainer
+metadata:
+ name: psp-privileged-container
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ excludedNamespaces: ["kube-system"]
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..e8c8b9945
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/disallowed_ephemeral.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privileged-disallowed
+ labels:
+ app: nginx-privileged
+spec:
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: true
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/example_allowed.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/example_allowed.yaml
new file mode 100644
index 000000000..bb65a2c0e
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/example_allowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privileged-allowed
+ labels:
+ app: nginx-privileged
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: false
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/example_disallowed.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/example_disallowed.yaml
new file mode 100644
index 000000000..936a24f8e
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/example_disallowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privileged-disallowed
+ labels:
+ app: nginx-privileged
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: true
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/suite.yaml
new file mode 100644
index 000000000..593f96015
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/suite.yaml
@@ -0,0 +1,21 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: privileged-containers
+tests:
+- name: privileged-containers-disallowed
+ template: template.yaml
+ constraint: samples/psp-privileged-container/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-privileged-container/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-privileged-container/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/psp-privileged-container/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml
new file mode 100644
index 000000000..f143a492b
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml
@@ -0,0 +1,94 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspprivilegedcontainer
+ annotations:
+ metadata.gatekeeper.sh/title: "Privileged Container"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Controls the ability of any container to enable privileged mode.
+ Corresponds to the `privileged` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPPrivilegedContainer
+ validation:
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls the ability of any container to enable privileged mode.
+ Corresponds to the `privileged` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spspprivileged
+
+ import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exempt_container.is_exempt
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.containers.privileged field is immutable.
+ not is_update_or_patch(input.review)
+
+ c := input_containers[_]
+ not is_exempt(c)
+ c.securityContext.privileged
+ msg := sprintf("Privileged container is not allowed: %v, securityContext: %v", [c.name, c.securityContext])
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ }
+ libs:
+ - |
+ package lib.exclude_update_patch
+
+ import future.keywords.in
+
+ is_update_or_patch(review) {
+ review.operation in ["UPDATE", "PATCH"]
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/README.md b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/README.md
new file mode 100644
index 000000000..9e45b7207
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/README.md
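Review bot: `not is_update_or_patch(input.review)` opens an admission gap in this template: `input_containers` includes `spec.ephemeralContainers`, and ephemeral containers are added to an existing pod only through an UPDATE/PATCH on the `pods/ephemeralcontainers` subresource, so (assuming the webhook receives those requests, which Gatekeeper's default rules do as far as I know) a privileged ephemeral container injected into a running pod is now never evaluated at admission and only audit can report it. The comment `# spec.containers.privileged field is immutable.` holds for `containers` and `initContainers` but not for the ephemeral list, and the `disallowed-ephemeral` suite case still passes only because gator reviews carry no `operation`. The proc-mount template in the next hunk has the same problem with `securityContext.procMount` on ephemeral containers. I would move the guard into the two `input_containers` rules for the immutable lists and leave the ephemeral rule unguarded, so an UPDATE re-checks only what can actually change:

```rego
violation[{"msg": msg, "details": {}}] {
    c := input_containers[_]
    # … unchanged: is_exempt / privileged checks and msg …
}

# spec.containers and spec.initContainers are immutable after CREATE.
input_containers[c] {
    not is_update_or_patch(input.review)
    c := input.review.object.spec.containers[_]
}

input_containers[c] {
    not is_update_or_patch(input.review)
    c := input.review.object.spec.initContainers[_]
}

# Ephemeral containers arrive by UPDATE/PATCH on pods/ephemeralcontainers, so never skip them.
input_containers[c] {
    c := input.review.object.spec.ephemeralContainers[_]
}
# … unchanged: libs …
```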
@@ -0,0 +1,12 @@
+# ProcMount security context policy
+
+`procMount` denotes the type of proc mount to use for the containers. The default is `DefaultProcMount` which uses the container runtime defaults for readonly paths and masked paths.
+
+Types of proc mount are:
+
+- `DefaultProcMount` uses the container runtime default ProcType. Most container runtimes mask certain paths in /proc to avoid accidental security exposure of special devices or information.
+
+- `UnmaskedProcMount` bypasses the default masking behavior of the container runtime and ensures the newly created /proc the container stays in tact with no modifications.
+
+This requires the `ProcMountType` feature flag to be enabled. Set `--feature-gates=ProcMountType=true` in Kubernetes API Server to be able to use `Unmasked` procMount type (requires v1.12 and above). For more information, see
+https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/#options and https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/.
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/artifacthub-pkg.yml
new file mode 100644
index 000000000..573187ce2
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.2
+name: k8spspprocmount
+displayName: Proc Mount
+createdAt: "2023-05-23T09:47:31Z"
+description: Controls the allowed `procMount` types for the container. Corresponds to the `allowedProcMountTypes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
+digest: 4b54aedfc0a708de76efdd810bd7d63e92625fd79358d196977b7ea51359e46c
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/proc-mount
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Proc Mount
+ Controls the allowed `procMount` types for the container. Corresponds to the `allowedProcMountTypes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/kustomization.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/constraint.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/constraint.yaml
new file mode 100644
index 000000000..1d7434ac0
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/constraint.yaml
@@ -0,0 +1,11 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPProcMount
+metadata:
+ name: psp-proc-mount
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ procMount: Default
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..4be38f45d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/disallowed_ephemeral.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-proc-mount-disallowed
+ labels:
+ app: nginx-proc-mount
+spec:
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ procMount: Unmasked #Default
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/example_allowed.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/example_allowed.yaml
new file mode 100644
index 000000000..c9b13ac71
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/example_allowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-proc-mount-disallowed
+ labels:
+ app: nginx-proc-mount
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ procMount: Default
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/example_disallowed.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/example_disallowed.yaml
new file mode 100644
index 000000000..403c7cb2a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/example_disallowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-proc-mount-disallowed
+ labels:
+ app: nginx-proc-mount
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ procMount: Unmasked #Default
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/suite.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/suite.yaml
new file mode 100644
index 000000000..26dd5eb0a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/suite.yaml
@@ -0,0 +1,21 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: proc-mount
+tests:
+- name: default-proc-mount-required
+ template: template.yaml
+ constraint: samples/psp-proc-mount/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-proc-mount/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-proc-mount/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/psp-proc-mount/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml
new file mode 100644
index 000000000..93423ed2d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml
@@ -0,0 +1,140 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspprocmount
+ annotations:
+ metadata.gatekeeper.sh/title: "Proc Mount"
+ metadata.gatekeeper.sh/version: 1.0.2
+ description: >-
+ Controls the allowed `procMount` types for the container. Corresponds to
+ the `allowedProcMountTypes` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPProcMount
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls the allowed `procMount` types for the container. Corresponds to
+ the `allowedProcMountTypes` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ procMount:
+ type: string
+ description: >-
+ Defines the strategy for the security exposure of certain paths
+ in `/proc` by the container runtime. Setting to `Default` uses
+ the runtime defaults, where `Unmasked` bypasses the default
+ behavior.
+ enum:
+ - Default
+ - Unmasked
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spspprocmount
+
+ import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exempt_container.is_exempt
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.containers.securityContext.procMount field is immutable.
+ not is_update_or_patch(input.review)
+
+ c := input_containers[_]
+ not is_exempt(c)
+ allowedProcMount := get_allowed_proc_mount(input)
+ not input_proc_mount_type_allowed(allowedProcMount, c)
+ msg := sprintf("ProcMount type is not allowed, container: %v. Allowed procMount types: %v", [c.name, allowedProcMount])
+ }
+
+ input_proc_mount_type_allowed(allowedProcMount, c) {
+ allowedProcMount == "default"
+ lower(c.securityContext.procMount) == "default"
+ }
+ input_proc_mount_type_allowed(allowedProcMount, c) {
+ allowedProcMount == "unmasked"
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ c.securityContext.procMount
+ }
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ c.securityContext.procMount
+ }
+ input_containers[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ c.securityContext.procMount
+ }
+
+ get_allowed_proc_mount(arg) = out {
+ not arg.parameters
+ out = "default"
+ }
+ get_allowed_proc_mount(arg) = out {
+ not arg.parameters.procMount
+ out = "default"
+ }
+ get_allowed_proc_mount(arg) = out {
+ arg.parameters.procMount
+ not valid_proc_mount(arg.parameters.procMount)
+ out = "default"
+ }
+ get_allowed_proc_mount(arg) = out {
+ valid_proc_mount(arg.parameters.procMount)
+ out = lower(arg.parameters.procMount)
+ }
+
+ valid_proc_mount(str) {
+ lower(str) == "default"
+ }
+ valid_proc_mount(str) {
+ lower(str) == "unmasked"
+ }
+ libs:
+ - |
+ package lib.exclude_update_patch
+
+ import future.keywords.in
+
+ is_update_or_patch(review) {
+ review.operation in ["UPDATE", "PATCH"]
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..ddd7ab308
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspreadonlyrootfilesystem
+displayName: Read Only Root Filesystem
+createdAt: "2023-05-23T09:47:31Z"
+description: Requires the use of a read-only root file system by pod containers. Corresponds to the `readOnlyRootFilesystem` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+digest: c5191ecc692cff6ebe63895c42278e84be63e6f2e247d1ef68351ff54ec4383b
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/read-only-root-filesystem
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Read Only Root Filesystem
+ Requires the use of a read-only root file system by pod containers. Corresponds to the `readOnlyRootFilesystem` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/constraint.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/constraint.yaml
new file mode 100644
index 000000000..66d6bdabe
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/constraint.yaml
@@ -0,0 +1,9 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPReadOnlyRootFilesystem
+metadata:
+ name: psp-readonlyrootfilesystem
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..d0ce2c4dc
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-readonlyrootfilesystem-disallowed
+ labels:
+ app: nginx-readonlyrootfilesystem
+spec:
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ readOnlyRootFilesystem: false
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/example_allowed.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/example_allowed.yaml
new file mode 100644
index 000000000..9c96bd18c
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/example_allowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-readonlyrootfilesystem-allowed
+ labels:
+ app: nginx-readonlyrootfilesystem
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ readOnlyRootFilesystem: true
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/example_disallowed.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/example_disallowed.yaml
new file mode 100644
index 000000000..7571bfd9f
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/example_disallowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-readonlyrootfilesystem-disallowed
+ labels:
+ app: nginx-readonlyrootfilesystem
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ readOnlyRootFilesystem: false
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/suite.yaml
new file mode 100644
index 000000000..4df3de82f
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/suite.yaml
@@ -0,0 +1,21 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: read-only-root-filesystem +tests: +- name: require-read-only-root-filesystem + template: template.yaml + constraint: samples/psp-readonlyrootfilesystem/constraint.yaml + cases: + - name: example-disallowed + object: samples/psp-readonlyrootfilesystem/example_disallowed.yaml + assertions: + - violations: yes + - name: example-allowed + object: samples/psp-readonlyrootfilesystem/example_allowed.yaml + assertions: + - violations: no + - name: disallowed-ephemeral + object: samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml + assertions: + - violations: yes diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml new file mode 100644 index 000000000..eb4d2af5b --- /dev/null +++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml 
@@ -0,0 +1,105 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspreadonlyrootfilesystem
+ annotations:
+ metadata.gatekeeper.sh/title: "Read Only Root Filesystem"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Requires the use of a read-only root file system by pod containers.
+ Corresponds to the `readOnlyRootFilesystem` field in a
+ PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPReadOnlyRootFilesystem
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Requires the use of a read-only root file system by pod containers.
+ Corresponds to the `readOnlyRootFilesystem` field in a
+ PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spspreadonlyrootfilesystem
+
+ import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exempt_container.is_exempt
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.containers.readOnlyRootFilesystem field is immutable.
+ not is_update_or_patch(input.review)
+
+ c := input_containers[_]
+ not is_exempt(c)
+ input_read_only_root_fs(c)
+ msg := sprintf("only read-only root filesystem container is allowed: %v", [c.name])
+ }
+
+ input_read_only_root_fs(c) {
+ not has_field(c, "securityContext")
+ }
+ input_read_only_root_fs(c) {
+ not c.securityContext.readOnlyRootFilesystem == true
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ }
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ }
+ input_containers[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ }
+
+ # has_field returns whether an object has a field
+ has_field(object, field) = true {
+ object[field]
+ }
+ libs:
+ - |
+ package lib.exclude_update_patch
+
+ import future.keywords.in
+
+ is_update_or_patch(review) {
+ review.operation in ["UPDATE", "PATCH"]
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/selinux/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..478308853
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/artifacthub-pkg.yml
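Review bot: The new `not is_update_or_patch(input.review)` guard at the top of `violation` silently disables the check for ephemeral containers, because the `input_containers` rules in the same hunk iterate `spec.ephemeralContainers`, and ephemeral containers cannot be set on pod creation — they are only added afterwards through the pod's `ephemeralcontainers` subresource, which the admission webhook sees as an UPDATE. The immutability comment is true for `spec.containers[*].securityContext` on a Pod but not for the ephemeral container list, so a `kubectl debug` container with `readOnlyRootFilesystem: false` would now be admitted. The narrowest fix is in `lib.exclude_update_patch`, e.g. `is_update_or_patch(review) { review.operation in ["UPDATE", "PATCH"]; not review.subResource == "ephemeralcontainers" }`, or alternatively keep the guard out of templates whose `input_containers` include ephemeral containers. The suite's `disallowed-ephemeral` case supplies only the object and presumably no review operation, so it would not catch this; a fixture that sets `operation: UPDATE` and `subResource: ephemeralcontainers` on the review would. The same guard and container set appear in the selinux and users `template.yaml` hunks of this patch, and if these artifacthub copies are generated from `src/`, the change belongs in the library source rather than here.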
@@ -0,0 +1,22 @@ +version: 1.0.1 +name: k8spspselinuxv2 +displayName: SELinux V2 +createdAt: "2023-05-23T09:47:32Z" +description: Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux +digest: c1fbd389373b80528df8f78ea09ab73639eca30fc9bcfdd2ac744e00e83f580f +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/selinux +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # SELinux V2 + Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml + ``` +provider: + name: Gatekeeper Library diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/kustomization.yaml new file mode 100644 index 000000000..7d70d11b7 --- /dev/null +++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - template.yaml diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/constraint.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/constraint.yaml new file mode 100644 index 000000000..f88bbcd69 --- /dev/null +++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/constraint.yaml 
@@ -0,0 +1,15 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPSELinuxV2 +metadata: + name: psp-selinux-v2 +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + allowedSELinuxOptions: + - level: s0:c123,c456 + role: object_r + type: svirt_sandbox_file_t + user: system_u diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/disallowed_ephemeral.yaml new file mode 100644 index 000000000..3a35fc737 --- /dev/null +++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/disallowed_ephemeral.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-selinux-disallowed + labels: + app: nginx-selinux +spec: + ephemeralContainers: + - name: nginx + image: nginx + securityContext: + seLinuxOptions: + level: s1:c234,c567 + user: sysadm_u + role: sysadm_r + type: svirt_lxc_net_t diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/example_allowed.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/example_allowed.yaml new file mode 100644 index 000000000..4eaf2dc92 --- /dev/null +++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/example_allowed.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-selinux-allowed + labels: + app: nginx-selinux +spec: + containers: + - name: nginx + image: nginx + securityContext: + seLinuxOptions: + level: s0:c123,c456 + role: object_r + type: svirt_sandbox_file_t + user: system_u diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/example_disallowed.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/example_disallowed.yaml new file mode 100644 index 000000000..7eb7fee11 --- /dev/null 
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/example_disallowed.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-selinux-disallowed + labels: + app: nginx-selinux +spec: + containers: + - name: nginx + image: nginx + securityContext: + seLinuxOptions: + level: s1:c234,c567 + user: sysadm_u + role: sysadm_r + type: svirt_lxc_net_t diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/suite.yaml new file mode 100644 index 000000000..f35a2f6a7 --- /dev/null +++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/suite.yaml @@ -0,0 +1,21 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: selinux +tests: +- name: require-matching-selinux-options + template: template.yaml + constraint: samples/psp-selinux-v2/constraint.yaml + cases: + - name: example-disallowed + object: samples/psp-selinux-v2/example_disallowed.yaml + assertions: + - violations: yes + - name: example-allowed + object: samples/psp-selinux-v2/example_allowed.yaml + assertions: + - violations: no + - name: disallowed-ephemeral + object: samples/psp-selinux-v2/disallowed_ephemeral.yaml + assertions: + - violations: yes diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml new file mode 100644 index 000000000..eb88ff6e1 --- /dev/null +++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml 
@@ -0,0 +1,146 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8spspselinuxv2 + annotations: + metadata.gatekeeper.sh/title: "SELinux V2" + metadata.gatekeeper.sh/version: 1.0.1 + description: >- + Defines an allow-list of seLinuxOptions configurations for pod + containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. + For more information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux +spec: + crd: + spec: + names: + kind: K8sPSPSELinuxV2 + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Defines an allow-list of seLinuxOptions configurations for pod + containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. + For more information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux + properties: + exemptImages: + description: >- + Any container that uses an image that matches an entry in this list will be excluded + from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`. + + It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) + in order to avoid unexpectedly exempting images from an untrusted repository. + type: array + items: + type: string + allowedSELinuxOptions: + type: array + description: "An allow-list of SELinux options configurations." + items: + type: object + description: "An allowed configuration of SELinux options for a pod container." + properties: + level: + type: string + description: "An SELinux level." + role: + type: string + description: "An SELinux role." + type: + type: string + description: "An SELinux type." + user: + type: string + description: "An SELinux user." 
+ targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8spspselinux + + import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exempt_container.is_exempt + + # Disallow top level custom SELinux options + violation[{"msg": msg, "details": {}}] { + # spec.securityContext.seLinuxOptions field is immutable. + not is_update_or_patch(input.review) + + has_field(input.review.object.spec.securityContext, "seLinuxOptions") + not input_seLinuxOptions_allowed(input.review.object.spec.securityContext.seLinuxOptions) + msg := sprintf("SELinux options is not allowed, pod: %v. Allowed options: %v", [input.review.object.metadata.name, input.parameters.allowedSELinuxOptions]) + } + # Disallow container level custom SELinux options + violation[{"msg": msg, "details": {}}] { + # spec.containers.securityContext.seLinuxOptions field is immutable. + not is_update_or_patch(input.review) + + c := input_security_context[_] + not is_exempt(c) + has_field(c.securityContext, "seLinuxOptions") + not input_seLinuxOptions_allowed(c.securityContext.seLinuxOptions) + msg := sprintf("SELinux options is not allowed, pod: %v, container %v. 
Allowed options: %v", [input.review.object.metadata.name, c.name, input.parameters.allowedSELinuxOptions]) + } + + input_seLinuxOptions_allowed(options) { + params := input.parameters.allowedSELinuxOptions[_] + field_allowed("level", options, params) + field_allowed("role", options, params) + field_allowed("type", options, params) + field_allowed("user", options, params) + } + + field_allowed(field, options, params) { + params[field] == options[field] + } + field_allowed(field, options, params) { + not has_field(options, field) + } + + input_security_context[c] { + c := input.review.object.spec.containers[_] + has_field(c.securityContext, "seLinuxOptions") + } + input_security_context[c] { + c := input.review.object.spec.initContainers[_] + has_field(c.securityContext, "seLinuxOptions") + } + input_security_context[c] { + c := input.review.object.spec.ephemeralContainers[_] + has_field(c.securityContext, "seLinuxOptions") + } + + # has_field returns whether an object has a field + has_field(object, field) = true { + object[field] + } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } + - | + package lib.exempt_container + + is_exempt(container) { + exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) + img := container.image + exemption := exempt_images[_] + _matches_exemption(img, exemption) + } + + _matches_exemption(img, exemption) { + not endswith(exemption, "*") + exemption == img + } + + _matches_exemption(img, exemption) { + endswith(exemption, "*") + prefix := trim_suffix(exemption, "*") + startswith(img, prefix) + } diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/users/1.0.1/artifacthub-pkg.yml new file mode 100644 index 000000000..ab9c90eb0 --- /dev/null +++ b/artifacthub/library/pod-security-policy/users/1.0.1/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +version: 1.0.1 +name: k8spspallowedusers +displayName: Allowed Users +createdAt: "2023-05-23T09:47:32Z" +description: Controls the user and group IDs of the container and some volumes. Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and `fsGroup` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups +digest: b71aa38e9296583dd38400b79677e0436e689331ea807325f69b0693acb81d67 +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/users +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # Allowed Users + Controls the user and group IDs of the container and some volumes. Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and `fsGroup` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/users/1.0.1/template.yaml + ``` +provider: + name: Gatekeeper Library diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/kustomization.yaml new file mode 100644 index 000000000..7d70d11b7 --- /dev/null +++ b/artifacthub/library/pod-security-policy/users/1.0.1/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - template.yaml diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/constraint.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/constraint.yaml new file mode 100644 index 000000000..e69974578 --- /dev/null +++ b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/constraint.yaml 
@@ -0,0 +1,30 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPAllowedUsers +metadata: + name: psp-pods-allowed-user-ranges +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + runAsUser: + rule: MustRunAs # MustRunAsNonRoot # RunAsAny + ranges: + - min: 100 + max: 200 + runAsGroup: + rule: MustRunAs # MayRunAs # RunAsAny + ranges: + - min: 100 + max: 200 + supplementalGroups: + rule: MustRunAs # MayRunAs # RunAsAny + ranges: + - min: 100 + max: 200 + fsGroup: + rule: MustRunAs # MayRunAs # RunAsAny + ranges: + - min: 100 + max: 200 diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml new file mode 100644 index 000000000..6297f0dfd --- /dev/null +++ b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-users-disallowed + labels: + app: nginx-users +spec: + securityContext: + supplementalGroups: + - 250 + fsGroup: 250 + ephemeralContainers: + - name: nginx + image: nginx + securityContext: + runAsUser: 250 + runAsGroup: 250 diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/example_allowed.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/example_allowed.yaml new file mode 100644 index 000000000..79899ed98 --- /dev/null +++ b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/example_allowed.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-users-allowed + labels: + app: nginx-users +spec: + securityContext: + supplementalGroups: + - 199 + fsGroup: 199 + containers: + - name: nginx + image: nginx + securityContext: + runAsUser: 199 + runAsGroup: 199 
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/example_disallowed.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/example_disallowed.yaml new file mode 100644 index 000000000..516cce14b --- /dev/null +++ b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/example_disallowed.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-users-disallowed + labels: + app: nginx-users +spec: + securityContext: + supplementalGroups: + - 250 + fsGroup: 250 + containers: + - name: nginx + image: nginx + securityContext: + runAsUser: 250 + runAsGroup: 250 diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/suite.yaml new file mode 100644 index 000000000..20528f68c --- /dev/null +++ b/artifacthub/library/pod-security-policy/users/1.0.1/suite.yaml @@ -0,0 +1,21 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: users +tests: +- name: users-and-groups-together + template: template.yaml + constraint: samples/psp-pods-allowed-user-ranges/constraint.yaml + cases: + - name: example-disallowed + object: samples/psp-pods-allowed-user-ranges/example_disallowed.yaml + assertions: + - violations: yes + - name: example-allowed + object: samples/psp-pods-allowed-user-ranges/example_allowed.yaml + assertions: + - violations: no + - name: disallowed-ephemeral + object: samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml + assertions: + - violations: yes diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/template.yaml new file mode 100644 index 000000000..31bfdb163 --- /dev/null +++ b/artifacthub/library/pod-security-policy/users/1.0.1/template.yaml 
@@ -0,0 +1,294 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8spspallowedusers + annotations: + metadata.gatekeeper.sh/title: "Allowed Users" + metadata.gatekeeper.sh/version: 1.0.1 + description: >- + Controls the user and group IDs of the container and some volumes. + Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and + `fsGroup` fields in a PodSecurityPolicy. For more information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups +spec: + crd: + spec: + names: + kind: K8sPSPAllowedUsers + validation: + openAPIV3Schema: + type: object + description: >- + Controls the user and group IDs of the container and some volumes. + Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and + `fsGroup` fields in a PodSecurityPolicy. For more information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups + properties: + exemptImages: + description: >- + Any container that uses an image that matches an entry in this list will be excluded + from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`. + + It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) + in order to avoid unexpectedly exempting images from an untrusted repository. + type: array + items: + type: string + runAsUser: + type: object + description: "Controls which user ID values are allowed in a Pod or container-level SecurityContext." + properties: + rule: + type: string + description: "A strategy for applying the runAsUser restriction." + enum: + - MustRunAs + - MustRunAsNonRoot + - RunAsAny + ranges: + type: array + description: "A list of user ID ranges affected by the rule." + items: + type: object + description: "The range of user IDs affected by the rule." + properties: + min: + type: integer + description: "The minimum user ID in the range, inclusive." 
+ max: + type: integer + description: "The maximum user ID in the range, inclusive." + runAsGroup: + type: object + description: "Controls which group ID values are allowed in a Pod or container-level SecurityContext." + properties: + rule: + type: string + description: "A strategy for applying the runAsGroup restriction." + enum: + - MustRunAs + - MayRunAs + - RunAsAny + ranges: + type: array + description: "A list of group ID ranges affected by the rule." + items: + type: object + description: "The range of group IDs affected by the rule." + properties: + min: + type: integer + description: "The minimum group ID in the range, inclusive." + max: + type: integer + description: "The maximum group ID in the range, inclusive." + supplementalGroups: + type: object + description: "Controls the supplementalGroups values that are allowed in a Pod or container-level SecurityContext." + properties: + rule: + type: string + description: "A strategy for applying the supplementalGroups restriction." + enum: + - MustRunAs + - MayRunAs + - RunAsAny + ranges: + type: array + description: "A list of group ID ranges affected by the rule." + items: + type: object + description: "The range of group IDs affected by the rule." + properties: + min: + type: integer + description: "The minimum group ID in the range, inclusive." + max: + type: integer + description: "The maximum group ID in the range, inclusive." + fsGroup: + type: object + description: "Controls the fsGroup values that are allowed in a Pod or container-level SecurityContext." + properties: + rule: + type: string + description: "A strategy for applying the fsGroup restriction." + enum: + - MustRunAs + - MayRunAs + - RunAsAny + ranges: + type: array + description: "A list of group ID ranges affected by the rule." + items: + type: object + description: "The range of group IDs affected by the rule." + properties: + min: + type: integer + description: "The minimum group ID in the range, inclusive." 
+ max: + type: integer + description: "The maximum group ID in the range, inclusive." + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8spspallowedusers + + import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exempt_container.is_exempt + + violation[{"msg": msg}] { + # runAsUser, runAsGroup, supplementalGroups, fsGroup fields are immutable. + not is_update_or_patch(input.review) + + fields := ["runAsUser", "runAsGroup", "supplementalGroups", "fsGroup"] + field := fields[_] + container := input_containers[_] + not is_exempt(container) + msg := get_type_violation(field, container) + } + + get_type_violation(field, container) = msg { + field == "runAsUser" + params := input.parameters[field] + msg := get_user_violation(params, container) + } + + get_type_violation(field, container) = msg { + field != "runAsUser" + params := input.parameters[field] + msg := get_violation(field, params, container) + } + + # RunAsUser (separate due to "MustRunAsNonRoot") + get_user_violation(params, container) = msg { + rule := params.rule + provided_user := get_field_value("runAsUser", container, input.review) + not accept_users(rule, provided_user) + msg := sprintf("Container %v is attempting to run as disallowed user %v. 
Allowed runAsUser: %v", [container.name, provided_user, params]) + } + + get_user_violation(params, container) = msg { + not get_field_value("runAsUser", container, input.review) + params.rule = "MustRunAs" + msg := sprintf("Container %v is attempting to run without a required securityContext/runAsUser", [container.name]) + } + + get_user_violation(params, container) = msg { + params.rule = "MustRunAsNonRoot" + not get_field_value("runAsUser", container, input.review) + not get_field_value("runAsNonRoot", container, input.review) + msg := sprintf("Container %v is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", [container.name]) + } + + accept_users("RunAsAny", provided_user) {true} + + accept_users("MustRunAsNonRoot", provided_user) = res {res := provided_user != 0} + + accept_users("MustRunAs", provided_user) = res { + ranges := input.parameters.runAsUser.ranges + res := is_in_range(provided_user, ranges) + } + + # Group Options + get_violation(field, params, container) = msg { + rule := params.rule + provided_value := get_field_value(field, container, input.review) + not is_array(provided_value) + not accept_value(rule, provided_value, params.ranges) + msg := sprintf("Container %v is attempting to run as disallowed group %v. Allowed %v: %v", [container.name, provided_value, field, params]) + } + # SupplementalGroups is array value + get_violation(field, params, container) = msg { + rule := params.rule + array_value := get_field_value(field, container, input.review) + is_array(array_value) + provided_value := array_value[_] + not accept_value(rule, provided_value, params.ranges) + msg := sprintf("Container %v is attempting to run with disallowed supplementalGroups %v. 
Allowed %v: %v", [container.name, array_value, field, params]) + } + + get_violation(field, params, container) = msg { + not get_field_value(field, container, input.review) + params.rule == "MustRunAs" + msg := sprintf("Container %v is attempting to run without a required securityContext/%v. Allowed %v: %v", [container.name, field, field, params]) + } + + accept_value("RunAsAny", provided_value, ranges) {true} + + accept_value("MayRunAs", provided_value, ranges) = res { res := is_in_range(provided_value, ranges)} + + accept_value("MustRunAs", provided_value, ranges) = res { res := is_in_range(provided_value, ranges)} + + + # If container level is provided, that takes precedence + get_field_value(field, container, review) = out { + container_value := get_seccontext_field(field, container) + out := container_value + } + + # If no container level exists, use pod level + get_field_value(field, container, review) = out { + not has_seccontext_field(field, container) + review.kind.kind == "Pod" + pod_value := get_seccontext_field(field, review.object.spec) + out := pod_value + } + + # Helper Functions + is_in_range(val, ranges) = res { + matching := {1 | val >= ranges[j].min; val <= ranges[j].max} + res := count(matching) > 0 + } + + has_seccontext_field(field, obj) { + get_seccontext_field(field, obj) + } + + has_seccontext_field(field, obj) { + get_seccontext_field(field, obj) == false + } + + get_seccontext_field(field, obj) = out { + out = obj.securityContext[field] + } + + input_containers[c] { + c := input.review.object.spec.containers[_] + } + input_containers[c] { + c := input.review.object.spec.initContainers[_] + } + input_containers[c] { + c := input.review.object.spec.ephemeralContainers[_] + } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } + - | + package lib.exempt_container + + is_exempt(container) { + exempt_images := object.get(object.get(input, 
"parameters", {}), "exemptImages", []) + img := container.image + exemption := exempt_images[_] + _matches_exemption(img, exemption) + } + + _matches_exemption(img, exemption) { + not endswith(exemption, "*") + exemption == img + } + + _matches_exemption(img, exemption) { + endswith(exemption, "*") + prefix := trim_suffix(exemption, "*") + startswith(img, prefix) + } diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/volumes/1.0.1/artifacthub-pkg.yml new file mode 100644 index 000000000..cdb3626d1 --- /dev/null +++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +version: 1.0.1 +name: k8spspvolumetypes +displayName: Volume Types +createdAt: "2023-05-23T09:47:32Z" +description: Restricts mountable volume types to those specified by the user. Corresponds to the `volumes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems +digest: 9e0fbef9b1bca39d7407759e39b4595a39fdf24dbd41b1a1eb5d5a93edc5c05a +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/volumes +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # Volume Types + Restricts mountable volume types to those specified by the user. Corresponds to the `volumes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml + ``` +provider: + name: Gatekeeper Library 
diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/kustomization.yaml new file mode 100644 index 000000000..7d70d11b7 --- /dev/null +++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - template.yaml diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/constraint.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/constraint.yaml new file mode 100644 index 000000000..0638df7cb --- /dev/null +++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/constraint.yaml @@ -0,0 +1,20 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPVolumeTypes +metadata: + name: psp-volume-types +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + volumes: + # - "*" # * may be used to allow all volume types + - configMap + - emptyDir + - projected + - secret + - downwardAPI + - persistentVolumeClaim + #- hostPath #required for allowedHostPaths + - flexVolume #required for allowedFlexVolumes diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/example_allowed.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/example_allowed.yaml new file mode 100644 index 000000000..df6251e7d --- /dev/null +++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/example_allowed.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-volume-types-allowed + labels: + app: nginx-volume-types +spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /cache + name: cache-volume + - name: nginx2 + image: nginx + volumeMounts: + - mountPath: /cache2 + name: demo-vol + volumes: + - name: cache-volume + emptyDir: {} + - name: demo-vol + emptyDir: {} 
diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/example_disallowed.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/example_disallowed.yaml new file mode 100644 index 000000000..562cf59d8 --- /dev/null +++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/example_disallowed.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-volume-types-disallowed + labels: + app: nginx-volume-types +spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /cache + name: cache-volume + - name: nginx2 + image: nginx + volumeMounts: + - mountPath: /cache2 + name: demo-vol + volumes: + - name: cache-volume + hostPath: + path: /tmp # directory location on host + - name: demo-vol + emptyDir: {} diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/suite.yaml new file mode 100644 index 000000000..b8f91b5a4 --- /dev/null +++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/suite.yaml @@ -0,0 +1,17 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: volumes +tests: +- name: host-path-disallowed + template: template.yaml + constraint: samples/psp-volume-types/constraint.yaml + cases: + - name: example-disallowed + object: samples/psp-volume-types/example_disallowed.yaml + assertions: + - violations: yes + - name: example-allowed + object: samples/psp-volume-types/example_allowed.yaml + assertions: + - violations: no diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml new file mode 100644 index 000000000..7b4c231a0 --- /dev/null +++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml 
@@ -0,0 +1,66 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspvolumetypes
+ annotations:
+ metadata.gatekeeper.sh/title: "Volume Types"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Restricts mountable volume types to those specified by the user.
+ Corresponds to the `volumes` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPVolumeTypes
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Restricts mountable volume types to those specified by the user.
+ Corresponds to the `volumes` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+ properties:
+ volumes:
+ description: "`volumes` is an array of volume types. All volume types can be enabled using `*`."
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spspvolumetypes
+
+ import data.lib.exclude_update_patch.is_update_or_patch
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.volumes field is immutable.
+ not is_update_or_patch(input.review)
+
+ volume_fields := {x | input.review.object.spec.volumes[_][x]; x != "name"}
+ field := volume_fields[_]
+ not input_volume_type_allowed(field)
+ msg := sprintf("The volume type %v is not allowed, pod: %v. Allowed volume types: %v", [field, input.review.object.metadata.name, input.parameters.volumes])
+ }
+
+ # * may be used to allow all volume types
+ input_volume_type_allowed(field) {
+ input.parameters.volumes[_] == "*"
+ }
+
+ input_volume_type_allowed(field) {
+ field == input.parameters.volumes[_]
+ }
+ libs:
+ - |
+ package lib.exclude_update_patch
+
+ import future.keywords.in
+
+ is_update_or_patch(review) {
+ review.operation in ["UPDATE", "PATCH"]
+ }
diff --git a/library/general/automount-serviceaccount-token/template.yaml b/library/general/automount-serviceaccount-token/template.yaml index c9f87c42f..ee1f2561d 100644 --- a/library/general/automount-serviceaccount-token/template.yaml +++ b/library/general/automount-serviceaccount-token/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spspautomountserviceaccounttokenpod annotations: metadata.gatekeeper.sh/title: "Automount Service Account Token for Pod" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the ability of any Pod to enable automountServiceAccountToken. spec: @@ -22,7 +22,12 @@ spec: rego: | package k8sautomountserviceaccounttoken + import data.lib.exclude_update_patch.is_update_or_patch + violation[{"msg": msg}] { + # spec.automountServiceAccountToken and spec.containers.volumeMounts fields are immutable. + not is_update_or_patch(input.review) + obj := input.review.object mountServiceAccountToken(obj.spec) msg := sprintf("Automounting service account token is disallowed, pod: %v", [obj.metadata.name]) @@ -52,3 +57,12 @@ spec: has_key(x, k) { _ = x[k] } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } diff --git a/library/general/ephemeralstoragelimit/template.yaml b/library/general/ephemeralstoragelimit/template.yaml index 5362e5ffd..be528d759 100644 --- a/library/general/ephemeralstoragelimit/template.yaml +++ b/library/general/ephemeralstoragelimit/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8scontainerephemeralstoragelimit annotations: metadata.gatekeeper.sh/title: "Container ephemeral storage limit" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values. 
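Review bot: In the inlined `lib.exclude_update_patch`, the `"PATCH"` member of `["UPDATE", "PATCH"]` can never match: an AdmissionReview `request.operation` is one of CREATE, UPDATE, DELETE or CONNECT, and a PATCH verb reaches the webhook as an UPDATE. The extra value is harmless, but it suggests a distinction that does not exist, and the library and rule names (`exclude_update_patch`, `is_update_or_patch`) carry that suggestion into every template in this series. Either reduce the rule to `review.operation == "UPDATE"` or keep the list and state the reason, e.g. `# The API server reports PATCH requests to admission webhooks as UPDATE; "PATCH" is only a defensive alias.`. Because the helper is copied verbatim into each template's `libs`, whichever form is chosen has to be applied to all of them together with `src/rego/lib_exclude_update_patch`.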
@@ -38,6 +38,7 @@ spec: rego: | package k8scontainerephemeralstoragelimit + import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt missing(obj, field) = true { @@ -150,10 +151,14 @@ spec: } violation[{"msg": msg}] { + # spec.containers.resources.limits["ephemeral-storage"] field is immutable. + not is_update_or_patch(input.review) + general_violation[{"msg": msg, "field": "containers"}] } violation[{"msg": msg}] { + not is_update_or_patch(input.review) general_violation[{"msg": msg, "field": "initContainers"}] } @@ -199,6 +204,14 @@ spec: msg := sprintf("container <%v> ephemeral-storage limit <%v> is higher than the maximum allowed of <%v>", [container.name, storage_orig, max_storage_orig]) } libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } - | package lib.exempt_container diff --git a/library/general/requiredprobes/template.yaml b/library/general/requiredprobes/template.yaml index 26417b101..fc84f63dc 100644 --- a/library/general/requiredprobes/template.yaml +++ b/library/general/requiredprobes/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8srequiredprobes annotations: metadata.gatekeeper.sh/title: "Required Probes" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: Requires Pods to have readiness and/or liveness probes. spec: crd: @@ -30,11 +30,16 @@ spec: rego: | package k8srequiredprobes + import data.lib.exclude_update_patch.is_update_or_patch + probe_type_set = probe_types { probe_types := {type | type := input.parameters.probeTypes[_]} } violation[{"msg": msg}] { + # Probe fields are immutable. + not is_update_or_patch(input.review) + container := input.review.object.spec.containers[_] probe := input.parameters.probes[_] probe_is_missing(container, probe) 
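Review bot: The rationale `# spec.containers.resources.limits["ephemeral-storage"] field is immutable.` is no longer unconditionally true: since Kubernetes 1.27 the InPlacePodVerticalScaling feature gate (alpha) allows `spec.containers[].resources` of a running Pod to be updated. As far as I know that path only permits cpu and memory changes and still rejects a change to ephemeral-storage, so the skip is probably safe, but the assumption it rests on should be written down, e.g. `# Skipped on UPDATE: the API server rejects changes to limits["ephemeral-storage"] even with in-place resize enabled (only cpu/memory are resizable).`. The second rule (the `initContainers` one) gets the same guard with no comment; a one-line pointer to the rationale above would keep the two rules readable together. `general_violation` and the rest of the package are outside this hunk.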
@@ -58,3 +63,12 @@ spec: get_violation_message(container, review, probe) = msg { msg := sprintf("Container <%v> in your <%v> <%v> has no <%v>", [container.name, review.kind.kind, review.object.metadata.name, probe]) } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } diff --git a/library/pod-security-policy/allow-privilege-escalation/template.yaml b/library/pod-security-policy/allow-privilege-escalation/template.yaml index c473e2731..5fb7c57d5 100644 --- a/library/pod-security-policy/allow-privilege-escalation/template.yaml +++ b/library/pod-security-policy/allow-privilege-escalation/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spspallowprivilegeescalationcontainer annotations: metadata.gatekeeper.sh/title: "Allow Privilege Escalation in Container" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls restricting escalation to root privileges. Corresponds to the `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more @@ -39,9 +39,13 @@ spec: rego: | package k8spspallowprivilegeescalationcontainer + import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.securityContext.allowPrivilegeEscalation field is immutable. + not is_update_or_patch(input.review) + c := input_containers[_] not is_exempt(c) input_allow_privilege_escalation(c) @@ -68,6 +72,14 @@ spec: object[field] } libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } - | package lib.exempt_container diff --git a/library/pod-security-policy/capabilities/template.yaml b/library/pod-security-policy/capabilities/template.yaml index f645e3765..55b2f8491 100644 --- a/library/pod-security-policy/capabilities/template.yaml 
+++ b/library/pod-security-policy/capabilities/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spspcapabilities annotations: metadata.gatekeeper.sh/title: "Capabilities" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls Linux capabilities on containers. Corresponds to the `allowedCapabilities` and `requiredDropCapabilities` fields in a @@ -50,9 +50,13 @@ spec: rego: | package capabilities + import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt violation[{"msg": msg}] { + # spec.containers.securityContext.capabilities field is immutable. + not is_update_or_patch(input.review) + container := input.review.object.spec.containers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -60,6 +64,7 @@ spec: } violation[{"msg": msg}] { + not is_update_or_patch(input.review) container := input.review.object.spec.containers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -69,6 +74,7 @@ spec: violation[{"msg": msg}] { + not is_update_or_patch(input.review) container := input.review.object.spec.initContainers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -76,6 +82,7 @@ spec: } violation[{"msg": msg}] { + not is_update_or_patch(input.review) container := input.review.object.spec.initContainers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -85,6 +92,7 @@ spec: violation[{"msg": msg}] { + not is_update_or_patch(input.review) container := input.review.object.spec.ephemeralContainers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -92,6 +100,7 @@ spec: } violation[{"msg": msg}] { + not is_update_or_patch(input.review) container := input.review.object.spec.ephemeralContainers[_] not is_exempt(container) missing_drop_capabilities(container) 
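Review bot: Adding `not is_update_or_patch(input.review)` to the two `spec.ephemeralContainers[_]` rules makes them unreachable and opens a bypass: ephemeral containers can only be added to an existing Pod through the `pods/ephemeralcontainers` subresource, which reaches admission as an UPDATE, so they never appear on a CREATE. If Gatekeeper's webhook is configured to receive that subresource, a `kubectl debug` container with disallowed or un-dropped capabilities is now admitted without evaluation; if it is not, those rules were already dead and the guard merely hides it. A container's `capabilities` field is immutable, but the list of ephemeral containers is not, so the guard should be removed from the last two rules in this hunk (keep `container := input.review.object.spec.ephemeralContainers[_]` and the rest unchanged), and the comment on the first rule should say the skip covers `containers` and `initContainers` only. The same pattern recurs in the other templates in this series that iterate `ephemeralContainers`.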
@@ -126,6 +135,14 @@ spec: out = _default } libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } - | package lib.exempt_container diff --git a/library/pod-security-policy/flexvolume-drivers/template.yaml b/library/pod-security-policy/flexvolume-drivers/template.yaml index 7cb53e11f..cdf77aad0 100644 --- a/library/pod-security-policy/flexvolume-drivers/template.yaml +++ b/library/pod-security-policy/flexvolume-drivers/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spspflexvolumes annotations: metadata.gatekeeper.sh/title: "FlexVolumes" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the allowlist of FlexVolume drivers. Corresponds to the `allowedFlexVolumes` field in PodSecurityPolicy. For more information, @@ -39,7 +39,12 @@ spec: rego: | package k8spspflexvolumes + import data.lib.exclude_update_patch.is_update_or_patch + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update_or_patch(input.review) + volume := input_flexvolumes[_] not input_flexvolumes_allowed(volume) msg := sprintf("FlexVolume %v is not allowed, pod: %v. Allowed drivers: %v", [volume, input.review.object.metadata.name, input.parameters.allowedFlexVolumes]) @@ -58,3 +63,12 @@ spec: has_field(object, field) = true { object[field] } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } diff --git a/library/pod-security-policy/forbidden-sysctls/template.yaml b/library/pod-security-policy/forbidden-sysctls/template.yaml index 1e6ee7f25..8f6dd1e07 100644 --- a/library/pod-security-policy/forbidden-sysctls/template.yaml +++ b/library/pod-security-policy/forbidden-sysctls/template.yaml 
@@ -4,7 +4,7 @@ metadata: name: k8spspforbiddensysctls annotations: metadata.gatekeeper.sh/title: "Forbidden Sysctls" - metadata.gatekeeper.sh/version: 1.1.1 + metadata.gatekeeper.sh/version: 1.1.2 description: >- Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. @@ -42,8 +42,13 @@ spec: rego: | package k8spspforbiddensysctls + import data.lib.exclude_update_patch.is_update_or_patch + # Block if forbidden violation[{"msg": msg, "details": {}}] { + # spec.securityContext.sysctls field is immutable. + not is_update_or_patch(input.review) + sysctl := input.review.object.spec.securityContext.sysctls[_].name forbidden_sysctl(sysctl) msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls]) @@ -51,6 +56,7 @@ spec: # Block if not explicitly allowed violation[{"msg": msg, "details": {}}] { + not is_update_or_patch(input.review) sysctl := input.review.object.spec.securityContext.sysctls[_].name not allowed_sysctl(sysctl) msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls]) @@ -85,3 +91,12 @@ spec: endswith(allowed, "*") startswith(sysctl, trim_suffix(allowed, "*")) } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } diff --git a/library/pod-security-policy/fsgroup/template.yaml b/library/pod-security-policy/fsgroup/template.yaml index 0839855e2..006d8eb6e 100644 --- a/library/pod-security-policy/fsgroup/template.yaml +++ b/library/pod-security-policy/fsgroup/template.yaml 
@@ -4,7 +4,7 @@ metadata: name: k8spspfsgroup annotations: metadata.gatekeeper.sh/title: "FS Group" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy. For more information, see @@ -47,7 +47,12 @@ spec: rego: | package k8spspfsgroup + import data.lib.exclude_update_patch.is_update_or_patch + violation[{"msg": msg, "details": {}}] { + # spec.securityContext.fsGroup field is immutable. + not is_update_or_patch(input.review) + spec := input.review.object.spec not input_fsGroup_allowed(spec) msg := sprintf("The provided pod spec fsGroup is not allowed, pod: %v. Allowed fsGroup: %v", [input.review.object.metadata.name, input.parameters]) @@ -91,3 +96,12 @@ spec: has_field(object, field) = true { object[field] } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } diff --git a/library/pod-security-policy/host-filesystem/template.yaml b/library/pod-security-policy/host-filesystem/template.yaml index c61305e91..b8d935369 100644 --- a/library/pod-security-policy/host-filesystem/template.yaml +++ b/library/pod-security-policy/host-filesystem/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spsphostfilesystem annotations: metadata.gatekeeper.sh/title: "Host Filesystem" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, 
@@ -42,7 +42,12 @@ spec: rego: | package k8spsphostfilesystem + import data.lib.exclude_update_patch.is_update_or_patch + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update_or_patch(input.review) + volume := input_hostpath_volumes[_] allowedPaths := get_allowed_paths(input) input_hostpath_violation(allowedPaths, volume) @@ -134,3 +139,12 @@ spec: input_containers[c] { c := input.review.object.spec.ephemeralContainers[_] } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } diff --git a/library/pod-security-policy/host-namespaces/template.yaml b/library/pod-security-policy/host-namespaces/template.yaml index 0f84e3481..784112b39 100644 --- a/library/pod-security-policy/host-namespaces/template.yaml +++ b/library/pod-security-policy/host-namespaces/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spsphostnamespace annotations: metadata.gatekeeper.sh/title: "Host Namespace" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. @@ -29,7 +29,12 @@ spec: rego: | package k8spsphostnamespace + import data.lib.exclude_update_patch.is_update_or_patch + violation[{"msg": msg, "details": {}}] { + # spec.hostPID and spec.hostIPC fields are immutable. + not is_update_or_patch(input.review) + input_share_hostnamespace(input.review.object) msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name]) } @@ -40,3 +45,12 @@ spec: input_share_hostnamespace(o) { o.spec.hostIPC } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } 
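Review bot: The rationale `# spec.volumes field is immutable.` covers the hostPath volume list but not what this policy also inspects through `input_containers`, which, per the context line `c := input.review.object.spec.ephemeralContainers[_]`, includes ephemeral containers. An ephemeral container is added only by an UPDATE on the `pods/ephemeralcontainers` subresource and may mount an existing hostPath volume with `readOnly: false`, so if `input_hostpath_violation` (outside this hunk) enforces the `readOnly` part of `allowedHostPaths` by looking at container `volumeMounts`, that enforcement is skipped for every such mount once the webhook sees the subresource. Consider limiting the skip to reviews whose object carries no ephemeral containers, e.g. `not input.review.object.spec.ephemeralContainers` next to the operation guard, and widen the comment to say which sub-check the immutability argument actually covers.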
diff --git a/library/pod-security-policy/host-network-ports/template.yaml b/library/pod-security-policy/host-network-ports/template.yaml index 12cbe960e..e5d830061 100644 --- a/library/pod-security-policy/host-network-ports/template.yaml +++ b/library/pod-security-policy/host-network-ports/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spsphostnetworkingports annotations: metadata.gatekeeper.sh/title: "Host Networking Ports" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the `hostNetwork` and @@ -49,9 +49,13 @@ spec: rego: | package k8spsphostnetworkingports + import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.hostNetwork field is immutable. + not is_update_or_patch(input.review) + input_share_hostnetwork(input.review.object) msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters]) } @@ -86,6 +90,14 @@ spec: not is_exempt(c) } libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } - | package lib.exempt_container diff --git a/library/pod-security-policy/privileged-containers/template.yaml b/library/pod-security-policy/privileged-containers/template.yaml index e1434ebdd..f143a492b 100644 --- a/library/pod-security-policy/privileged-containers/template.yaml +++ b/library/pod-security-policy/privileged-containers/template.yaml 
@@ -4,7 +4,7 @@ metadata: name: k8spspprivilegedcontainer annotations: metadata.gatekeeper.sh/title: "Privileged Container" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more @@ -39,9 +39,13 @@ spec: rego: | package k8spspprivileged + import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.privileged field is immutable. + not is_update_or_patch(input.review) + c := input_containers[_] not is_exempt(c) c.securityContext.privileged @@ -60,6 +64,14 @@ spec: c := input.review.object.spec.ephemeralContainers[_] } libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } - | package lib.exempt_container diff --git a/library/pod-security-policy/proc-mount/template.yaml b/library/pod-security-policy/proc-mount/template.yaml index 1f238a7d3..93423ed2d 100644 --- a/library/pod-security-policy/proc-mount/template.yaml +++ b/library/pod-security-policy/proc-mount/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spspprocmount annotations: metadata.gatekeeper.sh/title: "Proc Mount" - metadata.gatekeeper.sh/version: 1.0.1 + metadata.gatekeeper.sh/version: 1.0.2 description: >- Controls the allowed `procMount` types for the container. Corresponds to the `allowedProcMountTypes` field in a PodSecurityPolicy. For more @@ -50,9 +50,13 @@ spec: rego: | package k8spspprocmount + import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.securityContext.procMount field is immutable. + not is_update_or_patch(input.review) + c := input_containers[_] not is_exempt(c) allowedProcMount := get_allowed_proc_mount(input) 
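Review bot: `input_containers` here sources `input.review.object.spec.ephemeralContainers[_]` (context line in this hunk), and ephemeral containers are added exclusively through an UPDATE on the `pods/ephemeralcontainers` subresource, so the new `not is_update_or_patch(input.review)` guard means a `kubectl debug` container with `securityContext.privileged: true` is never evaluated by this rule when the webhook is configured for that subresource. The immutability argument holds for `containers` and `initContainers` only; the ephemeral case needs an ungated sibling rule, with the `ephemeralContainers` source dropped from `input_containers` (outside this hunk) so a violation is not reported twice. The comment's field path is also wrong and should read `# spec.containers[].securityContext.privileged is immutable.`. The proc-mount hunk below has the same shape and the same ephemeral-container exposure.
```rego
# Ephemeral containers are only ever added by an UPDATE on the
# pods/ephemeralcontainers subresource, so this rule must not be
# gated on the request operation.
violation[{"msg": msg, "details": {}}] {
    c := input.review.object.spec.ephemeralContainers[_]
    not is_exempt(c)
    c.securityContext.privileged
    # … same msg construction as the rule above …
}
```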
@@ -106,6 +110,14 @@ spec: lower(str) == "unmasked" } libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } - | package lib.exempt_container diff --git a/library/pod-security-policy/read-only-root-filesystem/template.yaml b/library/pod-security-policy/read-only-root-filesystem/template.yaml index a98ab0094..eb4d2af5b 100644 --- a/library/pod-security-policy/read-only-root-filesystem/template.yaml +++ b/library/pod-security-policy/read-only-root-filesystem/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spspreadonlyrootfilesystem annotations: metadata.gatekeeper.sh/title: "Read Only Root Filesystem" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Requires the use of a read-only root file system by pod containers. Corresponds to the `readOnlyRootFilesystem` field in a @@ -40,9 +40,13 @@ spec: rego: | package k8spspreadonlyrootfilesystem + import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.readOnlyRootFilesystem field is immutable. + not is_update_or_patch(input.review) + c := input_containers[_] not is_exempt(c) input_read_only_root_fs(c) @@ -71,6 +75,14 @@ spec: object[field] } libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } - | package lib.exempt_container diff --git a/library/pod-security-policy/selinux/template.yaml b/library/pod-security-policy/selinux/template.yaml index fff3cda75..eb88ff6e1 100644 --- a/library/pod-security-policy/selinux/template.yaml +++ b/library/pod-security-policy/selinux/template.yaml 
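Review bot: The rationale comment names a field that does not exist, `spec.containers.readOnlyRootFilesystem`; the checked field lives under `securityContext`, so it should read `# spec.containers[].securityContext.readOnlyRootFilesystem is immutable.`. The privileged-containers comment further up has the same inaccuracy. `input_containers` is outside this hunk; if it also sources `spec.ephemeralContainers`, as the sibling templates do, be aware that those are only ever added on UPDATE and so are never evaluated once this guard is in place.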
@@ -4,7 +4,7 @@ metadata: name: k8spspselinuxv2 annotations: metadata.gatekeeper.sh/title: "SELinux V2" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. @@ -59,16 +59,23 @@ spec: rego: | package k8spspselinux + import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt # Disallow top level custom SELinux options violation[{"msg": msg, "details": {}}] { + # spec.securityContext.seLinuxOptions field is immutable. + not is_update_or_patch(input.review) + has_field(input.review.object.spec.securityContext, "seLinuxOptions") not input_seLinuxOptions_allowed(input.review.object.spec.securityContext.seLinuxOptions) msg := sprintf("SELinux options is not allowed, pod: %v. Allowed options: %v", [input.review.object.metadata.name, input.parameters.allowedSELinuxOptions]) } # Disallow container level custom SELinux options violation[{"msg": msg, "details": {}}] { + # spec.containers.securityContext.seLinuxOptions field is immutable. + not is_update_or_patch(input.review) + c := input_security_context[_] not is_exempt(c) has_field(c.securityContext, "seLinuxOptions") @@ -109,6 +116,14 @@ spec: object[field] } libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } - | package lib.exempt_container diff --git a/library/pod-security-policy/users/template.yaml b/library/pod-security-policy/users/template.yaml index 0d22f23bf..31bfdb163 100644 --- a/library/pod-security-policy/users/template.yaml +++ b/library/pod-security-policy/users/template.yaml 
@@ -4,7 +4,7 @@ metadata: name: k8spspallowedusers annotations: metadata.gatekeeper.sh/title: "Allowed Users" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the user and group IDs of the container and some volumes. Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and @@ -135,9 +135,13 @@ spec: rego: | package k8spspallowedusers + import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt violation[{"msg": msg}] { + # runAsUser, runAsGroup, supplementalGroups, fsGroup fields are immutable. + not is_update_or_patch(input.review) + fields := ["runAsUser", "runAsGroup", "supplementalGroups", "fsGroup"] field := fields[_] container := input_containers[_] @@ -260,6 +264,14 @@ spec: c := input.review.object.spec.ephemeralContainers[_] } libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } - | package lib.exempt_container diff --git a/library/pod-security-policy/volumes/template.yaml b/library/pod-security-policy/volumes/template.yaml index 53f634632..7b4c231a0 100644 --- a/library/pod-security-policy/volumes/template.yaml +++ b/library/pod-security-policy/volumes/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spspvolumetypes annotations: metadata.gatekeeper.sh/title: "Volume Types" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Restricts mountable volume types to those specified by the user. Corresponds to the `volumes` field in a PodSecurityPolicy. For more 
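Review bot: `input_containers` includes `spec.ephemeralContainers[_]` (context line in this hunk), and ephemeral containers arrive only via an UPDATE on `pods/ephemeralcontainers`, so after this change an ephemeral container that sets `runAsUser: 0` is never checked by this rule if the webhook receives that subresource. Keep the guard for the immutable `containers`/`initContainers` sources and evaluate ephemeral containers in an ungated sibling rule; the pod-level `runAsGroup`, `supplementalGroups` and `fsGroup` are immutable and unaffected. The comment should also say where the fields live, e.g. `# spec.securityContext.{runAsUser,runAsGroup,supplementalGroups,fsGroup} and spec.containers[].securityContext.{runAsUser,runAsGroup} are immutable; ephemeral containers are not.`.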
@@ -35,7 +35,12 @@ spec: rego: | package k8spspvolumetypes + import data.lib.exclude_update_patch.is_update_or_patch + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update_or_patch(input.review) + volume_fields := {x | input.review.object.spec.volumes[_][x]; x != "name"} field := volume_fields[_] not input_volume_type_allowed(field) @@ -50,3 +55,12 @@ spec: input_volume_type_allowed(field) { field == input.parameters.volumes[_] } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } diff --git a/website/docs/validation/allow-privilege-escalation.md b/website/docs/validation/allow-privilege-escalation.md index 8645cdaa8..895776177 100644 --- a/website/docs/validation/allow-privilege-escalation.md +++ b/website/docs/validation/allow-privilege-escalation.md @@ -16,7 +16,7 @@ metadata: name: k8spspallowprivilegeescalationcontainer annotations: metadata.gatekeeper.sh/title: "Allow Privilege Escalation in Container" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls restricting escalation to root privileges. Corresponds to the `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more @@ -51,9 +51,13 @@ spec: rego: | package k8spspallowprivilegeescalationcontainer + import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.securityContext.allowPrivilegeEscalation field is immutable. + not is_update_or_patch(input.review) + c := input_containers[_] not is_exempt(c) input_allow_privilege_escalation(c) @@ -80,6 +84,14 @@ spec: object[field] } libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } - | package lib.exempt_container 
diff --git a/website/docs/validation/automount-serviceaccount-token.md b/website/docs/validation/automount-serviceaccount-token.md index 7dddd7477..0d213ff55 100644 --- a/website/docs/validation/automount-serviceaccount-token.md +++ b/website/docs/validation/automount-serviceaccount-token.md @@ -16,7 +16,7 @@ metadata: name: k8spspautomountserviceaccounttokenpod annotations: metadata.gatekeeper.sh/title: "Automount Service Account Token for Pod" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the ability of any Pod to enable automountServiceAccountToken. spec: @@ -34,7 +34,12 @@ spec: rego: | package k8sautomountserviceaccounttoken + import data.lib.exclude_update_patch.is_update_or_patch + violation[{"msg": msg}] { + # spec.automountServiceAccountToken and spec.containers.volumeMounts fields are immutable. + not is_update_or_patch(input.review) + obj := input.review.object mountServiceAccountToken(obj.spec) msg := sprintf("Automounting service account token is disallowed, pod: %v", [obj.metadata.name]) @@ -64,6 +69,15 @@ spec: has_key(x, k) { _ = x[k] } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } ``` diff --git a/website/docs/validation/capabilities.md b/website/docs/validation/capabilities.md index e717bccca..648098623 100644 --- a/website/docs/validation/capabilities.md +++ b/website/docs/validation/capabilities.md @@ -16,7 +16,7 @@ metadata: name: k8spspcapabilities annotations: metadata.gatekeeper.sh/title: "Capabilities" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls Linux capabilities on containers. Corresponds to the `allowedCapabilities` and `requiredDropCapabilities` fields in a 
@@ -62,9 +62,13 @@ spec: rego: | package capabilities + import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt violation[{"msg": msg}] { + # spec.containers.securityContext.capabilities field is immutable. + not is_update_or_patch(input.review) + container := input.review.object.spec.containers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -72,6 +76,7 @@ spec: } violation[{"msg": msg}] { + not is_update_or_patch(input.review) container := input.review.object.spec.containers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -81,6 +86,7 @@ spec: violation[{"msg": msg}] { + not is_update_or_patch(input.review) container := input.review.object.spec.initContainers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -88,6 +94,7 @@ spec: } violation[{"msg": msg}] { + not is_update_or_patch(input.review) container := input.review.object.spec.initContainers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -97,6 +104,7 @@ spec: violation[{"msg": msg}] { + not is_update_or_patch(input.review) container := input.review.object.spec.ephemeralContainers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -104,6 +112,7 @@ spec: } violation[{"msg": msg}] { + not is_update_or_patch(input.review) container := input.review.object.spec.ephemeralContainers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -138,6 +147,14 @@ spec: out = _default } libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } - | package lib.exempt_container diff --git a/website/docs/validation/ephemeralstoragelimit.md b/website/docs/validation/ephemeralstoragelimit.md index 1042c4fcb..e757231fb 100644 --- a/website/docs/validation/ephemeralstoragelimit.md +++ b/website/docs/validation/ephemeralstoragelimit.md 
@@ -17,7 +17,7 @@ metadata: name: k8scontainerephemeralstoragelimit annotations: metadata.gatekeeper.sh/title: "Container ephemeral storage limit" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values. @@ -51,6 +51,7 @@ spec: rego: | package k8scontainerephemeralstoragelimit + import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt missing(obj, field) = true { @@ -163,10 +164,14 @@ spec: } violation[{"msg": msg}] { + # spec.containers.resources.limits["ephemeral-storage"] field is immutable. + not is_update_or_patch(input.review) + general_violation[{"msg": msg, "field": "containers"}] } violation[{"msg": msg}] { + not is_update_or_patch(input.review) general_violation[{"msg": msg, "field": "initContainers"}] } @@ -212,6 +217,14 @@ spec: msg := sprintf("container <%v> ephemeral-storage limit <%v> is higher than the maximum allowed of <%v>", [container.name, storage_orig, max_storage_orig]) } libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } - | package lib.exempt_container diff --git a/website/docs/validation/flexvolume-drivers.md b/website/docs/validation/flexvolume-drivers.md index 3049852ab..f279a60e9 100644 --- a/website/docs/validation/flexvolume-drivers.md +++ b/website/docs/validation/flexvolume-drivers.md @@ -16,7 +16,7 @@ metadata: name: k8spspflexvolumes annotations: metadata.gatekeeper.sh/title: "FlexVolumes" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the allowlist of FlexVolume drivers. Corresponds to the `allowedFlexVolumes` field in PodSecurityPolicy. For more information, 
@@ -51,7 +51,12 @@ spec: rego: | package k8spspflexvolumes + import data.lib.exclude_update_patch.is_update_or_patch + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update_or_patch(input.review) + volume := input_flexvolumes[_] not input_flexvolumes_allowed(volume) msg := sprintf("FlexVolume %v is not allowed, pod: %v. Allowed drivers: %v", [volume, input.review.object.metadata.name, input.parameters.allowedFlexVolumes]) @@ -70,6 +75,15 @@ spec: has_field(object, field) = true { object[field] } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } ``` diff --git a/website/docs/validation/forbidden-sysctls.md b/website/docs/validation/forbidden-sysctls.md index 2cb1a25f4..8db297830 100644 --- a/website/docs/validation/forbidden-sysctls.md +++ b/website/docs/validation/forbidden-sysctls.md @@ -16,7 +16,7 @@ metadata: name: k8spspforbiddensysctls annotations: metadata.gatekeeper.sh/title: "Forbidden Sysctls" - metadata.gatekeeper.sh/version: 1.1.1 + metadata.gatekeeper.sh/version: 1.1.2 description: >- Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. @@ -54,8 +54,13 @@ spec: rego: | package k8spspforbiddensysctls + import data.lib.exclude_update_patch.is_update_or_patch + # Block if forbidden violation[{"msg": msg, "details": {}}] { + # spec.securityContext.sysctls field is immutable. + not is_update_or_patch(input.review) + sysctl := input.review.object.spec.securityContext.sysctls[_].name forbidden_sysctl(sysctl) msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls]) 
@@ -63,6 +68,7 @@ spec: # Block if not explicitly allowed violation[{"msg": msg, "details": {}}] { + not is_update_or_patch(input.review) sysctl := input.review.object.spec.securityContext.sysctls[_].name not allowed_sysctl(sysctl) msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls]) @@ -97,6 +103,15 @@ spec: endswith(allowed, "*") startswith(sysctl, trim_suffix(allowed, "*")) } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } ``` diff --git a/website/docs/validation/fsgroup.md b/website/docs/validation/fsgroup.md index 9e99d2362..08eca2db4 100644 --- a/website/docs/validation/fsgroup.md +++ b/website/docs/validation/fsgroup.md @@ -16,7 +16,7 @@ metadata: name: k8spspfsgroup annotations: metadata.gatekeeper.sh/title: "FS Group" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy. For more information, see @@ -59,7 +59,12 @@ spec: rego: | package k8spspfsgroup + import data.lib.exclude_update_patch.is_update_or_patch + violation[{"msg": msg, "details": {}}] { + # spec.securityContext.fsGroup field is immutable. + not is_update_or_patch(input.review) + spec := input.review.object.spec not input_fsGroup_allowed(spec) msg := sprintf("The provided pod spec fsGroup is not allowed, pod: %v. Allowed fsGroup: %v", [input.review.object.metadata.name, input.parameters]) @@ -103,6 +108,15 @@ spec: has_field(object, field) = true { object[field] } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } ``` 
diff --git a/website/docs/validation/host-filesystem.md b/website/docs/validation/host-filesystem.md index f1f407799..0a8a104f4 100644 --- a/website/docs/validation/host-filesystem.md +++ b/website/docs/validation/host-filesystem.md @@ -16,7 +16,7 @@ metadata: name: k8spsphostfilesystem annotations: metadata.gatekeeper.sh/title: "Host Filesystem" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, @@ -54,7 +54,12 @@ spec: rego: | package k8spsphostfilesystem + import data.lib.exclude_update_patch.is_update_or_patch + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update_or_patch(input.review) + volume := input_hostpath_volumes[_] allowedPaths := get_allowed_paths(input) input_hostpath_violation(allowedPaths, volume) @@ -146,6 +151,15 @@ spec: input_containers[c] { c := input.review.object.spec.ephemeralContainers[_] } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } ``` diff --git a/website/docs/validation/host-namespaces.md b/website/docs/validation/host-namespaces.md index 869b8a37c..76ee3b8df 100644 --- a/website/docs/validation/host-namespaces.md +++ b/website/docs/validation/host-namespaces.md @@ -16,7 +16,7 @@ metadata: name: k8spsphostnamespace annotations: metadata.gatekeeper.sh/title: "Host Namespace" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. 
@@ -41,7 +41,12 @@ spec: rego: | package k8spsphostnamespace + import data.lib.exclude_update_patch.is_update_or_patch + violation[{"msg": msg, "details": {}}] { + # spec.hostPID and spec.hostIPC fields are immutable. + not is_update_or_patch(input.review) + input_share_hostnamespace(input.review.object) msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name]) } @@ -52,6 +57,15 @@ spec: input_share_hostnamespace(o) { o.spec.hostIPC } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } ``` diff --git a/website/docs/validation/host-network-ports.md b/website/docs/validation/host-network-ports.md index 96827b4fa..bd676d6d3 100644 --- a/website/docs/validation/host-network-ports.md +++ b/website/docs/validation/host-network-ports.md @@ -16,7 +16,7 @@ metadata: name: k8spsphostnetworkingports annotations: metadata.gatekeeper.sh/title: "Host Networking Ports" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the `hostNetwork` and @@ -61,9 +61,13 @@ spec: rego: | package k8spsphostnetworkingports + import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.hostNetwork field is immutable. + not is_update_or_patch(input.review) + input_share_hostnetwork(input.review.object) msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters]) } @@ -98,6 +102,14 @@ spec: not is_exempt(c) } libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } - | package lib.exempt_container 
diff --git a/website/docs/validation/privileged-containers.md b/website/docs/validation/privileged-containers.md index b4c1f5532..d2f4c41fc 100644 --- a/website/docs/validation/privileged-containers.md +++ b/website/docs/validation/privileged-containers.md @@ -16,7 +16,7 @@ metadata: name: k8spspprivilegedcontainer annotations: metadata.gatekeeper.sh/title: "Privileged Container" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more @@ -51,9 +51,13 @@ spec: rego: | package k8spspprivileged + import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.privileged field is immutable. + not is_update_or_patch(input.review) + c := input_containers[_] not is_exempt(c) c.securityContext.privileged @@ -72,6 +76,14 @@ spec: c := input.review.object.spec.ephemeralContainers[_] } libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } - | package lib.exempt_container diff --git a/website/docs/validation/proc-mount.md b/website/docs/validation/proc-mount.md index ae322778e..aa46cd570 100644 --- a/website/docs/validation/proc-mount.md +++ b/website/docs/validation/proc-mount.md @@ -16,7 +16,7 @@ metadata: name: k8spspprocmount annotations: metadata.gatekeeper.sh/title: "Proc Mount" - metadata.gatekeeper.sh/version: 1.0.1 + metadata.gatekeeper.sh/version: 1.0.2 description: >- Controls the allowed `procMount` types for the container. Corresponds to the `allowedProcMountTypes` field in a PodSecurityPolicy. For more 
@@ -62,9 +62,13 @@ spec: rego: | package k8spspprocmount + import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.securityContext.procMount field is immutable. + not is_update_or_patch(input.review) + c := input_containers[_] not is_exempt(c) allowedProcMount := get_allowed_proc_mount(input) @@ -118,6 +122,14 @@ spec: lower(str) == "unmasked" } libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } - | package lib.exempt_container diff --git a/website/docs/validation/read-only-root-filesystem.md b/website/docs/validation/read-only-root-filesystem.md index d2f0a3e26..20ba2d9a7 100644 --- a/website/docs/validation/read-only-root-filesystem.md +++ b/website/docs/validation/read-only-root-filesystem.md @@ -16,7 +16,7 @@ metadata: name: k8spspreadonlyrootfilesystem annotations: metadata.gatekeeper.sh/title: "Read Only Root Filesystem" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Requires the use of a read-only root file system by pod containers. Corresponds to the `readOnlyRootFilesystem` field in a @@ -52,9 +52,13 @@ spec: rego: | package k8spspreadonlyrootfilesystem + import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { + # spec.containers.readOnlyRootFilesystem field is immutable. + not is_update_or_patch(input.review) + c := input_containers[_] not is_exempt(c) input_read_only_root_fs(c) @@ -83,6 +87,14 @@ spec: object[field] } libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } - | package lib.exempt_container 
diff --git a/website/docs/validation/requiredprobes.md b/website/docs/validation/requiredprobes.md index fd0e743c5..2097275a0 100644 --- a/website/docs/validation/requiredprobes.md +++ b/website/docs/validation/requiredprobes.md @@ -16,7 +16,7 @@ metadata: name: k8srequiredprobes annotations: metadata.gatekeeper.sh/title: "Required Probes" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: Requires Pods to have readiness and/or liveness probes. spec: crd: @@ -42,11 +42,16 @@ spec: rego: | package k8srequiredprobes + import data.lib.exclude_update_patch.is_update_or_patch + probe_type_set = probe_types { probe_types := {type | type := input.parameters.probeTypes[_]} } violation[{"msg": msg}] { + # Probe fields are immutable. + not is_update_or_patch(input.review) + container := input.review.object.spec.containers[_] probe := input.parameters.probes[_] probe_is_missing(container, probe) @@ -70,6 +75,15 @@ spec: get_violation_message(container, review, probe) = msg { msg := sprintf("Container <%v> in your <%v> <%v> has no <%v>", [container.name, review.kind.kind, review.object.metadata.name, probe]) } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } ``` diff --git a/website/docs/validation/selinux.md b/website/docs/validation/selinux.md index 3366abc23..d3e672a44 100644 --- a/website/docs/validation/selinux.md +++ b/website/docs/validation/selinux.md @@ -16,7 +16,7 @@ metadata: name: k8spspselinuxv2 annotations: metadata.gatekeeper.sh/title: "SELinux V2" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. 
@@ -71,16 +71,23 @@ spec: rego: | package k8spspselinux + import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt # Disallow top level custom SELinux options violation[{"msg": msg, "details": {}}] { + # spec.securityContext.seLinuxOptions field is immutable. + not is_update_or_patch(input.review) + has_field(input.review.object.spec.securityContext, "seLinuxOptions") not input_seLinuxOptions_allowed(input.review.object.spec.securityContext.seLinuxOptions) msg := sprintf("SELinux options is not allowed, pod: %v. Allowed options: %v", [input.review.object.metadata.name, input.parameters.allowedSELinuxOptions]) } # Disallow container level custom SELinux options violation[{"msg": msg, "details": {}}] { + # spec.containers.securityContext.seLinuxOptions field is immutable. + not is_update_or_patch(input.review) + c := input_security_context[_] not is_exempt(c) has_field(c.securityContext, "seLinuxOptions") @@ -121,6 +128,14 @@ spec: object[field] } libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } - | package lib.exempt_container diff --git a/website/docs/validation/users.md b/website/docs/validation/users.md index 9fe178fc3..adec28e88 100644 --- a/website/docs/validation/users.md +++ b/website/docs/validation/users.md @@ -16,7 +16,7 @@ metadata: name: k8spspallowedusers annotations: metadata.gatekeeper.sh/title: "Allowed Users" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Controls the user and group IDs of the container and some volumes. Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and 
@@ -147,9 +147,13 @@ spec: rego: | package k8spspallowedusers + import data.lib.exclude_update_patch.is_update_or_patch import data.lib.exempt_container.is_exempt violation[{"msg": msg}] { + # runAsUser, runAsGroup, supplementalGroups, fsGroup fields are immutable. + not is_update_or_patch(input.review) + fields := ["runAsUser", "runAsGroup", "supplementalGroups", "fsGroup"] field := fields[_] container := input_containers[_] @@ -272,6 +276,14 @@ spec: c := input.review.object.spec.ephemeralContainers[_] } libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } - | package lib.exempt_container diff --git a/website/docs/validation/volumes.md b/website/docs/validation/volumes.md index 11c6307d3..0ebc5cb07 100644 --- a/website/docs/validation/volumes.md +++ b/website/docs/validation/volumes.md @@ -16,7 +16,7 @@ metadata: name: k8spspvolumetypes annotations: metadata.gatekeeper.sh/title: "Volume Types" - metadata.gatekeeper.sh/version: 1.0.0 + metadata.gatekeeper.sh/version: 1.0.1 description: >- Restricts mountable volume types to those specified by the user. Corresponds to the `volumes` field in a PodSecurityPolicy. For more @@ -47,7 +47,12 @@ spec: rego: | package k8spspvolumetypes + import data.lib.exclude_update_patch.is_update_or_patch + violation[{"msg": msg, "details": {}}] { + # spec.volumes field is immutable. + not is_update_or_patch(input.review) + volume_fields := {x | input.review.object.spec.volumes[_][x]; x != "name"} field := volume_fields[_] not input_volume_type_allowed(field) @@ -62,6 +67,15 @@ spec: input_volume_type_allowed(field) { field == input.parameters.volumes[_] } + libs: + - | + package lib.exclude_update_patch + + import future.keywords.in + + is_update_or_patch(review) { + review.operation in ["UPDATE", "PATCH"] + } ``` From 9ba85932ae86f4fdc945dc287d5b57e3a2c24e4a Mon Sep 17 00:00:00 2001 
From: Hidehito Yabuuchi Date: Tue, 1 Aug 2023 17:29:02 +0900 Subject: [PATCH 04/11] Exclude `UPDATE` operation only 
Signed-off-by: Hidehito Yabuuchi --- .../constraint.tmpl | 2 +- .../lib_exclude_update.rego | 7 +++++++ .../lib_exclude_update_patch.rego | 7 ------- .../automount-serviceaccount-token/src.rego | 4 ++-- .../ephemeralstoragelimit/constraint.tmpl | 2 +- .../lib_exclude_update.rego | 7 +++++++ .../lib_exclude_update_patch.rego | 7 ------- src/general/ephemeralstoragelimit/src.rego | 6 +++--- src/general/requiredprobes/constraint.tmpl | 2 +- .../requiredprobes/lib_exclude_update.rego | 7 +++++++ .../lib_exclude_update_patch.rego | 7 ------- src/general/requiredprobes/src.rego | 4 ++-- .../allow-privilege-escalation/constraint.tmpl | 2 +- .../lib_exclude_update.rego | 7 +++++++ .../lib_exclude_update_patch.rego | 7 ------- .../allow-privilege-escalation/src.rego | 4 ++-- .../capabilities/constraint.tmpl | 2 +- .../capabilities/lib_exclude_update.rego | 7 +++++++ .../capabilities/lib_exclude_update_patch.rego | 7 ------- src/pod-security-policy/capabilities/src.rego | 14 +++++++------- .../flexvolume-drivers/constraint.tmpl | 2 +- .../flexvolume-drivers/lib_exclude_update.rego | 7 +++++++ .../lib_exclude_update_patch.rego | 7 ------- .../flexvolume-drivers/src.rego | 4 ++-- .../forbidden-sysctls/constraint.tmpl | 2 +- .../forbidden-sysctls/lib_exclude_update.rego | 7 +++++++ .../lib_exclude_update_patch.rego | 7 ------- .../forbidden-sysctls/src.rego | 6 +++--- src/pod-security-policy/fsgroup/constraint.tmpl | 2 +- .../fsgroup/lib_exclude_update.rego | 7 +++++++ .../fsgroup/lib_exclude_update_patch.rego | 7 ------- src/pod-security-policy/fsgroup/src.rego | 4 ++-- .../host-filesystem/constraint.tmpl | 2 +- .../host-filesystem/lib_exclude_update.rego | 7 +++++++ .../lib_exclude_update_patch.rego | 7 ------- .../host-filesystem/src.rego | 4 ++-- .../host-namespaces/constraint.tmpl | 2 +- .../host-namespaces/lib_exclude_update.rego | 7 +++++++ .../lib_exclude_update_patch.rego | 7 ------- .../host-namespaces/src.rego | 4 ++-- .../host-network-ports/constraint.tmpl | 2 +- 
.../host-network-ports/lib_exclude_update.rego | 7 +++++++ .../lib_exclude_update_patch.rego | 7 ------- .../host-network-ports/src.rego | 4 ++-- .../privileged-containers/constraint.tmpl | 2 +- .../lib_exclude_update.rego | 7 +++++++ .../lib_exclude_update_patch.rego | 7 ------- .../privileged-containers/src.rego | 4 ++-- .../proc-mount/constraint.tmpl | 2 +- .../proc-mount/lib_exclude_update.rego | 7 +++++++ .../proc-mount/lib_exclude_update_patch.rego | 7 ------- src/pod-security-policy/proc-mount/src.rego | 4 ++-- .../read-only-root-filesystem/constraint.tmpl | 2 +- .../lib_exclude_update.rego | 7 +++++++ .../lib_exclude_update_patch.rego | 7 ------- .../read-only-root-filesystem/src.rego | 4 ++-- src/pod-security-policy/selinux/constraint.tmpl | 2 +- .../selinux/lib_exclude_update.rego | 7 +++++++ .../selinux/lib_exclude_update_patch.rego | 7 ------- src/pod-security-policy/selinux/src.rego | 6 +++--- src/pod-security-policy/users/constraint.tmpl | 2 +- .../users/lib_exclude_update.rego | 7 +++++++ .../users/lib_exclude_update_patch.rego | 7 ------- src/pod-security-policy/users/src.rego | 4 ++-- src/pod-security-policy/volumes/constraint.tmpl | 2 +- .../volumes/lib_exclude_update.rego | 7 +++++++ .../volumes/lib_exclude_update_patch.rego | 7 ------- src/pod-security-policy/volumes/src.rego | 4 ++-- .../lib_exclude_update/lib_exclude_update.rego | 7 +++++++ .../lib_exclude_update_test.rego | 13 +++++++++++++ .../lib_exclude_update_patch.rego | 7 ------- .../lib_exclude_update_patch_test.rego | 17 ----------------- 72 files changed, 198 insertions(+), 202 deletions(-) create mode 100644 src/general/automount-serviceaccount-token/lib_exclude_update.rego delete mode 100644 src/general/automount-serviceaccount-token/lib_exclude_update_patch.rego create mode 100644 src/general/ephemeralstoragelimit/lib_exclude_update.rego delete mode 100644 src/general/ephemeralstoragelimit/lib_exclude_update_patch.rego create mode 100644 
src/general/requiredprobes/lib_exclude_update.rego delete mode 100644 src/general/requiredprobes/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/allow-privilege-escalation/lib_exclude_update.rego delete mode 100644 src/pod-security-policy/allow-privilege-escalation/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/capabilities/lib_exclude_update.rego delete mode 100644 src/pod-security-policy/capabilities/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/flexvolume-drivers/lib_exclude_update.rego delete mode 100644 src/pod-security-policy/flexvolume-drivers/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/forbidden-sysctls/lib_exclude_update.rego delete mode 100644 src/pod-security-policy/forbidden-sysctls/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/fsgroup/lib_exclude_update.rego delete mode 100644 src/pod-security-policy/fsgroup/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/host-filesystem/lib_exclude_update.rego delete mode 100644 src/pod-security-policy/host-filesystem/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/host-namespaces/lib_exclude_update.rego delete mode 100644 src/pod-security-policy/host-namespaces/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/host-network-ports/lib_exclude_update.rego delete mode 100644 src/pod-security-policy/host-network-ports/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/privileged-containers/lib_exclude_update.rego delete mode 100644 src/pod-security-policy/privileged-containers/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/proc-mount/lib_exclude_update.rego delete mode 100644 src/pod-security-policy/proc-mount/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/read-only-root-filesystem/lib_exclude_update.rego delete mode 100644 
src/pod-security-policy/read-only-root-filesystem/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/selinux/lib_exclude_update.rego delete mode 100644 src/pod-security-policy/selinux/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/users/lib_exclude_update.rego delete mode 100644 src/pod-security-policy/users/lib_exclude_update_patch.rego create mode 100644 src/pod-security-policy/volumes/lib_exclude_update.rego delete mode 100644 src/pod-security-policy/volumes/lib_exclude_update_patch.rego create mode 100644 src/rego/lib_exclude_update/lib_exclude_update.rego create mode 100644 src/rego/lib_exclude_update/lib_exclude_update_test.rego delete mode 100644 src/rego/lib_exclude_update_patch/lib_exclude_update_patch.rego delete mode 100644 src/rego/lib_exclude_update_patch/lib_exclude_update_patch_test.rego diff --git a/src/general/automount-serviceaccount-token/constraint.tmpl b/src/general/automount-serviceaccount-token/constraint.tmpl index 92f40feed..9b5a9531b 100644 --- a/src/general/automount-serviceaccount-token/constraint.tmpl +++ b/src/general/automount-serviceaccount-token/constraint.tmpl @@ -23,4 +23,4 @@ spec: {{ file.Read "src/general/automount-serviceaccount-token/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | -{{ file.Read "src/general/automount-serviceaccount-token/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} +{{ file.Read "src/general/automount-serviceaccount-token/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/general/automount-serviceaccount-token/lib_exclude_update.rego b/src/general/automount-serviceaccount-token/lib_exclude_update.rego new file mode 100644 index 000000000..c176132fb --- /dev/null +++ b/src/general/automount-serviceaccount-token/lib_exclude_update.rego @@ -0,0 +1,7 @@ +package lib.exclude_update + +import future.keywords.in + +is_update(review) { + review.operation == "UPDATE" +} 
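Review bot: `import future.keywords.in` in the new src/general/automount-serviceaccount-token/lib_exclude_update.rego is now unused, since `is_update` tests `review.operation == "UPDATE"` rather than list membership; drop the import here and in the identical copies for ephemeralstoragelimit, requiredprobes and allow-privilege-escalation below (the canonical src/rego copy is outside this chunk and presumably carries the same leftover). The commit message only states that UPDATE alone is excluded now; a one-line comment in the library would keep the rationale next to the code, e.g. `# AdmissionReview operations are CREATE/UPDATE/DELETE/CONNECT; a PATCH request is reported as UPDATE, so only UPDATE needs excluding.`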
diff --git a/src/general/automount-serviceaccount-token/lib_exclude_update_patch.rego b/src/general/automount-serviceaccount-token/lib_exclude_update_patch.rego deleted file mode 100644 index fb666035e..000000000 --- a/src/general/automount-serviceaccount-token/lib_exclude_update_patch.rego +++ /dev/null @@ -1,7 +0,0 @@ -package lib.exclude_update_patch - -import future.keywords.in - -is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] -} diff --git a/src/general/automount-serviceaccount-token/src.rego b/src/general/automount-serviceaccount-token/src.rego index d466dcf22..55f6f43a7 100644 --- a/src/general/automount-serviceaccount-token/src.rego +++ b/src/general/automount-serviceaccount-token/src.rego @@ -1,10 +1,10 @@ package k8sautomountserviceaccounttoken -import data.lib.exclude_update_patch.is_update_or_patch +import data.lib.exclude_update.is_update violation[{"msg": msg}] { # spec.automountServiceAccountToken and spec.containers.volumeMounts fields are immutable. - not is_update_or_patch(input.review) + not is_update(input.review) obj := input.review.object mountServiceAccountToken(obj.spec) diff --git a/src/general/ephemeralstoragelimit/constraint.tmpl b/src/general/ephemeralstoragelimit/constraint.tmpl index 5c4f833e1..827b6bd52 100644 --- a/src/general/ephemeralstoragelimit/constraint.tmpl +++ b/src/general/ephemeralstoragelimit/constraint.tmpl @@ -39,6 +39,6 @@ spec: {{ file.Read "src/general/ephemeralstoragelimit/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | -{{ file.Read "src/general/ephemeralstoragelimit/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} +{{ file.Read "src/general/ephemeralstoragelimit/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} - | {{ file.Read "src/general/ephemeralstoragelimit/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} 
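Review bot: The guard `not is_update(input.review)` in src/general/automount-serviceaccount-token/src.rego rests on the comment's immutability claim, which holds for a Pod's own spec but not for every update the webhook can receive about a pod: ephemeral containers are added through an UPDATE on the pod's `ephemeralcontainers` subresource, so any rule in this series that inspects `spec.ephemeralContainers` (the capabilities rules shown in the docs hunks above) stops seeing them if the webhook receives that subresource. Consider narrowing the skip, for instance applying it only when `input.review.subResource` is unset, or leaving the ephemeralContainers rules unguarded; the ephemeralstoragelimit and requiredprobes src.rego hunks below use the same guard. It is also worth confirming how the skip behaves for constraints matched to workload kinds or for Gatekeeper's expansion of a parent UPDATE into Pod reviews, since the immutability argument only applies to the Pod resource itself. Because the guard is a negation, a review with no `operation` (audit) is still evaluated, which is the right default and deserves a comment such as `# reviews without an operation (audit) are still evaluated`.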
diff --git a/src/general/ephemeralstoragelimit/lib_exclude_update.rego b/src/general/ephemeralstoragelimit/lib_exclude_update.rego new file mode 100644 index 000000000..c176132fb --- /dev/null +++ b/src/general/ephemeralstoragelimit/lib_exclude_update.rego @@ -0,0 +1,7 @@ +package lib.exclude_update + +import future.keywords.in + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/general/ephemeralstoragelimit/lib_exclude_update_patch.rego b/src/general/ephemeralstoragelimit/lib_exclude_update_patch.rego deleted file mode 100644 index fb666035e..000000000 --- a/src/general/ephemeralstoragelimit/lib_exclude_update_patch.rego +++ /dev/null @@ -1,7 +0,0 @@ -package lib.exclude_update_patch - -import future.keywords.in - -is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] -} diff --git a/src/general/ephemeralstoragelimit/src.rego b/src/general/ephemeralstoragelimit/src.rego index 80c17cc1e..88100fbf5 100644 --- a/src/general/ephemeralstoragelimit/src.rego +++ b/src/general/ephemeralstoragelimit/src.rego @@ -1,6 +1,6 @@ package k8scontainerephemeralstoragelimit -import data.lib.exclude_update_patch.is_update_or_patch +import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt missing(obj, field) = true { @@ -114,13 +114,13 @@ canonify_storage(orig) = new { violation[{"msg": msg}] { # spec.containers.resources.limits["ephemeral-storage"] field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) general_violation[{"msg": msg, "field": "containers"}] } violation[{"msg": msg}] { - not is_update_or_patch(input.review) + not is_update(input.review) general_violation[{"msg": msg, "field": "initContainers"}] } diff --git a/src/general/requiredprobes/constraint.tmpl b/src/general/requiredprobes/constraint.tmpl index 34dc8389f..7ebfbb77a 100644 --- a/src/general/requiredprobes/constraint.tmpl +++ b/src/general/requiredprobes/constraint.tmpl 
@@ -31,4 +31,4 @@ spec: {{ file.Read "src/general/requiredprobes/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | -{{ file.Read "src/general/requiredprobes/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} +{{ file.Read "src/general/requiredprobes/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/general/requiredprobes/lib_exclude_update.rego b/src/general/requiredprobes/lib_exclude_update.rego new file mode 100644 index 000000000..c176132fb --- /dev/null +++ b/src/general/requiredprobes/lib_exclude_update.rego @@ -0,0 +1,7 @@ +package lib.exclude_update + +import future.keywords.in + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/general/requiredprobes/lib_exclude_update_patch.rego b/src/general/requiredprobes/lib_exclude_update_patch.rego deleted file mode 100644 index fb666035e..000000000 --- a/src/general/requiredprobes/lib_exclude_update_patch.rego +++ /dev/null @@ -1,7 +0,0 @@ -package lib.exclude_update_patch - -import future.keywords.in - -is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] -} diff --git a/src/general/requiredprobes/src.rego b/src/general/requiredprobes/src.rego index 4158942c1..b94ca6f2c 100644 --- a/src/general/requiredprobes/src.rego +++ b/src/general/requiredprobes/src.rego @@ -1,6 +1,6 @@ package k8srequiredprobes -import data.lib.exclude_update_patch.is_update_or_patch +import data.lib.exclude_update.is_update probe_type_set = probe_types { probe_types := {type | type := input.parameters.probeTypes[_]} @@ -8,7 +8,7 @@ probe_type_set = probe_types { violation[{"msg": msg}] { # Probe fields are immutable. - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.containers[_] probe := input.parameters.probes[_] 
diff --git a/src/pod-security-policy/allow-privilege-escalation/constraint.tmpl b/src/pod-security-policy/allow-privilege-escalation/constraint.tmpl index 7b9df6b2c..e5f6f323f 100644 --- a/src/pod-security-policy/allow-privilege-escalation/constraint.tmpl +++ b/src/pod-security-policy/allow-privilege-escalation/constraint.tmpl @@ -40,6 +40,6 @@ spec: {{ file.Read "src/pod-security-policy/allow-privilege-escalation/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | -{{ file.Read "src/pod-security-policy/allow-privilege-escalation/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} +{{ file.Read "src/pod-security-policy/allow-privilege-escalation/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} - | {{ file.Read "src/pod-security-policy/allow-privilege-escalation/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/allow-privilege-escalation/lib_exclude_update.rego b/src/pod-security-policy/allow-privilege-escalation/lib_exclude_update.rego new file mode 100644 index 000000000..c176132fb --- /dev/null +++ b/src/pod-security-policy/allow-privilege-escalation/lib_exclude_update.rego @@ -0,0 +1,7 @@ +package lib.exclude_update + +import future.keywords.in + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/allow-privilege-escalation/lib_exclude_update_patch.rego b/src/pod-security-policy/allow-privilege-escalation/lib_exclude_update_patch.rego deleted file mode 100644 index fb666035e..000000000 --- a/src/pod-security-policy/allow-privilege-escalation/lib_exclude_update_patch.rego +++ /dev/null @@ -1,7 +0,0 @@ -package lib.exclude_update_patch - -import future.keywords.in - -is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] -} 
diff --git a/src/pod-security-policy/allow-privilege-escalation/src.rego b/src/pod-security-policy/allow-privilege-escalation/src.rego index 386afc1bf..7c9d74bc1 100644 --- a/src/pod-security-policy/allow-privilege-escalation/src.rego +++ b/src/pod-security-policy/allow-privilege-escalation/src.rego @@ -1,11 +1,11 @@ package k8spspallowprivilegeescalationcontainer -import data.lib.exclude_update_patch.is_update_or_patch +import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { # spec.containers.securityContext.allowPrivilegeEscalation field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) c := input_containers[_] not is_exempt(c) diff --git a/src/pod-security-policy/capabilities/constraint.tmpl b/src/pod-security-policy/capabilities/constraint.tmpl index 0bfc234ac..88bd9e262 100644 --- a/src/pod-security-policy/capabilities/constraint.tmpl +++ b/src/pod-security-policy/capabilities/constraint.tmpl @@ -51,6 +51,6 @@ spec: {{ file.Read "src/pod-security-policy/capabilities/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | -{{ file.Read "src/pod-security-policy/capabilities/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} +{{ file.Read "src/pod-security-policy/capabilities/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} - | {{ file.Read "src/pod-security-policy/capabilities/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/capabilities/lib_exclude_update.rego b/src/pod-security-policy/capabilities/lib_exclude_update.rego new file mode 100644 index 000000000..c176132fb --- /dev/null +++ b/src/pod-security-policy/capabilities/lib_exclude_update.rego @@ -0,0 +1,7 @@ +package lib.exclude_update + +import future.keywords.in + +is_update(review) { + review.operation == "UPDATE" +} 
diff --git a/src/pod-security-policy/capabilities/lib_exclude_update_patch.rego b/src/pod-security-policy/capabilities/lib_exclude_update_patch.rego deleted file mode 100644 index fb666035e..000000000 --- a/src/pod-security-policy/capabilities/lib_exclude_update_patch.rego +++ /dev/null @@ -1,7 +0,0 @@ -package lib.exclude_update_patch - -import future.keywords.in - -is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] -} diff --git a/src/pod-security-policy/capabilities/src.rego b/src/pod-security-policy/capabilities/src.rego index 13e861009..b60b26a3f 100644 --- a/src/pod-security-policy/capabilities/src.rego +++ b/src/pod-security-policy/capabilities/src.rego @@ -1,11 +1,11 @@ package capabilities -import data.lib.exclude_update_patch.is_update_or_patch +import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg}] { # spec.containers.securityContext.capabilities field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.containers[_] not is_exempt(container) @@ -14,7 +14,7 @@ violation[{"msg": msg}] { } violation[{"msg": msg}] { - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.containers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -24,7 +24,7 @@ violation[{"msg": msg}] { violation[{"msg": msg}] { - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.initContainers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -32,7 +32,7 @@ violation[{"msg": msg}] { } violation[{"msg": msg}] { - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.initContainers[_] not is_exempt(container) missing_drop_capabilities(container) 
@@ -42,7 +42,7 @@ violation[{"msg": msg}] { violation[{"msg": msg}] { - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.ephemeralContainers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -50,7 +50,7 @@ violation[{"msg": msg}] { } violation[{"msg": msg}] { - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.ephemeralContainers[_] not is_exempt(container) missing_drop_capabilities(container) diff --git a/src/pod-security-policy/flexvolume-drivers/constraint.tmpl b/src/pod-security-policy/flexvolume-drivers/constraint.tmpl index 19654546f..e0a7b51df 100644 --- a/src/pod-security-policy/flexvolume-drivers/constraint.tmpl +++ b/src/pod-security-policy/flexvolume-drivers/constraint.tmpl @@ -40,4 +40,4 @@ spec: {{ file.Read "src/pod-security-policy/flexvolume-drivers/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | -{{ file.Read "src/pod-security-policy/flexvolume-drivers/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} +{{ file.Read "src/pod-security-policy/flexvolume-drivers/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/flexvolume-drivers/lib_exclude_update.rego b/src/pod-security-policy/flexvolume-drivers/lib_exclude_update.rego new file mode 100644 index 000000000..c176132fb --- /dev/null +++ b/src/pod-security-policy/flexvolume-drivers/lib_exclude_update.rego @@ -0,0 +1,7 @@ +package lib.exclude_update + +import future.keywords.in + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/flexvolume-drivers/lib_exclude_update_patch.rego b/src/pod-security-policy/flexvolume-drivers/lib_exclude_update_patch.rego deleted file mode 100644 index fb666035e..000000000 --- a/src/pod-security-policy/flexvolume-drivers/lib_exclude_update_patch.rego +++ /dev/null 
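Review bot: The two ephemeralContainers rules at -42 and -50 now skip evaluation on every UPDATE, but the immutability rationale given at the top of this file (`spec.containers.securityContext.capabilities field is immutable`) does not hold for spec.ephemeralContainers, which is populated after creation through an UPDATE of the pod's `ephemeralcontainers` subresource. If such requests reach this constraint (that depends on webhook and match configuration not visible here), an ephemeral container with a disallowed or non-dropped capability would pass unchecked. Drop the `not is_update(input.review)` line from those two rules only, or scope the guard so it does not apply when `input.review.subResource == "ephemeralcontainers"`, and add a short comment explaining why the guard differs there. Both rule bodies continue past their hunks. The helper-based policies (allow-privilege-escalation, privileged-containers, proc-mount, read-only-root-filesystem) may have the same gap if their `input_containers` helper enumerates ephemeral containers, which this diff does not show.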
@@ -1,7 +0,0 @@ -package lib.exclude_update_patch - -import future.keywords.in - -is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] -} diff --git a/src/pod-security-policy/flexvolume-drivers/src.rego b/src/pod-security-policy/flexvolume-drivers/src.rego index dd5216777..1d42653c1 100644 --- a/src/pod-security-policy/flexvolume-drivers/src.rego +++ b/src/pod-security-policy/flexvolume-drivers/src.rego @@ -1,10 +1,10 @@ package k8spspflexvolumes -import data.lib.exclude_update_patch.is_update_or_patch +import data.lib.exclude_update.is_update violation[{"msg": msg, "details": {}}] { # spec.volumes field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) volume := input_flexvolumes[_] not input_flexvolumes_allowed(volume) diff --git a/src/pod-security-policy/forbidden-sysctls/constraint.tmpl b/src/pod-security-policy/forbidden-sysctls/constraint.tmpl index a021029be..91cecf030 100644 --- a/src/pod-security-policy/forbidden-sysctls/constraint.tmpl +++ b/src/pod-security-policy/forbidden-sysctls/constraint.tmpl @@ -43,4 +43,4 @@ spec: {{ file.Read "src/pod-security-policy/forbidden-sysctls/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | -{{ file.Read "src/pod-security-policy/forbidden-sysctls/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} +{{ file.Read "src/pod-security-policy/forbidden-sysctls/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/forbidden-sysctls/lib_exclude_update.rego b/src/pod-security-policy/forbidden-sysctls/lib_exclude_update.rego new file mode 100644 index 000000000..c176132fb --- /dev/null +++ b/src/pod-security-policy/forbidden-sysctls/lib_exclude_update.rego @@ -0,0 +1,7 @@ +package lib.exclude_update + +import future.keywords.in + +is_update(review) { + review.operation == "UPDATE" +} 
diff --git a/src/pod-security-policy/forbidden-sysctls/lib_exclude_update_patch.rego b/src/pod-security-policy/forbidden-sysctls/lib_exclude_update_patch.rego deleted file mode 100644 index fb666035e..000000000 --- a/src/pod-security-policy/forbidden-sysctls/lib_exclude_update_patch.rego +++ /dev/null @@ -1,7 +0,0 @@ -package lib.exclude_update_patch - -import future.keywords.in - -is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] -} diff --git a/src/pod-security-policy/forbidden-sysctls/src.rego b/src/pod-security-policy/forbidden-sysctls/src.rego index 6e703fdaf..359dd44c7 100644 --- a/src/pod-security-policy/forbidden-sysctls/src.rego +++ b/src/pod-security-policy/forbidden-sysctls/src.rego @@ -1,11 +1,11 @@ package k8spspforbiddensysctls -import data.lib.exclude_update_patch.is_update_or_patch +import data.lib.exclude_update.is_update # Block if forbidden violation[{"msg": msg, "details": {}}] { # spec.securityContext.sysctls field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) sysctl := input.review.object.spec.securityContext.sysctls[_].name forbidden_sysctl(sysctl) @@ -14,7 +14,7 @@ violation[{"msg": msg, "details": {}}] { # Block if not explicitly allowed violation[{"msg": msg, "details": {}}] { - not is_update_or_patch(input.review) + not is_update(input.review) sysctl := input.review.object.spec.securityContext.sysctls[_].name not allowed_sysctl(sysctl) msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls]) diff --git a/src/pod-security-policy/fsgroup/constraint.tmpl b/src/pod-security-policy/fsgroup/constraint.tmpl index 94752fd48..34a8b2a99 100644 --- a/src/pod-security-policy/fsgroup/constraint.tmpl +++ b/src/pod-security-policy/fsgroup/constraint.tmpl 
@@ -48,4 +48,4 @@ spec: {{ file.Read "src/pod-security-policy/fsgroup/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | -{{ file.Read "src/pod-security-policy/fsgroup/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} +{{ file.Read "src/pod-security-policy/fsgroup/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/fsgroup/lib_exclude_update.rego b/src/pod-security-policy/fsgroup/lib_exclude_update.rego new file mode 100644 index 000000000..c176132fb --- /dev/null +++ b/src/pod-security-policy/fsgroup/lib_exclude_update.rego @@ -0,0 +1,7 @@ +package lib.exclude_update + +import future.keywords.in + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/fsgroup/lib_exclude_update_patch.rego b/src/pod-security-policy/fsgroup/lib_exclude_update_patch.rego deleted file mode 100644 index fb666035e..000000000 --- a/src/pod-security-policy/fsgroup/lib_exclude_update_patch.rego +++ /dev/null @@ -1,7 +0,0 @@ -package lib.exclude_update_patch - -import future.keywords.in - -is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] -} diff --git a/src/pod-security-policy/fsgroup/src.rego b/src/pod-security-policy/fsgroup/src.rego index c2dd330ee..23690a0de 100644 --- a/src/pod-security-policy/fsgroup/src.rego +++ b/src/pod-security-policy/fsgroup/src.rego @@ -1,10 +1,10 @@ package k8spspfsgroup -import data.lib.exclude_update_patch.is_update_or_patch +import data.lib.exclude_update.is_update violation[{"msg": msg, "details": {}}] { # spec.securityContext.fsGroup field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) spec := input.review.object.spec not input_fsGroup_allowed(spec) diff --git a/src/pod-security-policy/host-filesystem/constraint.tmpl b/src/pod-security-policy/host-filesystem/constraint.tmpl index dd844b7d7..39af451e1 100644 
--- a/src/pod-security-policy/host-filesystem/constraint.tmpl +++ b/src/pod-security-policy/host-filesystem/constraint.tmpl @@ -43,4 +43,4 @@ spec: {{ file.Read "src/pod-security-policy/host-filesystem/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | -{{ file.Read "src/pod-security-policy/host-filesystem/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} +{{ file.Read "src/pod-security-policy/host-filesystem/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/host-filesystem/lib_exclude_update.rego b/src/pod-security-policy/host-filesystem/lib_exclude_update.rego new file mode 100644 index 000000000..c176132fb --- /dev/null +++ b/src/pod-security-policy/host-filesystem/lib_exclude_update.rego @@ -0,0 +1,7 @@ +package lib.exclude_update + +import future.keywords.in + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/host-filesystem/lib_exclude_update_patch.rego b/src/pod-security-policy/host-filesystem/lib_exclude_update_patch.rego deleted file mode 100644 index fb666035e..000000000 --- a/src/pod-security-policy/host-filesystem/lib_exclude_update_patch.rego +++ /dev/null @@ -1,7 +0,0 @@ -package lib.exclude_update_patch - -import future.keywords.in - -is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] -} diff --git a/src/pod-security-policy/host-filesystem/src.rego b/src/pod-security-policy/host-filesystem/src.rego index bf58506f3..53b140816 100644 --- a/src/pod-security-policy/host-filesystem/src.rego +++ b/src/pod-security-policy/host-filesystem/src.rego 
@@ -1,10 +1,10 @@ package k8spsphostfilesystem -import data.lib.exclude_update_patch.is_update_or_patch +import data.lib.exclude_update.is_update violation[{"msg": msg, "details": {}}] { # spec.volumes field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) volume := input_hostpath_volumes[_] allowedPaths := get_allowed_paths(input) diff --git a/src/pod-security-policy/host-namespaces/constraint.tmpl b/src/pod-security-policy/host-namespaces/constraint.tmpl index de306e875..7ee044381 100644 --- a/src/pod-security-policy/host-namespaces/constraint.tmpl +++ b/src/pod-security-policy/host-namespaces/constraint.tmpl @@ -30,4 +30,4 @@ spec: {{ file.Read "src/pod-security-policy/host-namespaces/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | -{{ file.Read "src/pod-security-policy/host-namespaces/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} +{{ file.Read "src/pod-security-policy/host-namespaces/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/host-namespaces/lib_exclude_update.rego b/src/pod-security-policy/host-namespaces/lib_exclude_update.rego new file mode 100644 index 000000000..c176132fb --- /dev/null +++ b/src/pod-security-policy/host-namespaces/lib_exclude_update.rego @@ -0,0 +1,7 @@ +package lib.exclude_update + +import future.keywords.in + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/host-namespaces/lib_exclude_update_patch.rego b/src/pod-security-policy/host-namespaces/lib_exclude_update_patch.rego deleted file mode 100644 index fb666035e..000000000 --- a/src/pod-security-policy/host-namespaces/lib_exclude_update_patch.rego +++ /dev/null @@ -1,7 +0,0 @@ -package lib.exclude_update_patch - -import future.keywords.in - -is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] -} 
diff --git a/src/pod-security-policy/host-namespaces/src.rego b/src/pod-security-policy/host-namespaces/src.rego index 431bbb2dc..af50c1cb8 100644 --- a/src/pod-security-policy/host-namespaces/src.rego +++ b/src/pod-security-policy/host-namespaces/src.rego @@ -1,10 +1,10 @@ package k8spsphostnamespace -import data.lib.exclude_update_patch.is_update_or_patch +import data.lib.exclude_update.is_update violation[{"msg": msg, "details": {}}] { # spec.hostPID and spec.hostIPC fields are immutable. - not is_update_or_patch(input.review) + not is_update(input.review) input_share_hostnamespace(input.review.object) msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name]) diff --git a/src/pod-security-policy/host-network-ports/constraint.tmpl b/src/pod-security-policy/host-network-ports/constraint.tmpl index 9af5b1da3..abf6653c0 100644 --- a/src/pod-security-policy/host-network-ports/constraint.tmpl +++ b/src/pod-security-policy/host-network-ports/constraint.tmpl @@ -50,6 +50,6 @@ spec: {{ file.Read "src/pod-security-policy/host-network-ports/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | -{{ file.Read "src/pod-security-policy/host-network-ports/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} +{{ file.Read "src/pod-security-policy/host-network-ports/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} - | {{ file.Read "src/pod-security-policy/host-network-ports/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/host-network-ports/lib_exclude_update.rego b/src/pod-security-policy/host-network-ports/lib_exclude_update.rego new file mode 100644 index 000000000..c176132fb --- /dev/null +++ b/src/pod-security-policy/host-network-ports/lib_exclude_update.rego @@ -0,0 +1,7 @@ +package lib.exclude_update + +import future.keywords.in + +is_update(review) { + review.operation == "UPDATE" +} 
diff --git a/src/pod-security-policy/host-network-ports/lib_exclude_update_patch.rego b/src/pod-security-policy/host-network-ports/lib_exclude_update_patch.rego deleted file mode 100644 index fb666035e..000000000 --- a/src/pod-security-policy/host-network-ports/lib_exclude_update_patch.rego +++ /dev/null @@ -1,7 +0,0 @@ -package lib.exclude_update_patch - -import future.keywords.in - -is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] -} diff --git a/src/pod-security-policy/host-network-ports/src.rego b/src/pod-security-policy/host-network-ports/src.rego index 08c890da6..1038815c8 100644 --- a/src/pod-security-policy/host-network-ports/src.rego +++ b/src/pod-security-policy/host-network-ports/src.rego @@ -1,11 +1,11 @@ package k8spsphostnetworkingports -import data.lib.exclude_update_patch.is_update_or_patch +import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { # spec.hostNetwork field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) input_share_hostnetwork(input.review.object) msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters]) diff --git a/src/pod-security-policy/privileged-containers/constraint.tmpl b/src/pod-security-policy/privileged-containers/constraint.tmpl index a1e7766ea..90a195925 100644 --- a/src/pod-security-policy/privileged-containers/constraint.tmpl +++ b/src/pod-security-policy/privileged-containers/constraint.tmpl 
@@ -40,6 +40,6 @@ spec: {{ file.Read "src/pod-security-policy/privileged-containers/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | -{{ file.Read "src/pod-security-policy/privileged-containers/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} +{{ file.Read "src/pod-security-policy/privileged-containers/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} - | {{ file.Read "src/pod-security-policy/privileged-containers/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/privileged-containers/lib_exclude_update.rego b/src/pod-security-policy/privileged-containers/lib_exclude_update.rego new file mode 100644 index 000000000..c176132fb --- /dev/null +++ b/src/pod-security-policy/privileged-containers/lib_exclude_update.rego @@ -0,0 +1,7 @@ +package lib.exclude_update + +import future.keywords.in + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/privileged-containers/lib_exclude_update_patch.rego b/src/pod-security-policy/privileged-containers/lib_exclude_update_patch.rego deleted file mode 100644 index fb666035e..000000000 --- a/src/pod-security-policy/privileged-containers/lib_exclude_update_patch.rego +++ /dev/null @@ -1,7 +0,0 @@ -package lib.exclude_update_patch - -import future.keywords.in - -is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] -} diff --git a/src/pod-security-policy/privileged-containers/src.rego b/src/pod-security-policy/privileged-containers/src.rego index db984a2ce..a789e96da 100644 --- a/src/pod-security-policy/privileged-containers/src.rego +++ b/src/pod-security-policy/privileged-containers/src.rego 
@@ -1,11 +1,11 @@ package k8spspprivileged -import data.lib.exclude_update_patch.is_update_or_patch +import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { # spec.containers.privileged field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) c := input_containers[_] not is_exempt(c) diff --git a/src/pod-security-policy/proc-mount/constraint.tmpl b/src/pod-security-policy/proc-mount/constraint.tmpl index 18d658ab0..b06f815b6 100644 --- a/src/pod-security-policy/proc-mount/constraint.tmpl +++ b/src/pod-security-policy/proc-mount/constraint.tmpl @@ -51,6 +51,6 @@ spec: {{ file.Read "src/pod-security-policy/proc-mount/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | -{{ file.Read "src/pod-security-policy/proc-mount/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} +{{ file.Read "src/pod-security-policy/proc-mount/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} - | {{ file.Read "src/pod-security-policy/proc-mount/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/proc-mount/lib_exclude_update.rego b/src/pod-security-policy/proc-mount/lib_exclude_update.rego new file mode 100644 index 000000000..c176132fb --- /dev/null +++ b/src/pod-security-policy/proc-mount/lib_exclude_update.rego @@ -0,0 +1,7 @@ +package lib.exclude_update + +import future.keywords.in + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/proc-mount/lib_exclude_update_patch.rego b/src/pod-security-policy/proc-mount/lib_exclude_update_patch.rego deleted file mode 100644 index fb666035e..000000000 --- a/src/pod-security-policy/proc-mount/lib_exclude_update_patch.rego +++ /dev/null 
@@ -1,7 +0,0 @@ -package lib.exclude_update_patch - -import future.keywords.in - -is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] -} diff --git a/src/pod-security-policy/proc-mount/src.rego b/src/pod-security-policy/proc-mount/src.rego index 8f1c02d28..cf501c8bd 100644 --- a/src/pod-security-policy/proc-mount/src.rego +++ b/src/pod-security-policy/proc-mount/src.rego @@ -1,11 +1,11 @@ package k8spspprocmount -import data.lib.exclude_update_patch.is_update_or_patch +import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { # spec.containers.securityContext.procMount field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) c := input_containers[_] not is_exempt(c) diff --git a/src/pod-security-policy/read-only-root-filesystem/constraint.tmpl b/src/pod-security-policy/read-only-root-filesystem/constraint.tmpl index 8f2fc0c9e..3fa6e0607 100644 --- a/src/pod-security-policy/read-only-root-filesystem/constraint.tmpl +++ b/src/pod-security-policy/read-only-root-filesystem/constraint.tmpl @@ -41,6 +41,6 @@ spec: {{ file.Read "src/pod-security-policy/read-only-root-filesystem/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | -{{ file.Read "src/pod-security-policy/read-only-root-filesystem/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} +{{ file.Read "src/pod-security-policy/read-only-root-filesystem/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} - | {{ file.Read "src/pod-security-policy/read-only-root-filesystem/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/read-only-root-filesystem/lib_exclude_update.rego b/src/pod-security-policy/read-only-root-filesystem/lib_exclude_update.rego new file mode 100644 index 000000000..c176132fb --- /dev/null 
+++ b/src/pod-security-policy/read-only-root-filesystem/lib_exclude_update.rego @@ -0,0 +1,7 @@ +package lib.exclude_update + +import future.keywords.in + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/read-only-root-filesystem/lib_exclude_update_patch.rego b/src/pod-security-policy/read-only-root-filesystem/lib_exclude_update_patch.rego deleted file mode 100644 index fb666035e..000000000 --- a/src/pod-security-policy/read-only-root-filesystem/lib_exclude_update_patch.rego +++ /dev/null @@ -1,7 +0,0 @@ -package lib.exclude_update_patch - -import future.keywords.in - -is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] -} diff --git a/src/pod-security-policy/read-only-root-filesystem/src.rego b/src/pod-security-policy/read-only-root-filesystem/src.rego index c1c339fd9..3d15390f0 100644 --- a/src/pod-security-policy/read-only-root-filesystem/src.rego +++ b/src/pod-security-policy/read-only-root-filesystem/src.rego @@ -1,11 +1,11 @@ package k8spspreadonlyrootfilesystem -import data.lib.exclude_update_patch.is_update_or_patch +import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { # spec.containers.readOnlyRootFilesystem field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) c := input_containers[_] not is_exempt(c) diff --git a/src/pod-security-policy/selinux/constraint.tmpl b/src/pod-security-policy/selinux/constraint.tmpl index 5270ae608..051b9c694 100644 --- a/src/pod-security-policy/selinux/constraint.tmpl +++ b/src/pod-security-policy/selinux/constraint.tmpl 
@@ -60,6 +60,6 @@ spec: {{ file.Read "src/pod-security-policy/selinux/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | -{{ file.Read "src/pod-security-policy/selinux/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} +{{ file.Read "src/pod-security-policy/selinux/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} - | {{ file.Read "src/pod-security-policy/selinux/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/selinux/lib_exclude_update.rego b/src/pod-security-policy/selinux/lib_exclude_update.rego new file mode 100644 index 000000000..c176132fb --- /dev/null +++ b/src/pod-security-policy/selinux/lib_exclude_update.rego @@ -0,0 +1,7 @@ +package lib.exclude_update + +import future.keywords.in + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/selinux/lib_exclude_update_patch.rego b/src/pod-security-policy/selinux/lib_exclude_update_patch.rego deleted file mode 100644 index fb666035e..000000000 --- a/src/pod-security-policy/selinux/lib_exclude_update_patch.rego +++ /dev/null @@ -1,7 +0,0 @@ -package lib.exclude_update_patch - -import future.keywords.in - -is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] -} diff --git a/src/pod-security-policy/selinux/src.rego b/src/pod-security-policy/selinux/src.rego index 9f7bb49f0..f11ededb9 100644 --- a/src/pod-security-policy/selinux/src.rego +++ b/src/pod-security-policy/selinux/src.rego 
@@ -1,12 +1,12 @@ package k8spspselinux -import data.lib.exclude_update_patch.is_update_or_patch +import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt # Disallow top level custom SELinux options violation[{"msg": msg, "details": {}}] { # spec.securityContext.seLinuxOptions field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) has_field(input.review.object.spec.securityContext, "seLinuxOptions") not input_seLinuxOptions_allowed(input.review.object.spec.securityContext.seLinuxOptions) @@ -15,7 +15,7 @@ violation[{"msg": msg, "details": {}}] { # Disallow container level custom SELinux options violation[{"msg": msg, "details": {}}] { # spec.containers.securityContext.seLinuxOptions field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) c := input_security_context[_] not is_exempt(c) diff --git a/src/pod-security-policy/users/constraint.tmpl b/src/pod-security-policy/users/constraint.tmpl index 6b888ae5d..2c503e343 100644 --- a/src/pod-security-policy/users/constraint.tmpl +++ b/src/pod-security-policy/users/constraint.tmpl @@ -136,6 +136,6 @@ spec: {{ file.Read "src/pod-security-policy/users/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | -{{ file.Read "src/pod-security-policy/users/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} +{{ file.Read "src/pod-security-policy/users/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} - | {{ file.Read "src/pod-security-policy/users/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/pod-security-policy/users/lib_exclude_update.rego b/src/pod-security-policy/users/lib_exclude_update.rego new file mode 100644 index 000000000..c176132fb --- /dev/null +++ b/src/pod-security-policy/users/lib_exclude_update.rego 
@@ -0,0 +1,7 @@ +package lib.exclude_update + +import future.keywords.in + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/users/lib_exclude_update_patch.rego b/src/pod-security-policy/users/lib_exclude_update_patch.rego deleted file mode 100644 index fb666035e..000000000 --- a/src/pod-security-policy/users/lib_exclude_update_patch.rego +++ /dev/null @@ -1,7 +0,0 @@ -package lib.exclude_update_patch - -import future.keywords.in - -is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] -} diff --git a/src/pod-security-policy/users/src.rego b/src/pod-security-policy/users/src.rego index 0c124aea6..4d28bafd2 100644 --- a/src/pod-security-policy/users/src.rego +++ b/src/pod-security-policy/users/src.rego @@ -1,11 +1,11 @@ package k8spspallowedusers -import data.lib.exclude_update_patch.is_update_or_patch +import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg}] { # runAsUser, runAsGroup, supplementalGroups, fsGroup fields are immutable. - not is_update_or_patch(input.review) + not is_update(input.review) fields := ["runAsUser", "runAsGroup", "supplementalGroups", "fsGroup"] field := fields[_] diff --git a/src/pod-security-policy/volumes/constraint.tmpl b/src/pod-security-policy/volumes/constraint.tmpl index eabb2ccac..40f87e2c3 100644 --- a/src/pod-security-policy/volumes/constraint.tmpl +++ b/src/pod-security-policy/volumes/constraint.tmpl @@ -36,4 +36,4 @@ spec: {{ file.Read "src/pod-security-policy/volumes/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} libs: - | -{{ file.Read "src/pod-security-policy/volumes/lib_exclude_update_patch.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} +{{ file.Read "src/pod-security-policy/volumes/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} 
diff --git a/src/pod-security-policy/volumes/lib_exclude_update.rego b/src/pod-security-policy/volumes/lib_exclude_update.rego new file mode 100644 index 000000000..c176132fb --- /dev/null +++ b/src/pod-security-policy/volumes/lib_exclude_update.rego @@ -0,0 +1,7 @@ +package lib.exclude_update + +import future.keywords.in + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/pod-security-policy/volumes/lib_exclude_update_patch.rego b/src/pod-security-policy/volumes/lib_exclude_update_patch.rego deleted file mode 100644 index fb666035e..000000000 --- a/src/pod-security-policy/volumes/lib_exclude_update_patch.rego +++ /dev/null @@ -1,7 +0,0 @@ -package lib.exclude_update_patch - -import future.keywords.in - -is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] -} diff --git a/src/pod-security-policy/volumes/src.rego b/src/pod-security-policy/volumes/src.rego index e3f5fb517..2d10ecf3e 100644 --- a/src/pod-security-policy/volumes/src.rego +++ b/src/pod-security-policy/volumes/src.rego @@ -1,10 +1,10 @@ package k8spspvolumetypes -import data.lib.exclude_update_patch.is_update_or_patch +import data.lib.exclude_update.is_update violation[{"msg": msg, "details": {}}] { # spec.volumes field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) volume_fields := {x | input.review.object.spec.volumes[_][x]; x != "name"} field := volume_fields[_] diff --git a/src/rego/lib_exclude_update/lib_exclude_update.rego b/src/rego/lib_exclude_update/lib_exclude_update.rego new file mode 100644 index 000000000..c176132fb --- /dev/null +++ b/src/rego/lib_exclude_update/lib_exclude_update.rego @@ -0,0 +1,7 @@ +package lib.exclude_update + +import future.keywords.in + +is_update(review) { + review.operation == "UPDATE" +} diff --git a/src/rego/lib_exclude_update/lib_exclude_update_test.rego b/src/rego/lib_exclude_update/lib_exclude_update_test.rego new file mode 100644 index 000000000..82d642756 --- /dev/null 
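Review bot: `import future.keywords.in` is now dead in the new `lib_exclude_update.rego`, because `is_update` compares with `==` instead of `in`; drop the import so the library does not carry a keyword it no longer uses. The helper also needs a header comment spelling out the contract every caller depends on, along the lines of `# True when the admission review's operation is UPDATE. Callers use it to skip` / `# checks on fields Kubernetes makes immutable after creation; never gate a field` / `# that can still change on UPDATE (e.g. spec.ephemeralContainers).`, with a sentence noting that a review lacking an `operation` key leaves `is_update` undefined, so `not is_update(...)` still runs the check (fail closed). That last caveat is not theoretical: the capabilities template later in this series applies the guard to `spec.ephemeralContainers`, which are added to an existing pod by an UPDATE to its `ephemeralcontainers` subresource; whether Gatekeeper's webhook receives that subresource update is outside this diff and should be confirmed.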
+++ b/src/rego/lib_exclude_update/lib_exclude_update_test.rego @@ -0,0 +1,13 @@ +package lib.exclude_update + +test_update { + is_update({"operation": "UPDATE"}) +} + +test_create { + not is_update({"operation": "CREATE"}) +} + +test_empty { + not is_update({"operation": ""}) +} diff --git a/src/rego/lib_exclude_update_patch/lib_exclude_update_patch.rego b/src/rego/lib_exclude_update_patch/lib_exclude_update_patch.rego deleted file mode 100644 index fb666035e..000000000 --- a/src/rego/lib_exclude_update_patch/lib_exclude_update_patch.rego +++ /dev/null @@ -1,7 +0,0 @@ -package lib.exclude_update_patch - -import future.keywords.in - -is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] -} diff --git a/src/rego/lib_exclude_update_patch/lib_exclude_update_patch_test.rego b/src/rego/lib_exclude_update_patch/lib_exclude_update_patch_test.rego deleted file mode 100644 index f442fb5e8..000000000 --- a/src/rego/lib_exclude_update_patch/lib_exclude_update_patch_test.rego +++ /dev/null @@ -1,17 +0,0 @@ -package lib.exclude_update_patch - -test_update { - is_update_or_patch({"operation": "UPDATE"}) -} - -test_patch { - is_update_or_patch({"operation": "PATCH"}) -} - -test_create { - not is_update_or_patch({"operation": "CREATE"}) -} - -test_empty { - not is_update_or_patch({"operation": ""}) -} From 6ebefc45813b0d1b755b914e6289140542fa459e Mon Sep 17 00:00:00 2001 From: Hidehito Yabuuchi Date: Tue, 1 Aug 2023 17:30:32 +0900 Subject: [PATCH 05/11] make generate-all 
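Review bot: The new test file pins UPDATE, CREATE and the empty string, but not the input the guard is most likely to meet outside the admission path: a review with no `operation` key at all, which is exactly the case where `not is_update(input.review)` must fail closed. Add `test_missing_operation { not is_update({}) }` next to the others, and optionally `test_delete { not is_update({"operation": "DELETE"}) }` so a later widening of the helper to other operations is caught by the suite. Whether Gatekeeper audit reviews actually omit `operation` is not visible in this diff; the test is still worthwhile because the rule's undefined-result semantics are what the callers rely on.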
Signed-off-by: Hidehito Yabuuchi --- .../1.0.1/artifacthub-pkg.yml | 2 +- .../1.0.1/template.yaml | 10 +++++----- .../1.0.1/artifacthub-pkg.yml | 2 +- .../ephemeralstoragelimit/1.0.1/template.yaml | 12 +++++------ .../requiredprobes/1.0.1/artifacthub-pkg.yml | 2 +- .../requiredprobes/1.0.1/template.yaml | 10 +++++----- .../1.0.1/artifacthub-pkg.yml | 2 +- .../1.0.1/template.yaml | 10 +++++----- .../capabilities/1.0.1/artifacthub-pkg.yml | 2 +- .../capabilities/1.0.1/template.yaml | 20 +++++++++---------- .../1.0.1/artifacthub-pkg.yml | 2 +- .../flexvolume-drivers/1.0.1/template.yaml | 10 +++++----- .../1.1.2/artifacthub-pkg.yml | 2 +- .../forbidden-sysctls/1.1.2/template.yaml | 12 +++++------ .../fsgroup/1.0.1/artifacthub-pkg.yml | 2 +- .../fsgroup/1.0.1/template.yaml | 10 +++++----- .../host-filesystem/1.0.1/artifacthub-pkg.yml | 2 +- .../host-filesystem/1.0.1/template.yaml | 10 +++++----- .../host-namespaces/1.0.1/artifacthub-pkg.yml | 2 +- .../host-namespaces/1.0.1/template.yaml | 10 +++++----- .../1.0.1/artifacthub-pkg.yml | 2 +- .../host-network-ports/1.0.1/template.yaml | 10 +++++----- .../1.0.1/artifacthub-pkg.yml | 2 +- .../privileged-containers/1.0.1/template.yaml | 10 +++++----- .../proc-mount/1.0.2/artifacthub-pkg.yml | 2 +- .../proc-mount/1.0.2/template.yaml | 10 +++++----- .../1.0.1/artifacthub-pkg.yml | 2 +- .../1.0.1/template.yaml | 10 +++++----- .../selinux/1.0.1/artifacthub-pkg.yml | 2 +- .../selinux/1.0.1/template.yaml | 12 +++++------ .../users/1.0.1/artifacthub-pkg.yml | 2 +- .../users/1.0.1/template.yaml | 10 +++++----- .../volumes/1.0.1/artifacthub-pkg.yml | 2 +- .../volumes/1.0.1/template.yaml | 10 +++++----- .../template.yaml | 10 +++++----- .../ephemeralstoragelimit/template.yaml | 12 +++++------ library/general/requiredprobes/template.yaml | 10 +++++----- .../allow-privilege-escalation/template.yaml | 10 +++++----- .../capabilities/template.yaml | 20 +++++++++---------- .../flexvolume-drivers/template.yaml | 10 +++++----- 
.../forbidden-sysctls/template.yaml | 12 +++++------ .../pod-security-policy/fsgroup/template.yaml | 10 +++++----- .../host-filesystem/template.yaml | 10 +++++----- .../host-namespaces/template.yaml | 10 +++++----- .../host-network-ports/template.yaml | 10 +++++----- .../privileged-containers/template.yaml | 10 +++++----- .../proc-mount/template.yaml | 10 +++++----- .../read-only-root-filesystem/template.yaml | 10 +++++----- .../pod-security-policy/selinux/template.yaml | 12 +++++------ .../pod-security-policy/users/template.yaml | 10 +++++----- .../pod-security-policy/volumes/template.yaml | 10 +++++----- .../validation/allow-privilege-escalation.md | 10 +++++----- .../automount-serviceaccount-token.md | 10 +++++----- website/docs/validation/capabilities.md | 20 +++++++++---------- .../docs/validation/ephemeralstoragelimit.md | 12 +++++------ website/docs/validation/flexvolume-drivers.md | 10 +++++----- website/docs/validation/forbidden-sysctls.md | 12 +++++------ website/docs/validation/fsgroup.md | 10 +++++----- website/docs/validation/host-filesystem.md | 10 +++++----- website/docs/validation/host-namespaces.md | 10 +++++----- website/docs/validation/host-network-ports.md | 10 +++++----- .../docs/validation/privileged-containers.md | 10 +++++----- website/docs/validation/proc-mount.md | 10 +++++----- .../validation/read-only-root-filesystem.md | 10 +++++----- website/docs/validation/requiredprobes.md | 10 +++++----- website/docs/validation/selinux.md | 12 +++++------ website/docs/validation/users.md | 10 +++++----- website/docs/validation/volumes.md | 10 +++++----- 68 files changed, 296 insertions(+), 296 deletions(-) diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml index 78a5e84dd..7f513076f 100644 --- a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml 
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml @@ -3,7 +3,7 @@ name: k8spspautomountserviceaccounttokenpod displayName: Automount Service Account Token for Pod createdAt: "2023-05-23T09:47:24Z" description: Controls the ability of any Pod to enable automountServiceAccountToken. -digest: 703ebbf0f93e4ccc2dd0a5a28f8f944285fe3581848d34f40573e9129ade5f50 +digest: 1e55c4d9801d57049bfef336f7f76070c860e7e3fd5a824f971559e205cb7036 license: Apache-2.0 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/automount-serviceaccount-token keywords: diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml index ee1f2561d..1252c949e 100644 --- a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml +++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml @@ -22,11 +22,11 @@ spec: rego: | package k8sautomountserviceaccounttoken - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update violation[{"msg": msg}] { # spec.automountServiceAccountToken and spec.containers.volumeMounts fields are immutable. - not is_update_or_patch(input.review) + not is_update(input.review) obj := input.review.object mountServiceAccountToken(obj.spec) @@ -59,10 +59,10 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml index d9a0632f4..43425bd1c 100644 --- a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml 
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml @@ -5,7 +5,7 @@ createdAt: "2023-05-23T09:47:27Z" description: |- Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ -digest: 3831d46393ad418fa151a3c5996c89145f65adf270f324da59c6fb8e72ab7724 +digest: bf3a7954950e519148677ae4505ba8997e8cf94214e3fb38878e6ef6324a3f9d license: Apache-2.0 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/ephemeralstoragelimit keywords: diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml index be528d759..01e4b7a65 100644 --- a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml +++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml @@ -38,7 +38,7 @@ spec: rego: | package k8scontainerephemeralstoragelimit - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt missing(obj, field) = true { @@ -152,13 +152,13 @@ spec: violation[{"msg": msg}] { # spec.containers.resources.limits["ephemeral-storage"] field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) general_violation[{"msg": msg, "field": "containers"}] } violation[{"msg": msg}] { - not is_update_or_patch(input.review) + not is_update(input.review) general_violation[{"msg": msg, "field": "initContainers"}] } @@ -205,12 +205,12 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } - | package lib.exempt_container 
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/artifacthub-pkg.yml b/artifacthub/library/general/requiredprobes/1.0.1/artifacthub-pkg.yml index 8c60c2f9b..73baef9e9 100644 --- a/artifacthub/library/general/requiredprobes/1.0.1/artifacthub-pkg.yml +++ b/artifacthub/library/general/requiredprobes/1.0.1/artifacthub-pkg.yml @@ -3,7 +3,7 @@ name: k8srequiredprobes displayName: Required Probes createdAt: "2023-05-23T09:47:30Z" description: Requires Pods to have readiness and/or liveness probes. -digest: 9c283ad1edd3a6145463578700d4f885160d616acea08880195fad2493b5566d +digest: 55e7fd2c471e761e3530d0e7d2a4a7c0cbe63b957aa219a538c3e05dda6ae377 license: Apache-2.0 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/requiredprobes keywords: diff --git a/artifacthub/library/general/requiredprobes/1.0.1/template.yaml b/artifacthub/library/general/requiredprobes/1.0.1/template.yaml index fc84f63dc..f276dc0d4 100644 --- a/artifacthub/library/general/requiredprobes/1.0.1/template.yaml +++ b/artifacthub/library/general/requiredprobes/1.0.1/template.yaml @@ -30,7 +30,7 @@ spec: rego: | package k8srequiredprobes - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update probe_type_set = probe_types { probe_types := {type | type := input.parameters.probeTypes[_]} @@ -38,7 +38,7 @@ spec: violation[{"msg": msg}] { # Probe fields are immutable. - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.containers[_] probe := input.parameters.probes[_] @@ -65,10 +65,10 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } 
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/artifacthub-pkg.yml index aef049ed3..7e3bc5480 100644 --- a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/artifacthub-pkg.yml +++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/artifacthub-pkg.yml @@ -3,7 +3,7 @@ name: k8spspallowprivilegeescalationcontainer displayName: Allow Privilege Escalation in Container createdAt: "2023-05-23T09:47:31Z" description: Controls restricting escalation to root privileges. Corresponds to the `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation -digest: bd6fd60b9b4fd64a803cc3e8463bf1c86695c1d96a467f21c219c10159625023 +digest: 975b84d1cde80ad5b55bdfdef77116d8d0d07553d6b9011bb27481bc5fd9c467 license: Apache-2.0 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/allow-privilege-escalation keywords: diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml index 5fb7c57d5..2c4071bd5 100644 --- a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml +++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml @@ -39,12 +39,12 @@ spec: rego: | package k8spspallowprivilegeescalationcontainer - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { # spec.containers.securityContext.allowPrivilegeEscalation field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) c := input_containers[_] not is_exempt(c) 
@@ -73,12 +73,12 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } - | package lib.exempt_container diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/artifacthub-pkg.yml index aaa8938f9..83d21d195 100644 --- a/artifacthub/library/pod-security-policy/capabilities/1.0.1/artifacthub-pkg.yml +++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/artifacthub-pkg.yml @@ -3,7 +3,7 @@ name: k8spspcapabilities displayName: Capabilities createdAt: "2023-05-23T09:47:31Z" description: Controls Linux capabilities on containers. Corresponds to the `allowedCapabilities` and `requiredDropCapabilities` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities -digest: adb9d8a97dcc2df2f780f35fc01728b845d856f3a4cdf51e682acd966bb70338 +digest: bf2cc3c37313d3ecd5b7f422475911b4f40fb3235f1812640ea44c99b00b0b43 license: Apache-2.0 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/capabilities keywords: diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml index 55b2f8491..e23211270 100644 --- a/artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml +++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml 
@@ -50,12 +50,12 @@ spec: rego: | package capabilities - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg}] { # spec.containers.securityContext.capabilities field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.containers[_] not is_exempt(container) @@ -64,7 +64,7 @@ spec: } violation[{"msg": msg}] { - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.containers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -74,7 +74,7 @@ spec: violation[{"msg": msg}] { - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.initContainers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -82,7 +82,7 @@ spec: } violation[{"msg": msg}] { - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.initContainers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -92,7 +92,7 @@ spec: violation[{"msg": msg}] { - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.ephemeralContainers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -100,7 +100,7 @@ spec: } violation[{"msg": msg}] { - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.ephemeralContainers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -136,12 +136,12 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } - | package lib.exempt_container 
diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/artifacthub-pkg.yml index 5b1190f83..537fa4391 100644 --- a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/artifacthub-pkg.yml +++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/artifacthub-pkg.yml @@ -3,7 +3,7 @@ name: k8spspflexvolumes displayName: FlexVolumes createdAt: "2023-05-23T09:47:31Z" description: Controls the allowlist of FlexVolume drivers. Corresponds to the `allowedFlexVolumes` field in PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers -digest: 18da92d57e3d86c0460dfd57b276cdb3166620f7d603c4dcad44d46e3f5d7f87 +digest: a680d7804d62ddf9e4c5fa7d2f657d6e4e98ba5a375cc8cecba6ab851963b649 license: Apache-2.0 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/flexvolume-drivers keywords: diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml index cdf77aad0..88e99f319 100644 --- a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml +++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml @@ -39,11 +39,11 @@ spec: rego: | package k8spspflexvolumes - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update violation[{"msg": msg, "details": {}}] { # spec.volumes field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) volume := input_flexvolumes[_] not input_flexvolumes_allowed(volume) 
@@ -65,10 +65,10 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/artifacthub-pkg.yml index 7b2de2fcd..f8ba3e571 100644 --- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/artifacthub-pkg.yml +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/artifacthub-pkg.yml @@ -3,7 +3,7 @@ name: k8spspforbiddensysctls displayName: Forbidden Sysctls createdAt: "2023-05-23T09:47:31Z" description: Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ -digest: 436c6ee0f5228a9a316606a0ed95364b3753a376a68b1321da392477595d9a3a +digest: 6e4e3edc144174b6363e0c3de04d4b9be67306a771c8a4fd7a46229123480b61 license: Apache-2.0 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/forbidden-sysctls keywords: diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml index 8f6dd1e07..97257f3ad 100644 --- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml +++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml 
@@ -42,12 +42,12 @@ spec: rego: | package k8spspforbiddensysctls - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update # Block if forbidden violation[{"msg": msg, "details": {}}] { # spec.securityContext.sysctls field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) sysctl := input.review.object.spec.securityContext.sysctls[_].name forbidden_sysctl(sysctl) @@ -56,7 +56,7 @@ spec: # Block if not explicitly allowed violation[{"msg": msg, "details": {}}] { - not is_update_or_patch(input.review) + not is_update(input.review) sysctl := input.review.object.spec.securityContext.sysctls[_].name not allowed_sysctl(sysctl) msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls]) @@ -93,10 +93,10 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/artifacthub-pkg.yml index 1c7437205..33978b4c7 100644 --- a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/artifacthub-pkg.yml +++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/artifacthub-pkg.yml 
@@ -3,7 +3,7 @@ name: k8spspfsgroup displayName: FS Group createdAt: "2023-05-23T09:47:31Z" description: Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems -digest: a7132351db53b2094501f949746fc677a2b37d47ae744930af5eaf2d44443512 +digest: 09290360fc2e0c03c012d8d3be2b9d18dc4b7017c108e28bf60592c05db204ce license: Apache-2.0 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/fsgroup keywords: diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml index 006d8eb6e..189a478d1 100644 --- a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml +++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml @@ -47,11 +47,11 @@ spec: rego: | package k8spspfsgroup - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update violation[{"msg": msg, "details": {}}] { # spec.securityContext.fsGroup field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) spec := input.review.object.spec not input_fsGroup_allowed(spec) @@ -98,10 +98,10 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/artifacthub-pkg.yml index 38caa319c..26847063e 100644 --- a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/artifacthub-pkg.yml +++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/artifacthub-pkg.yml 
@@ -3,7 +3,7 @@ name: k8spsphostfilesystem displayName: Host Filesystem createdAt: "2023-05-23T09:47:31Z" description: Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems -digest: 4be50b48cb82f049e9045c4c847baf8764c64f8b9d121e2b4d9036e7cab1fcfb +digest: de1a34191f8482e7326878d0c8f7b653f1d5a2805674cdd4393ee917349ac0a9 license: Apache-2.0 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-filesystem keywords: diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml index b8d935369..e9bb32441 100644 --- a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml +++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml @@ -42,11 +42,11 @@ spec: rego: | package k8spsphostfilesystem - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update violation[{"msg": msg, "details": {}}] { # spec.volumes field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) volume := input_hostpath_volumes[_] allowedPaths := get_allowed_paths(input) @@ -141,10 +141,10 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/artifacthub-pkg.yml index 7d20c6644..bf51e675c 100644 --- a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/artifacthub-pkg.yml 
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/artifacthub-pkg.yml @@ -3,7 +3,7 @@ name: k8spsphostnamespace displayName: Host Namespace createdAt: "2023-05-23T09:47:31Z" description: Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces -digest: 86a2dc453529427865f928c1ef99c2faa8685799e3a34c166451cb5b60885013 +digest: af63ee9b0b61519aa6e3a63f36e41ee56706805e0f04c92e6b21dc98fb08cfc8 license: Apache-2.0 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-namespaces keywords: diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml index 784112b39..78fd6596f 100644 --- a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml +++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml @@ -29,11 +29,11 @@ spec: rego: | package k8spsphostnamespace - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update violation[{"msg": msg, "details": {}}] { # spec.hostPID and spec.hostIPC fields are immutable. - not is_update_or_patch(input.review) + not is_update(input.review) input_share_hostnamespace(input.review.object) msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name]) @@ -47,10 +47,10 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } 
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/artifacthub-pkg.yml index 8a6adc71f..13eb6c46a 100644 --- a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/artifacthub-pkg.yml +++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/artifacthub-pkg.yml @@ -3,7 +3,7 @@ name: k8spsphostnetworkingports displayName: Host Networking Ports createdAt: "2023-05-23T09:47:31Z" description: Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the `hostNetwork` and `hostPorts` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces -digest: 8f4e9f3b512b03b5ec14eb0ad30182163fb96f862669663531ebf0264eeb1e61 +digest: 0032aa648e76385fb05fbd44d525ea97e78ceae87b5b615ec527ba3e9af0c5a2 license: Apache-2.0 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-network-ports keywords: diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml index e5d830061..8db1c2cd3 100644 --- a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml +++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml 
@@ -49,12 +49,12 @@ spec:
 rego: |
 package k8spsphostnetworkingports
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 import data.lib.exempt_container.is_exempt
 violation[{"msg": msg, "details": {}}] {
 # spec.hostNetwork field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 input_share_hostnetwork(input.review.object)
 msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters])
@@ -91,12 +91,12 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
 - |
 package lib.exempt_container
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/artifacthub-pkg.yml
index 4eccc50ad..4dacb77a0 100644
--- a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspprivilegedcontainer
 displayName: Privileged Container
 createdAt: "2023-05-23T09:47:31Z"
 description: Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
-digest: f3b2afe9b0f7bccd82c29291a9e075ecd1019ca5857fb5e850d7176ac8aa4a36
+digest: b05a7070b02fa9c2a2eb3a944badd5f42a471382919f8a6a02717faffd212d44
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/privileged-containers
 keywords:
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml
index f143a492b..6ec756011 100644
--- a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml
@@ -39,12 +39,12 @@ spec:
 rego: |
 package k8spspprivileged
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 import data.lib.exempt_container.is_exempt
 violation[{"msg": msg, "details": {}}] {
 # spec.containers.privileged field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 c := input_containers[_]
 not is_exempt(c)
@@ -65,12 +65,12 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
 - |
 package lib.exempt_container
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/artifacthub-pkg.yml
index 573187ce2..d730f0e03 100644
--- a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspprocmount
 displayName: Proc Mount
 createdAt: "2023-05-23T09:47:31Z"
 description: Controls the allowed `procMount` types for the container. Corresponds to the `allowedProcMountTypes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
-digest: 4b54aedfc0a708de76efdd810bd7d63e92625fd79358d196977b7ea51359e46c
+digest: 381e044afad0fa50bce39483149badf7bb50650d6df6856c02c2f38dac74dd14
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/proc-mount
 keywords:
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml
index 93423ed2d..817a1a0bf 100644
--- a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml
@@ -50,12 +50,12 @@ spec:
 rego: |
 package k8spspprocmount
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 import data.lib.exempt_container.is_exempt
 violation[{"msg": msg, "details": {}}] {
 # spec.containers.securityContext.procMount field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 c := input_containers[_]
 not is_exempt(c)
@@ -111,12 +111,12 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
 - |
 package lib.exempt_container
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/artifacthub-pkg.yml
index ddd7ab308..b6cb2d465 100644
--- a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspreadonlyrootfilesystem
 displayName: Read Only Root Filesystem
 createdAt: "2023-05-23T09:47:31Z"
 description: Requires the use of a read-only root file system by pod containers. Corresponds to the `readOnlyRootFilesystem` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
-digest: c5191ecc692cff6ebe63895c42278e84be63e6f2e247d1ef68351ff54ec4383b
+digest: d0639793ce5c44a84c39b94e61196a2c0436f4360b965f502d11287167e56bb6
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/read-only-root-filesystem
 keywords:
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml
index eb4d2af5b..1c449e7c8 100644
--- a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml
@@ -40,12 +40,12 @@ spec:
 rego: |
 package k8spspreadonlyrootfilesystem
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 import data.lib.exempt_container.is_exempt
 violation[{"msg": msg, "details": {}}] {
 # spec.containers.readOnlyRootFilesystem field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 c := input_containers[_]
 not is_exempt(c)
@@ -76,12 +76,12 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
 - |
 package lib.exempt_container
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/selinux/1.0.1/artifacthub-pkg.yml
index 478308853..0fbe34324 100644
--- a/artifacthub/library/pod-security-policy/selinux/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspselinuxv2
 displayName: SELinux V2
 createdAt: "2023-05-23T09:47:32Z"
 description: Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
-digest: c1fbd389373b80528df8f78ea09ab73639eca30fc9bcfdd2ac744e00e83f580f
+digest: 232d1380a2a1ee76766387216e260fadc8470e8c4c54af9c901a7ff084adf0e8
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/selinux
 keywords:
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml
index eb88ff6e1..e852d08c8 100644
--- a/artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml
@@ -59,13 +59,13 @@ spec:
 rego: |
 package k8spspselinux
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 import data.lib.exempt_container.is_exempt
 # Disallow top level custom SELinux options
 violation[{"msg": msg, "details": {}}] {
 # spec.securityContext.seLinuxOptions field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 has_field(input.review.object.spec.securityContext, "seLinuxOptions")
 not input_seLinuxOptions_allowed(input.review.object.spec.securityContext.seLinuxOptions)
@@ -74,7 +74,7 @@ spec:
 # Disallow container level custom SELinux options
 violation[{"msg": msg, "details": {}}] {
 # spec.containers.securityContext.seLinuxOptions field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 c := input_security_context[_]
 not is_exempt(c)
@@ -117,12 +117,12 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
 - |
 package lib.exempt_container
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/users/1.0.1/artifacthub-pkg.yml
index ab9c90eb0..216e467c0 100644
--- a/artifacthub/library/pod-security-policy/users/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/users/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspallowedusers
 displayName: Allowed Users
 createdAt: "2023-05-23T09:47:32Z"
 description: Controls the user and group IDs of the container and some volumes. Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and `fsGroup` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
-digest: b71aa38e9296583dd38400b79677e0436e689331ea807325f69b0693acb81d67
+digest: 4761591b28456c3e59fe2cc21dc5b81a850940f675e8d34bb92f3e07aee9119e
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/users
 keywords:
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/template.yaml
index 31bfdb163..e94d1ab95 100644
--- a/artifacthub/library/pod-security-policy/users/1.0.1/template.yaml
+++ b/artifacthub/library/pod-security-policy/users/1.0.1/template.yaml
@@ -135,12 +135,12 @@ spec:
 rego: |
 package k8spspallowedusers
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 import data.lib.exempt_container.is_exempt
 violation[{"msg": msg}] {
 # runAsUser, runAsGroup, supplementalGroups, fsGroup fields are immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 fields := ["runAsUser", "runAsGroup", "supplementalGroups", "fsGroup"]
 field := fields[_]
@@ -265,12 +265,12 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
 - |
 package lib.exempt_container
diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/volumes/1.0.1/artifacthub-pkg.yml
index cdb3626d1..d2c67c9c8 100644
--- a/artifacthub/library/pod-security-policy/volumes/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspvolumetypes
 displayName: Volume Types
 createdAt: "2023-05-23T09:47:32Z"
 description: Restricts mountable volume types to those specified by the user. Corresponds to the `volumes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
-digest: 9e0fbef9b1bca39d7407759e39b4595a39fdf24dbd41b1a1eb5d5a93edc5c05a
+digest: a8abd75e02bdecbfc426916b2bd72ce126a865af31f8f9fd8e85b2ef7fecbc16
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/volumes
 keywords:
diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml
index 7b4c231a0..7ecd33144 100644
--- a/artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml
+++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml
@@ -35,11 +35,11 @@ spec:
 rego: |
 package k8spspvolumetypes
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 violation[{"msg": msg, "details": {}}] {
 # spec.volumes field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 volume_fields := {x | input.review.object.spec.volumes[_][x]; x != "name"}
 field := volume_fields[_]
@@ -57,10 +57,10 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
diff --git a/library/general/automount-serviceaccount-token/template.yaml b/library/general/automount-serviceaccount-token/template.yaml
index ee1f2561d..1252c949e 100644
--- a/library/general/automount-serviceaccount-token/template.yaml
+++ b/library/general/automount-serviceaccount-token/template.yaml
@@ -22,11 +22,11 @@ spec:
 rego: |
 package k8sautomountserviceaccounttoken
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 violation[{"msg": msg}] {
 # spec.automountServiceAccountToken and spec.containers.volumeMounts fields are immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 obj := input.review.object
 mountServiceAccountToken(obj.spec)
@@ -59,10 +59,10 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
diff --git a/library/general/ephemeralstoragelimit/template.yaml b/library/general/ephemeralstoragelimit/template.yaml
index be528d759..01e4b7a65 100644
--- a/library/general/ephemeralstoragelimit/template.yaml
+++ b/library/general/ephemeralstoragelimit/template.yaml
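Review bot: `import future.keywords.in` is kept in the `lib.exclude_update` block of the `@@ -59,10` hunk although the rewritten body only uses `review.operation == "UPDATE"`, so the import is now unused; the same leftover appears in every other `libs:` hunk of this commit (ephemeralstoragelimit, requiredprobes and all the pod-security-policy templates). Dropping that line keeps the library free of lint noise, and if it is kept on purpose a one-line comment saying why would stop the next reader from removing it. It would also help to document the behaviour the callers now rely on: `is_update` is undefined whenever `review.operation` is absent, so `not is_update(input.review)` lets the rule run in that case, which is presumably how the audit path still gets evaluated — a comment such as `# Undefined (so callers' negation passes) when review.operation is missing, e.g. outside admission.` makes that explicit. Since the skip rests on the API server rejecting changes to the fields named in the `# ... immutable.` comments, stating that UPDATE is skipped for that reason, not because updates are trusted, is worth a line in the library as well.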
@@ -38,7 +38,7 @@ spec:
 rego: |
 package k8scontainerephemeralstoragelimit
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 import data.lib.exempt_container.is_exempt
 missing(obj, field) = true {
@@ -152,13 +152,13 @@ spec:
 violation[{"msg": msg}] {
 # spec.containers.resources.limits["ephemeral-storage"] field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 general_violation[{"msg": msg, "field": "containers"}]
 }
 violation[{"msg": msg}] {
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 general_violation[{"msg": msg, "field": "initContainers"}]
 }
@@ -205,12 +205,12 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
 - |
 package lib.exempt_container
diff --git a/library/general/requiredprobes/template.yaml b/library/general/requiredprobes/template.yaml
index fc84f63dc..f276dc0d4 100644
--- a/library/general/requiredprobes/template.yaml
+++ b/library/general/requiredprobes/template.yaml
@@ -30,7 +30,7 @@ spec:
 rego: |
 package k8srequiredprobes
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 probe_type_set = probe_types {
 probe_types := {type | type := input.parameters.probeTypes[_]}
@@ -38,7 +38,7 @@ spec:
 violation[{"msg": msg}] {
 # Probe fields are immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 container := input.review.object.spec.containers[_]
 probe := input.parameters.probes[_]
@@ -65,10 +65,10 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
diff --git a/library/pod-security-policy/allow-privilege-escalation/template.yaml b/library/pod-security-policy/allow-privilege-escalation/template.yaml
index 5fb7c57d5..2c4071bd5 100644
--- a/library/pod-security-policy/allow-privilege-escalation/template.yaml
+++ b/library/pod-security-policy/allow-privilege-escalation/template.yaml
@@ -39,12 +39,12 @@ spec:
 rego: |
 package k8spspallowprivilegeescalationcontainer
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 import data.lib.exempt_container.is_exempt
 violation[{"msg": msg, "details": {}}] {
 # spec.containers.securityContext.allowPrivilegeEscalation field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 c := input_containers[_]
 not is_exempt(c)
@@ -73,12 +73,12 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
 - |
 package lib.exempt_container
diff --git a/library/pod-security-policy/capabilities/template.yaml b/library/pod-security-policy/capabilities/template.yaml
index 55b2f8491..e23211270 100644
--- a/library/pod-security-policy/capabilities/template.yaml
+++ b/library/pod-security-policy/capabilities/template.yaml
@@ -50,12 +50,12 @@ spec:
 rego: |
 package capabilities
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 import data.lib.exempt_container.is_exempt
 violation[{"msg": msg}] {
 # spec.containers.securityContext.capabilities field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 container := input.review.object.spec.containers[_]
 not is_exempt(container)
@@ -64,7 +64,7 @@ spec:
 }
 violation[{"msg": msg}] {
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 container := input.review.object.spec.containers[_]
 not is_exempt(container)
 missing_drop_capabilities(container)
@@ -74,7 +74,7 @@ spec:
 violation[{"msg": msg}] {
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 container := input.review.object.spec.initContainers[_]
 not is_exempt(container)
 has_disallowed_capabilities(container)
@@ -82,7 +82,7 @@ spec:
 }
 violation[{"msg": msg}] {
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 container := input.review.object.spec.initContainers[_]
 not is_exempt(container)
 missing_drop_capabilities(container)
@@ -92,7 +92,7 @@ spec:
 violation[{"msg": msg}] {
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 container := input.review.object.spec.ephemeralContainers[_]
 not is_exempt(container)
 has_disallowed_capabilities(container)
@@ -100,7 +100,7 @@ spec:
 }
 violation[{"msg": msg}] {
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 container := input.review.object.spec.ephemeralContainers[_]
 not is_exempt(container)
 missing_drop_capabilities(container)
@@ -136,12 +136,12 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
 - |
 package lib.exempt_container
diff --git a/library/pod-security-policy/flexvolume-drivers/template.yaml b/library/pod-security-policy/flexvolume-drivers/template.yaml
index cdf77aad0..88e99f319 100644
--- a/library/pod-security-policy/flexvolume-drivers/template.yaml
+++ b/library/pod-security-policy/flexvolume-drivers/template.yaml
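Review bot: The two `violation` rules over `input.review.object.spec.ephemeralContainers[_]` (the `@@ -92,7` and `@@ -100,7` hunks) keep the `not is_update(input.review)` guard, but unlike the other fields this family of rules checks, ephemeral containers are not immutable: as far as I recall the API server rejects them on pod create and they can only be added afterwards through the `pods/ephemeralcontainers` subresource, which reaches admission as an UPDATE. With the guard in place those two rules can never fire at admission for a newly added ephemeral container with disallowed or undropped capabilities, leaving only audit to catch it (whether the webhook even receives subresource updates depends on its rules, which are not visible here). I would remove `not is_update(input.review)` from the two ephemeralContainers rules, or at least keep the skip only when `input.review.subResource` is not `"ephemeralcontainers"`, and add a comment on those rules explaining why they differ from the container and initContainer ones. The same applies to the matching hunks in the website docs copy of this template.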
@@ -39,11 +39,11 @@ spec:
 rego: |
 package k8spspflexvolumes
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 violation[{"msg": msg, "details": {}}] {
 # spec.volumes field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 volume := input_flexvolumes[_]
 not input_flexvolumes_allowed(volume)
@@ -65,10 +65,10 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
diff --git a/library/pod-security-policy/forbidden-sysctls/template.yaml b/library/pod-security-policy/forbidden-sysctls/template.yaml
index 8f6dd1e07..97257f3ad 100644
--- a/library/pod-security-policy/forbidden-sysctls/template.yaml
+++ b/library/pod-security-policy/forbidden-sysctls/template.yaml
@@ -42,12 +42,12 @@ spec:
 rego: |
 package k8spspforbiddensysctls
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 # Block if forbidden
 violation[{"msg": msg, "details": {}}] {
 # spec.securityContext.sysctls field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 sysctl := input.review.object.spec.securityContext.sysctls[_].name
 forbidden_sysctl(sysctl)
@@ -56,7 +56,7 @@ spec:
 # Block if not explicitly allowed
 violation[{"msg": msg, "details": {}}] {
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 sysctl := input.review.object.spec.securityContext.sysctls[_].name
 not allowed_sysctl(sysctl)
 msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])
@@ -93,10 +93,10 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
diff --git a/library/pod-security-policy/fsgroup/template.yaml b/library/pod-security-policy/fsgroup/template.yaml
index 006d8eb6e..189a478d1 100644
--- a/library/pod-security-policy/fsgroup/template.yaml
+++ b/library/pod-security-policy/fsgroup/template.yaml
@@ -47,11 +47,11 @@ spec:
 rego: |
 package k8spspfsgroup
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 violation[{"msg": msg, "details": {}}] {
 # spec.securityContext.fsGroup field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 spec := input.review.object.spec
 not input_fsGroup_allowed(spec)
@@ -98,10 +98,10 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
diff --git a/library/pod-security-policy/host-filesystem/template.yaml b/library/pod-security-policy/host-filesystem/template.yaml
index b8d935369..e9bb32441 100644
--- a/library/pod-security-policy/host-filesystem/template.yaml
+++ b/library/pod-security-policy/host-filesystem/template.yaml
@@ -42,11 +42,11 @@ spec:
 rego: |
 package k8spsphostfilesystem
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 violation[{"msg": msg, "details": {}}] {
 # spec.volumes field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 volume := input_hostpath_volumes[_]
 allowedPaths := get_allowed_paths(input)
@@ -141,10 +141,10 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
diff --git a/library/pod-security-policy/host-namespaces/template.yaml b/library/pod-security-policy/host-namespaces/template.yaml
index 784112b39..78fd6596f 100644
--- a/library/pod-security-policy/host-namespaces/template.yaml
+++ b/library/pod-security-policy/host-namespaces/template.yaml
@@ -29,11 +29,11 @@ spec:
 rego: |
 package k8spsphostnamespace
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 violation[{"msg": msg, "details": {}}] {
 # spec.hostPID and spec.hostIPC fields are immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 input_share_hostnamespace(input.review.object)
 msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name])
@@ -47,10 +47,10 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
diff --git a/library/pod-security-policy/host-network-ports/template.yaml b/library/pod-security-policy/host-network-ports/template.yaml
index e5d830061..8db1c2cd3 100644
--- a/library/pod-security-policy/host-network-ports/template.yaml
+++ b/library/pod-security-policy/host-network-ports/template.yaml
@@ -49,12 +49,12 @@ spec:
 rego: |
 package k8spsphostnetworkingports
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 import data.lib.exempt_container.is_exempt
 violation[{"msg": msg, "details": {}}] {
 # spec.hostNetwork field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 input_share_hostnetwork(input.review.object)
 msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters])
@@ -91,12 +91,12 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
 - |
 package lib.exempt_container
diff --git a/library/pod-security-policy/privileged-containers/template.yaml b/library/pod-security-policy/privileged-containers/template.yaml
index f143a492b..6ec756011 100644
--- a/library/pod-security-policy/privileged-containers/template.yaml
+++ b/library/pod-security-policy/privileged-containers/template.yaml
@@ -39,12 +39,12 @@ spec:
 rego: |
 package k8spspprivileged
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 import data.lib.exempt_container.is_exempt
 violation[{"msg": msg, "details": {}}] {
 # spec.containers.privileged field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 c := input_containers[_]
 not is_exempt(c)
@@ -65,12 +65,12 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
 - |
 package lib.exempt_container
diff --git a/library/pod-security-policy/proc-mount/template.yaml b/library/pod-security-policy/proc-mount/template.yaml
index 93423ed2d..817a1a0bf 100644
--- a/library/pod-security-policy/proc-mount/template.yaml
+++ b/library/pod-security-policy/proc-mount/template.yaml
@@ -50,12 +50,12 @@ spec:
 rego: |
 package k8spspprocmount
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 import data.lib.exempt_container.is_exempt
 violation[{"msg": msg, "details": {}}] {
 # spec.containers.securityContext.procMount field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 c := input_containers[_]
 not is_exempt(c)
@@ -111,12 +111,12 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
 - |
 package lib.exempt_container
diff --git a/library/pod-security-policy/read-only-root-filesystem/template.yaml b/library/pod-security-policy/read-only-root-filesystem/template.yaml
index eb4d2af5b..1c449e7c8 100644
--- a/library/pod-security-policy/read-only-root-filesystem/template.yaml
+++ b/library/pod-security-policy/read-only-root-filesystem/template.yaml
@@ -40,12 +40,12 @@ spec:
 rego: |
 package k8spspreadonlyrootfilesystem
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 import data.lib.exempt_container.is_exempt
 violation[{"msg": msg, "details": {}}] {
 # spec.containers.readOnlyRootFilesystem field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 c := input_containers[_]
 not is_exempt(c)
@@ -76,12 +76,12 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
 - |
 package lib.exempt_container
diff --git a/library/pod-security-policy/selinux/template.yaml b/library/pod-security-policy/selinux/template.yaml
index eb88ff6e1..e852d08c8 100644
--- a/library/pod-security-policy/selinux/template.yaml
+++ b/library/pod-security-policy/selinux/template.yaml
@@ -59,13 +59,13 @@ spec:
 rego: |
 package k8spspselinux
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 import data.lib.exempt_container.is_exempt
 # Disallow top level custom SELinux options
 violation[{"msg": msg, "details": {}}] {
 # spec.securityContext.seLinuxOptions field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 has_field(input.review.object.spec.securityContext, "seLinuxOptions")
 not input_seLinuxOptions_allowed(input.review.object.spec.securityContext.seLinuxOptions)
@@ -74,7 +74,7 @@ spec:
 # Disallow container level custom SELinux options
 violation[{"msg": msg, "details": {}}] {
 # spec.containers.securityContext.seLinuxOptions field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 c := input_security_context[_]
 not is_exempt(c)
@@ -117,12 +117,12 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
 - |
 package lib.exempt_container
diff --git a/library/pod-security-policy/users/template.yaml b/library/pod-security-policy/users/template.yaml
index 31bfdb163..e94d1ab95 100644
--- a/library/pod-security-policy/users/template.yaml
+++ b/library/pod-security-policy/users/template.yaml
@@ -135,12 +135,12 @@ spec:
 rego: |
 package k8spspallowedusers
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 import data.lib.exempt_container.is_exempt
 violation[{"msg": msg}] {
 # runAsUser, runAsGroup, supplementalGroups, fsGroup fields are immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 fields := ["runAsUser", "runAsGroup", "supplementalGroups", "fsGroup"]
 field := fields[_]
@@ -265,12 +265,12 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
 - |
 package lib.exempt_container
diff --git a/library/pod-security-policy/volumes/template.yaml b/library/pod-security-policy/volumes/template.yaml
index 7b4c231a0..7ecd33144 100644
--- a/library/pod-security-policy/volumes/template.yaml
+++ b/library/pod-security-policy/volumes/template.yaml
@@ -35,11 +35,11 @@ spec:
 rego: |
 package k8spspvolumetypes
- import data.lib.exclude_update_patch.is_update_or_patch
+ import data.lib.exclude_update.is_update
 violation[{"msg": msg, "details": {}}] {
 # spec.volumes field is immutable.
- not is_update_or_patch(input.review)
+ not is_update(input.review)
 volume_fields := {x | input.review.object.spec.volumes[_][x]; x != "name"}
 field := volume_fields[_]
@@ -57,10 +57,10 @@ spec:
 }
 libs:
 - |
- package lib.exclude_update_patch
+ package lib.exclude_update
 import future.keywords.in
- is_update_or_patch(review) {
- review.operation in ["UPDATE", "PATCH"]
+ is_update(review) {
+ review.operation == "UPDATE"
 }
diff --git a/website/docs/validation/allow-privilege-escalation.md b/website/docs/validation/allow-privilege-escalation.md
index 895776177..af8af6ec1 100644
--- a/website/docs/validation/allow-privilege-escalation.md
+++ b/website/docs/validation/allow-privilege-escalation.md
@@ -51,12 +51,12 @@ spec: rego: | package k8spspallowprivilegeescalationcontainer - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { # spec.containers.securityContext.allowPrivilegeEscalation field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) c := input_containers[_] not is_exempt(c) @@ -85,12 +85,12 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } - | package lib.exempt_container diff --git a/website/docs/validation/automount-serviceaccount-token.md b/website/docs/validation/automount-serviceaccount-token.md index 0d213ff55..a6f4ee7a0 100644 --- a/website/docs/validation/automount-serviceaccount-token.md +++ b/website/docs/validation/automount-serviceaccount-token.md @@ -34,11 +34,11 @@ spec: rego: | package k8sautomountserviceaccounttoken - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update violation[{"msg": msg}] { # spec.automountServiceAccountToken and spec.containers.volumeMounts fields are immutable. - not is_update_or_patch(input.review) + not is_update(input.review) obj := input.review.object mountServiceAccountToken(obj.spec) @@ -71,12 +71,12 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } ``` diff --git a/website/docs/validation/capabilities.md b/website/docs/validation/capabilities.md index 648098623..01801b3ab 100644 --- a/website/docs/validation/capabilities.md +++ b/website/docs/validation/capabilities.md 
@@ -62,12 +62,12 @@ spec: rego: | package capabilities - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg}] { # spec.containers.securityContext.capabilities field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.containers[_] not is_exempt(container) @@ -76,7 +76,7 @@ spec: } violation[{"msg": msg}] { - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.containers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -86,7 +86,7 @@ spec: violation[{"msg": msg}] { - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.initContainers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -94,7 +94,7 @@ spec: } violation[{"msg": msg}] { - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.initContainers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -104,7 +104,7 @@ spec: violation[{"msg": msg}] { - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.ephemeralContainers[_] not is_exempt(container) has_disallowed_capabilities(container) @@ -112,7 +112,7 @@ spec: } violation[{"msg": msg}] { - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.ephemeralContainers[_] not is_exempt(container) missing_drop_capabilities(container) @@ -148,12 +148,12 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } - | package lib.exempt_container 
diff --git a/website/docs/validation/ephemeralstoragelimit.md b/website/docs/validation/ephemeralstoragelimit.md index e757231fb..45df756d2 100644 --- a/website/docs/validation/ephemeralstoragelimit.md +++ b/website/docs/validation/ephemeralstoragelimit.md @@ -51,7 +51,7 @@ spec: rego: | package k8scontainerephemeralstoragelimit - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt missing(obj, field) = true { @@ -165,13 +165,13 @@ spec: violation[{"msg": msg}] { # spec.containers.resources.limits["ephemeral-storage"] field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) general_violation[{"msg": msg, "field": "containers"}] } violation[{"msg": msg}] { - not is_update_or_patch(input.review) + not is_update(input.review) general_violation[{"msg": msg, "field": "initContainers"}] } @@ -218,12 +218,12 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } - | package lib.exempt_container diff --git a/website/docs/validation/flexvolume-drivers.md b/website/docs/validation/flexvolume-drivers.md index f279a60e9..bb76d7804 100644 --- a/website/docs/validation/flexvolume-drivers.md +++ b/website/docs/validation/flexvolume-drivers.md @@ -51,11 +51,11 @@ spec: rego: | package k8spspflexvolumes - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update violation[{"msg": msg, "details": {}}] { # spec.volumes field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) volume := input_flexvolumes[_] not input_flexvolumes_allowed(volume) 
@@ -77,12 +77,12 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } ``` diff --git a/website/docs/validation/forbidden-sysctls.md b/website/docs/validation/forbidden-sysctls.md index 8db297830..9dadbd2f7 100644 --- a/website/docs/validation/forbidden-sysctls.md +++ b/website/docs/validation/forbidden-sysctls.md @@ -54,12 +54,12 @@ spec: rego: | package k8spspforbiddensysctls - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update # Block if forbidden violation[{"msg": msg, "details": {}}] { # spec.securityContext.sysctls field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) sysctl := input.review.object.spec.securityContext.sysctls[_].name forbidden_sysctl(sysctl) @@ -68,7 +68,7 @@ spec: # Block if not explicitly allowed violation[{"msg": msg, "details": {}}] { - not is_update_or_patch(input.review) + not is_update(input.review) sysctl := input.review.object.spec.securityContext.sysctls[_].name not allowed_sysctl(sysctl) msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls]) @@ -105,12 +105,12 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } ``` diff --git a/website/docs/validation/fsgroup.md b/website/docs/validation/fsgroup.md index 08eca2db4..ade0a222e 100644 --- a/website/docs/validation/fsgroup.md +++ b/website/docs/validation/fsgroup.md 
@@ -59,11 +59,11 @@ spec: rego: | package k8spspfsgroup - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update violation[{"msg": msg, "details": {}}] { # spec.securityContext.fsGroup field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) spec := input.review.object.spec not input_fsGroup_allowed(spec) @@ -110,12 +110,12 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } ``` diff --git a/website/docs/validation/host-filesystem.md b/website/docs/validation/host-filesystem.md index 0a8a104f4..302348b3c 100644 --- a/website/docs/validation/host-filesystem.md +++ b/website/docs/validation/host-filesystem.md @@ -54,11 +54,11 @@ spec: rego: | package k8spsphostfilesystem - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update violation[{"msg": msg, "details": {}}] { # spec.volumes field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) volume := input_hostpath_volumes[_] allowedPaths := get_allowed_paths(input) @@ -153,12 +153,12 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } ``` diff --git a/website/docs/validation/host-namespaces.md b/website/docs/validation/host-namespaces.md index 76ee3b8df..f371b5c7d 100644 --- a/website/docs/validation/host-namespaces.md +++ b/website/docs/validation/host-namespaces.md 
@@ -41,11 +41,11 @@ spec: rego: | package k8spsphostnamespace - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update violation[{"msg": msg, "details": {}}] { # spec.hostPID and spec.hostIPC fields are immutable. - not is_update_or_patch(input.review) + not is_update(input.review) input_share_hostnamespace(input.review.object) msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name]) @@ -59,12 +59,12 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } ``` diff --git a/website/docs/validation/host-network-ports.md b/website/docs/validation/host-network-ports.md index bd676d6d3..57fe4cff6 100644 --- a/website/docs/validation/host-network-ports.md +++ b/website/docs/validation/host-network-ports.md @@ -61,12 +61,12 @@ spec: rego: | package k8spsphostnetworkingports - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { # spec.hostNetwork field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) input_share_hostnetwork(input.review.object) msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters]) @@ -103,12 +103,12 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } - | package lib.exempt_container diff --git a/website/docs/validation/privileged-containers.md b/website/docs/validation/privileged-containers.md index d2f4c41fc..d5cb794e2 100644 
--- a/website/docs/validation/privileged-containers.md +++ b/website/docs/validation/privileged-containers.md @@ -51,12 +51,12 @@ spec: rego: | package k8spspprivileged - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { # spec.containers.privileged field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) c := input_containers[_] not is_exempt(c) @@ -77,12 +77,12 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } - | package lib.exempt_container diff --git a/website/docs/validation/proc-mount.md b/website/docs/validation/proc-mount.md index aa46cd570..ca171545a 100644 --- a/website/docs/validation/proc-mount.md +++ b/website/docs/validation/proc-mount.md @@ -62,12 +62,12 @@ spec: rego: | package k8spspprocmount - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { # spec.containers.securityContext.procMount field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) c := input_containers[_] not is_exempt(c) @@ -123,12 +123,12 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } - | package lib.exempt_container diff --git a/website/docs/validation/read-only-root-filesystem.md b/website/docs/validation/read-only-root-filesystem.md index 20ba2d9a7..cab4d1937 100644 --- a/website/docs/validation/read-only-root-filesystem.md +++ b/website/docs/validation/read-only-root-filesystem.md 
@@ -52,12 +52,12 @@ spec: rego: | package k8spspreadonlyrootfilesystem - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg, "details": {}}] { # spec.containers.readOnlyRootFilesystem field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) c := input_containers[_] not is_exempt(c) @@ -88,12 +88,12 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } - | package lib.exempt_container diff --git a/website/docs/validation/requiredprobes.md b/website/docs/validation/requiredprobes.md index 2097275a0..1bfa61b28 100644 --- a/website/docs/validation/requiredprobes.md +++ b/website/docs/validation/requiredprobes.md @@ -42,7 +42,7 @@ spec: rego: | package k8srequiredprobes - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update probe_type_set = probe_types { probe_types := {type | type := input.parameters.probeTypes[_]} @@ -50,7 +50,7 @@ spec: violation[{"msg": msg}] { # Probe fields are immutable. - not is_update_or_patch(input.review) + not is_update(input.review) container := input.review.object.spec.containers[_] probe := input.parameters.probes[_] @@ -77,12 +77,12 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } ``` diff --git a/website/docs/validation/selinux.md b/website/docs/validation/selinux.md index d3e672a44..080e4a7d5 100644 --- a/website/docs/validation/selinux.md +++ b/website/docs/validation/selinux.md 
@@ -71,13 +71,13 @@ spec: rego: | package k8spspselinux - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt # Disallow top level custom SELinux options violation[{"msg": msg, "details": {}}] { # spec.securityContext.seLinuxOptions field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) has_field(input.review.object.spec.securityContext, "seLinuxOptions") not input_seLinuxOptions_allowed(input.review.object.spec.securityContext.seLinuxOptions) @@ -86,7 +86,7 @@ spec: # Disallow container level custom SELinux options violation[{"msg": msg, "details": {}}] { # spec.containers.securityContext.seLinuxOptions field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) c := input_security_context[_] not is_exempt(c) @@ -129,12 +129,12 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } - | package lib.exempt_container diff --git a/website/docs/validation/users.md b/website/docs/validation/users.md index adec28e88..49449e200 100644 --- a/website/docs/validation/users.md +++ b/website/docs/validation/users.md @@ -147,12 +147,12 @@ spec: rego: | package k8spspallowedusers - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update import data.lib.exempt_container.is_exempt violation[{"msg": msg}] { # runAsUser, runAsGroup, supplementalGroups, fsGroup fields are immutable. - not is_update_or_patch(input.review) + not is_update(input.review) fields := ["runAsUser", "runAsGroup", "supplementalGroups", "fsGroup"] field := fields[_] 
@@ -277,12 +277,12 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } - | package lib.exempt_container diff --git a/website/docs/validation/volumes.md b/website/docs/validation/volumes.md index 0ebc5cb07..62de98cb8 100644 --- a/website/docs/validation/volumes.md +++ b/website/docs/validation/volumes.md @@ -47,11 +47,11 @@ spec: rego: | package k8spspvolumetypes - import data.lib.exclude_update_patch.is_update_or_patch + import data.lib.exclude_update.is_update violation[{"msg": msg, "details": {}}] { # spec.volumes field is immutable. - not is_update_or_patch(input.review) + not is_update(input.review) volume_fields := {x | input.review.object.spec.volumes[_][x]; x != "name"} field := volume_fields[_] @@ -69,12 +69,12 @@ spec: } libs: - | - package lib.exclude_update_patch + package lib.exclude_update import future.keywords.in - is_update_or_patch(review) { - review.operation in ["UPDATE", "PATCH"] + is_update(review) { + review.operation == "UPDATE" } ``` From 44bb17167c40ef2cc4e783175a7d4dc30caaaf4a Mon Sep 17 00:00:00 2001 From: Hidehito Yabuuchi Date: Tue, 1 Aug 2023 18:25:12 +0900 Subject: [PATCH 06/11] Add tests for constraint templates 
Signed-off-by: Hidehito Yabuuchi --- src/general/automount-serviceaccount-token/src_test.rego | 6 ++++++ src/general/ephemeralstoragelimit/src_test.rego | 5 +++++ src/general/requiredprobes/src_test.rego | 8 ++++++++ .../allow-privilege-escalation/src_test.rego | 5 +++++ src/pod-security-policy/capabilities/src_test.rego | 6 ++++++ src/pod-security-policy/flexvolume-drivers/src_test.rego | 6 ++++++ src/pod-security-policy/forbidden-sysctls/src_test.rego | 6 ++++++ src/pod-security-policy/fsgroup/src_test.rego | 5 +++++ src/pod-security-policy/host-filesystem/src_test.rego | 5 +++++ src/pod-security-policy/host-namespaces/src_test.rego | 5 +++++ src/pod-security-policy/host-network-ports/src_test.rego | 5 +++++ .../privileged-containers/src_test.rego | 5 +++++ src/pod-security-policy/proc-mount/src_test.rego | 5 +++++ .../read-only-root-filesystem/src_test.rego | 5 +++++ src/pod-security-policy/selinux/src_test.rego | 5 +++++ src/pod-security-policy/users/src_test.rego | 7 +++++-- src/pod-security-policy/volumes/src_test.rego | 6 ++++++ 17 files changed, 93 insertions(+), 2 deletions(-) diff --git a/src/general/automount-serviceaccount-token/src_test.rego b/src/general/automount-serviceaccount-token/src_test.rego index 5c3075dec..ec2c75ea2 100644 --- a/src/general/automount-serviceaccount-token/src_test.rego +++ b/src/general/automount-serviceaccount-token/src_test.rego @@ -18,6 +18,12 @@ test_input_pod_automountserviceaccounttoken_not_defined { count(results) > 0 } +test_update { + input := {"review": object.union(input_review_enabled_automountserviceaccounttoken, {"operation": "UPDATE"})} + results := violation with input as input + count(results) == 0 +} + input_review_disabled_automountserviceaccounttoken = {"object": { "metadata": {"name": "nginx"}, "spec": { diff --git a/src/general/ephemeralstoragelimit/src_test.rego b/src/general/ephemeralstoragelimit/src_test.rego index bcd4625b6..c2ede0c4d 100644 --- a/src/general/ephemeralstoragelimit/src_test.rego 
+++ b/src/general/ephemeralstoragelimit/src_test.rego @@ -147,6 +147,11 @@ test_input_violations_eph_Ei_with_exemption { results := violation with input as input count(results) == 0 } +test_update { + input := {"review": object.union(review([ctr("a", 4096)]), {"operation": "UPDATE"}), "parameters": {"ephemeral-storage": "2048"}} + results := violation with input as input + count(results) == 0 +} review(containers) = output { output = { diff --git a/src/general/requiredprobes/src_test.rego b/src/general/requiredprobes/src_test.rego index a860b2e46..0ad2676e2 100644 --- a/src/general/requiredprobes/src_test.rego +++ b/src/general/requiredprobes/src_test.rego @@ -335,6 +335,14 @@ test_two_ctrs_empty_liveness_in_ctr_two_both_empty_probes_in_ctr_one { count(results) == 3 } +test_update { + kind := kinds[_] + input := {"review": object.union(review([{"name": "my-container","image": "my-image:latest", "livenessProbe": {"tcpSocket": {"port":80}}}]), {"operation": "UPDATE"}), + "parameters": parameters} + results := violation with input as input + count(results) == 0 +} + review(containers) = obj { obj = { "kind": { diff --git a/src/pod-security-policy/allow-privilege-escalation/src_test.rego b/src/pod-security-policy/allow-privilege-escalation/src_test.rego index bd3fa88e7..a8e380d1f 100644 --- a/src/pod-security-policy/allow-privilege-escalation/src_test.rego +++ b/src/pod-security-policy/allow-privilege-escalation/src_test.rego @@ -40,6 +40,11 @@ test_input_container_many_mixed_privilege_escalation_not_allowed_two { results := violation with input as input count(results) == 2 } +test_update { + input := { "review": object.union(input_review_priv, {"operation": "UPDATE"})} + results := violation with input as input + count(results) == 0 +} input_review = { "object": { diff --git a/src/pod-security-policy/capabilities/src_test.rego b/src/pod-security-policy/capabilities/src_test.rego index 4de431a5d..6158a3eea 100644 --- a/src/pod-security-policy/capabilities/src_test.rego 
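Review bot: In the new `test_update` of src/general/requiredprobes/src_test.rego, `kind := kinds[_]` is assigned but nothing in the body reads `kind` — `review([...])` receives only the container list — so the test evaluates once per entry of `kinds` with identical input, and `opa check --strict` rejects unused assigned variables. Unless `review` or `parameters` depends on it in a way not visible here, either drop the line or thread the kind into the review object. The other `test_update` rules added in this commit build their input without it, so removing the line also keeps the tests uniform.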
+++ b/src/pod-security-policy/capabilities/src_test.rego @@ -134,6 +134,12 @@ test_input_drop_literal_all_x2 { count(results) == 0 } +test_update { + input := { "review": object.union(input_review([cadd(["one"])]), {"operation": "UPDATE"}), "parameters": {"allowedCapabilities": []}} + results := violation with input as input + count(results) == 0 +} + # init containers test_input_all_allowed { input := { "review": input_init_review([cadd(["one", "two"])]), "parameters": {"allowedCapabilities": ["*"]}} diff --git a/src/pod-security-policy/flexvolume-drivers/src_test.rego b/src/pod-security-policy/flexvolume-drivers/src_test.rego index 590ee49a0..3b8eb69be 100644 --- a/src/pod-security-policy/flexvolume-drivers/src_test.rego +++ b/src/pod-security-policy/flexvolume-drivers/src_test.rego @@ -54,6 +54,12 @@ test_input_flexvolume_many_mixed_allowed { count(results) == 1 } +test_update { + input := { "review": object.union(input_review, {"operation": "UPDATE"}), "parameters": input_parameters_empty} + results := violation with input as input + count(results) == 0 +} + input_review = { "object": { "metadata": { diff --git a/src/pod-security-policy/forbidden-sysctls/src_test.rego b/src/pod-security-policy/forbidden-sysctls/src_test.rego index 5a299028d..d2bd78027 100644 --- a/src/pod-security-policy/forbidden-sysctls/src_test.rego +++ b/src/pod-security-policy/forbidden-sysctls/src_test.rego @@ -153,6 +153,12 @@ test_input_sysctls_allowed_and_forbidden { count(results) == 2 } +test_update { + input := { "review": object.union(input_review, {"operation": "UPDATE"}), "parameters": input_parameters_wildcard} + results := violation with input as input + count(results) == 0 +} + input_review = { "object": { "metadata": { diff --git a/src/pod-security-policy/fsgroup/src_test.rego b/src/pod-security-policy/fsgroup/src_test.rego index ca3c1910f..51fcf59f7 100644 --- a/src/pod-security-policy/fsgroup/src_test.rego +++ b/src/pod-security-policy/fsgroup/src_test.rego 
@@ -50,6 +50,11 @@ test_input_securitycontext_no_fsgroup_MayRunAs_allowed { results := violation with input as input count(results) == 0 } +test_update { + input := { "review": object.union(input_review_with_fsgroup, {"operation": "UPDATE"}), "parameters": input_parameters_in_list_mustrunas_outofrange} + results := violation with input as input + count(results) == 0 +} input_review = { "object": { diff --git a/src/pod-security-policy/host-filesystem/src_test.rego b/src/pod-security-policy/host-filesystem/src_test.rego index 764f1c6bf..1e85733c3 100644 --- a/src/pod-security-policy/host-filesystem/src_test.rego +++ b/src/pod-security-policy/host-filesystem/src_test.rego @@ -105,6 +105,11 @@ test_input_hostpath_allowed_mixed_writable_mixed_parameters { results := violation with input as input count(results) == 0 } +test_update { + input := { "review": object.union(input_review, {"operation": "UPDATE"}), "parameters": input_parameters_empty} + results := violation with input as input + count(results) == 0 +} # Init Containers diff --git a/src/pod-security-policy/host-namespaces/src_test.rego b/src/pod-security-policy/host-namespaces/src_test.rego index dab022864..f5c13e774 100644 --- a/src/pod-security-policy/host-namespaces/src_test.rego +++ b/src/pod-security-policy/host-namespaces/src_test.rego @@ -20,6 +20,11 @@ test_input_hostnamespace_both_not_allowed { results := violation with input as input count(results) > 0 } +test_update { + input := { "review": object.union(input_review_hostPID, {"operation": "UPDATE"})} + results := violation with input as input + count(results) == 0 +} input_review = { "object": { diff --git a/src/pod-security-policy/host-network-ports/src_test.rego b/src/pod-security-policy/host-network-ports/src_test.rego index b467c6aa3..0e54e11d4 100644 --- a/src/pod-security-policy/host-network-ports/src_test.rego +++ b/src/pod-security-policy/host-network-ports/src_test.rego 
@@ -41,6 +41,11 @@ test_input_with_hostnetwork_container_ports_not_allowed_but_exempt { trace(sprintf("%v", [results])) count(results) == 0 } +test_update { + input := { "review": object.union(input_review_no_hostnetwork_container_ports_outofrange, {"operation": "UPDATE"}), "parameters": input_parameters_ports} + results := violation with input as input + count(results) == 0 +} input_review = { "object": { diff --git a/src/pod-security-policy/privileged-containers/src_test.rego b/src/pod-security-policy/privileged-containers/src_test.rego index 0e25bd07d..4c1a462a2 100644 --- a/src/pod-security-policy/privileged-containers/src_test.rego +++ b/src/pod-security-policy/privileged-containers/src_test.rego @@ -30,6 +30,11 @@ test_input_container_many_mixed_privileged_not_allowed_two_but_exempt { results := violation with input as input count(results) == 0 } +test_update { + input := { "review": object.union(input_review_priv, {"operation": "UPDATE"})} + results := violation with input as input + count(results) == 0 +} input_review = { "object": { diff --git a/src/pod-security-policy/proc-mount/src_test.rego b/src/pod-security-policy/proc-mount/src_test.rego index 4488109c1..32452d8fb 100644 --- a/src/pod-security-policy/proc-mount/src_test.rego +++ b/src/pod-security-policy/proc-mount/src_test.rego @@ -65,6 +65,11 @@ test_input_container_many_mixed_proc_mount_allowed_two { results := violation with input as input count(results) == 0 } +test_update { + input := { "review": object.union(input_review_unmasked, {"operation": "UPDATE"}), "parameters": input_parameters_default} + results := violation with input as input + count(results) == 0 +} input_review = { "object": { diff --git a/src/pod-security-policy/read-only-root-filesystem/src_test.rego b/src/pod-security-policy/read-only-root-filesystem/src_test.rego index da3baf3e4..348613859 100644 --- a/src/pod-security-policy/read-only-root-filesystem/src_test.rego 
+++ b/src/pod-security-policy/read-only-root-filesystem/src_test.rego @@ -25,6 +25,11 @@ test_input_container_many_mixed_readonlyrootfilesystem_not_allowed_two_but_exemp results := violation with input as input count(results) == 0 } +test_update { + input := { "review": object.union(input_review, {"operation": "UPDATE"})} + results := violation with input as input + count(results) == 0 +} input_review = { "object": { diff --git a/src/pod-security-policy/selinux/src_test.rego b/src/pod-security-policy/selinux/src_test.rego index eb9aa218b..8d796e8c7 100644 --- a/src/pod-security-policy/selinux/src_test.rego +++ b/src/pod-security-policy/selinux/src_test.rego @@ -133,6 +133,11 @@ test_input_seLinux_options_many_not_allowed_not_in_list_double_seccontext { count(results) == 3 } +test_input_seLinux_options_update { + input := { "review": object.union(input_review, {"operation": "UPDATE"}), "parameters": input_parameters_in_list_subset} + results := violation with input as input + count(results) == 0 +} input_review = { "object": { diff --git a/src/pod-security-policy/users/src_test.rego b/src/pod-security-policy/users/src_test.rego index 1fbb9ecc3..6e5979c87 100644 --- a/src/pod-security-policy/users/src_test.rego +++ b/src/pod-security-policy/users/src_test.rego @@ -812,8 +812,11 @@ test_mixed_container_level_all_defined_mixed_in_range_mixed_rules { count(results) == 1 } - - +test_update { + input := {"review": object.union(review(null, [ctr("cont1", run_as_rule(150, 150, null, null))], null), {"operation": "UPDATE"}), "parameters": mixed_all_rules } + results := violation with input as input + count(results) == 0 +} ## Functions ## diff --git a/src/pod-security-policy/volumes/src_test.rego b/src/pod-security-policy/volumes/src_test.rego index 81ba9effd..841e79bf8 100644 --- a/src/pod-security-policy/volumes/src_test.rego +++ b/src/pod-security-policy/volumes/src_test.rego 
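Review bot: The selinux test is named `test_input_seLinux_options_update` while the equivalent additions in the other src_test.rego files in this commit are all `test_update` (the volumes file in the next hunk uses `test_input_volume_type_update`); one name across the series makes the UPDATE-bypass coverage easy to grep for and to spot when a policy is missing it. Each of these tests asserts only `count(results) == 0`, which is sufficient because the existing tests run without an `operation` key and so already exercise the `not is_update` branch firing.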
@@ -67,6 +67,12 @@ test_input_volume_type_allowed_in_list_many_volumes_mixed { count(results) == 1 } +test_input_volume_type_update { + input := { "review": object.union(input_review, {"operation": "UPDATE"}), "parameters": input_parameters_empty} + results := violation with input as input + count(results) == 0 +} + input_review = { "object": { "metadata": { From 8f15c36cab91d651205f62e9196939d9e1c303ff Mon Sep 17 00:00:00 2001 From: Hidehito Yabuuchi Date: Wed, 2 Aug 2023 18:52:20 +0900 Subject: [PATCH 07/11] Add tests for constraints 
Signed-off-by: Hidehito Yabuuchi --- .../update.yaml | 16 +++++++++ .../automount-serviceaccount-token/suite.yaml | 4 +++ .../update.yaml | 24 +++++++++++++ .../general/ephemeralstoragelimit/suite.yaml | 4 +++ .../samples/must-have-probes/update.yaml | 35 +++++++++++++++++++ library/general/requiredprobes/suite.yaml | 4 +++ .../update.yaml | 17 +++++++++ .../allow-privilege-escalation/suite.yaml | 4 +++ .../samples/capabilities-demo/update.yaml | 26 ++++++++++++++ .../capabilities/suite.yaml | 4 +++ .../psp-flexvolume-drivers/update.yaml | 23 ++++++++++++ .../flexvolume-drivers/suite.yaml | 4 +++ .../samples/psp-forbidden-sysctls/update.yaml | 21 +++++++++++ .../forbidden-sysctls/suite.yaml | 4 +++ .../fsgroup/samples/psp-fsgroup/update.yaml | 22 ++++++++++++ .../pod-security-policy/fsgroup/suite.yaml | 4 +++ .../samples/psp-host-filesystem/update.yaml | 23 ++++++++++++ .../host-filesystem/suite.yaml | 4 +++ .../samples/psp-host-namespace/update.yaml | 17 +++++++++ .../host-namespaces/suite.yaml | 4 +++ .../psp-host-network-ports/update.yaml | 19 ++++++++++ .../host-network-ports/suite.yaml | 4 +++ .../psp-privileged-container/update.yaml | 17 +++++++++ .../privileged-containers/suite.yaml | 4 +++ .../samples/psp-proc-mount/update.yaml | 17 +++++++++ .../pod-security-policy/proc-mount/suite.yaml | 4 +++ .../psp-readonlyrootfilesystem/update.yaml | 17 +++++++++ .../read-only-root-filesystem/suite.yaml | 4 +++ .../samples/psp-selinux-v2/update.yaml | 21 +++++++++++ .../pod-security-policy/selinux/suite.yaml | 4 +++ .../psp-pods-allowed-user-ranges/update.yaml | 22 ++++++++++++ library/pod-security-policy/users/suite.yaml | 4 +++ .../samples/psp-volume-types/update.yaml | 29 +++++++++++++++ .../pod-security-policy/volumes/suite.yaml | 4 +++ 34 files changed, 434 insertions(+) create mode 100644 library/general/automount-serviceaccount-token/samples/automount-serviceaccount-token/update.yaml create mode 100644 
library/general/ephemeralstoragelimit/samples/container-must-have-ephemeral-storage-limit/update.yaml create mode 100644 library/general/requiredprobes/samples/must-have-probes/update.yaml create mode 100644 library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/update.yaml create mode 100644 library/pod-security-policy/capabilities/samples/capabilities-demo/update.yaml create mode 100644 library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/update.yaml create mode 100644 library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/update.yaml create mode 100644 library/pod-security-policy/fsgroup/samples/psp-fsgroup/update.yaml create mode 100644 library/pod-security-policy/host-filesystem/samples/psp-host-filesystem/update.yaml create mode 100644 library/pod-security-policy/host-namespaces/samples/psp-host-namespace/update.yaml create mode 100644 library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/update.yaml create mode 100644 library/pod-security-policy/privileged-containers/samples/psp-privileged-container/update.yaml create mode 100644 library/pod-security-policy/proc-mount/samples/psp-proc-mount/update.yaml create mode 100644 library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/update.yaml create mode 100644 library/pod-security-policy/selinux/samples/psp-selinux-v2/update.yaml create mode 100644 library/pod-security-policy/users/samples/psp-pods-allowed-user-ranges/update.yaml create mode 100644 library/pod-security-policy/volumes/samples/psp-volume-types/update.yaml diff --git a/library/general/automount-serviceaccount-token/samples/automount-serviceaccount-token/update.yaml b/library/general/automount-serviceaccount-token/samples/automount-serviceaccount-token/update.yaml new file mode 100644 index 000000000..0e9030f27 --- /dev/null 
+++ b/library/general/automount-serviceaccount-token/samples/automount-serviceaccount-token/update.yaml @@ -0,0 +1,16 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-automountserviceaccounttoken-update + labels: + app: nginx-automountserviceaccounttoken + spec: + automountServiceAccountToken: true + containers: + - name: nginx + image: nginx diff --git a/library/general/automount-serviceaccount-token/suite.yaml b/library/general/automount-serviceaccount-token/suite.yaml index 2cbc9064f..cf257d08f 100644 --- a/library/general/automount-serviceaccount-token/suite.yaml +++ b/library/general/automount-serviceaccount-token/suite.yaml @@ -15,3 +15,7 @@ tests: object: samples/automount-serviceaccount-token/example_disallowed.yaml assertions: - violations: yes + - name: update + object: samples/automount-serviceaccount-token/update.yaml + assertions: + - violations: no diff --git a/library/general/ephemeralstoragelimit/samples/container-must-have-ephemeral-storage-limit/update.yaml b/library/general/ephemeralstoragelimit/samples/container-must-have-ephemeral-storage-limit/update.yaml new file mode 100644 index 000000000..c0ff27893 --- /dev/null +++ b/library/general/ephemeralstoragelimit/samples/container-must-have-ephemeral-storage-limit/update.yaml @@ -0,0 +1,24 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: opa-allowed + labels: + owner: me.agilebank.demo + spec: + containers: + - name: opa + image: openpolicyagent/opa:0.9.2 + args: + - "run" + - "--server" + - "--addr=localhost:8080" + resources: + limits: + cpu: "100m" + memory: "1Gi" + ephemeral-storage: "1Pi" diff --git a/library/general/ephemeralstoragelimit/suite.yaml b/library/general/ephemeralstoragelimit/suite.yaml index f76b15f06..3d58b3dab 100644 
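Review bot: The assumption behind this UPDATE sample asserting no violation is that container `resources` are immutable on a Pod, and that is no longer unconditional: with the InPlacePodVerticalScaling feature (alpha since 1.27) `spec.containers[*].resources` can change on a running Pod, currently limited to cpu and memory, so the `ephemeral-storage` limit this policy checks still cannot be edited. Because that limitation is a feature-gate detail rather than an API guarantee, I would record it next to the exemption in `src.rego` (outside this hunk), e.g. `# Pod resources are immutable except for in-place cpu/memory resize; revisit if ephemeral-storage ever becomes resizable.`, so the next reader knows what the exemption rests on. The Pod in the fixture is also named `opa-allowed` although, judging from the neighbouring `..._1Pi-initContainer.yaml` disallowed sample, a `1Pi` limit is the over-limit shape; naming it `opa-update-disallowed` would make the suite read correctly.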
--- a/library/general/ephemeralstoragelimit/suite.yaml +++ b/library/general/ephemeralstoragelimit/suite.yaml @@ -27,3 +27,7 @@ tests: object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml assertions: - violations: yes + - name: ephemeral-storage-limit-update + object: samples/container-must-have-ephemeral-storage-limit/update.yaml + assertions: + - violations: no \ No newline at end of file diff --git a/library/general/requiredprobes/samples/must-have-probes/update.yaml b/library/general/requiredprobes/samples/must-have-probes/update.yaml new file mode 100644 index 000000000..ff5e91103 --- /dev/null +++ b/library/general/requiredprobes/samples/must-have-probes/update.yaml @@ -0,0 +1,35 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: test-pod1 + spec: + containers: + - name: nginx-1 + image: nginx:1.7.9 + ports: + - containerPort: 80 + livenessProbe: + # tcpSocket: + # port: 80 + # initialDelaySeconds: 5 + # periodSeconds: 10 + volumeMounts: + - mountPath: /tmp/cache + name: cache-volume + - name: tomcat + image: tomcat + ports: + - containerPort: 8080 + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 10 + volumes: + - name: cache-volume + emptyDir: {} diff --git a/library/general/requiredprobes/suite.yaml b/library/general/requiredprobes/suite.yaml index 8e8629a92..86c2a229e 100644 --- a/library/general/requiredprobes/suite.yaml +++ b/library/general/requiredprobes/suite.yaml @@ -19,3 +19,7 @@ tests: object: samples/must-have-probes/example_disallowed2.yaml assertions: - violations: yes + - name: update + object: samples/must-have-probes/update.yaml + assertions: + - violations: no 
diff --git a/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/update.yaml b/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/update.yaml new file mode 100644 index 000000000..a79d40a1b --- /dev/null +++ b/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/update.yaml @@ -0,0 +1,17 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-privilege-escalation-disallowed + labels: + app: nginx-privilege-escalation + spec: + containers: + - name: nginx + image: nginx + securityContext: + allowPrivilegeEscalation: true diff --git a/library/pod-security-policy/allow-privilege-escalation/suite.yaml b/library/pod-security-policy/allow-privilege-escalation/suite.yaml index 0c65f18f7..cd7531cfa 100644 --- a/library/pod-security-policy/allow-privilege-escalation/suite.yaml +++ b/library/pod-security-policy/allow-privilege-escalation/suite.yaml @@ -19,3 +19,7 @@ tests: object: samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml assertions: - violations: yes + - name: update + object: samples/psp-allow-privilege-escalation-container/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/capabilities/samples/capabilities-demo/update.yaml b/library/pod-security-policy/capabilities/samples/capabilities-demo/update.yaml new file mode 100644 index 000000000..df8ea0070 --- /dev/null +++ b/library/pod-security-policy/capabilities/samples/capabilities-demo/update.yaml 
@@ -0,0 +1,26 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: opa-disallowed + labels: + owner: me.agilebank.demo + spec: + containers: + - name: opa + image: openpolicyagent/opa:0.9.2 + args: + - "run" + - "--server" + - "--addr=localhost:8080" + securityContext: + capabilities: + add: ["disallowedcapability"] + resources: + limits: + cpu: "100m" + memory: "30Mi" diff --git a/library/pod-security-policy/capabilities/suite.yaml b/library/pod-security-policy/capabilities/suite.yaml index 8f7386e1c..29a207c25 100644 --- a/library/pod-security-policy/capabilities/suite.yaml +++ b/library/pod-security-policy/capabilities/suite.yaml @@ -19,3 +19,7 @@ tests: object: samples/capabilities-demo/disallowed_ephemeral.yaml assertions: - violations: yes + - name: update + object: samples/capabilities-demo/update.yaml + assertions: + - violations: no \ No newline at end of file diff --git a/library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/update.yaml b/library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/update.yaml new file mode 100644 index 000000000..9358c6c5c --- /dev/null +++ b/library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/update.yaml @@ -0,0 +1,23 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-flexvolume-driver-disallowed + labels: + app: nginx-flexvolume-driver + spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /test + name: test-volume + readOnly: true + volumes: + - name: test-volume + flexVolume: + driver: "example/testdriver" #"example/lvm" diff --git a/library/pod-security-policy/flexvolume-drivers/suite.yaml b/library/pod-security-policy/flexvolume-drivers/suite.yaml index 1f4a4ef75..fe69966bd 100644 
--- a/library/pod-security-policy/flexvolume-drivers/suite.yaml +++ b/library/pod-security-policy/flexvolume-drivers/suite.yaml @@ -15,3 +15,7 @@ tests: object: samples/psp-flexvolume-drivers/example_disallowed.yaml assertions: - violations: yes + - name: update + object: samples/psp-flexvolume-drivers/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/update.yaml b/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/update.yaml new file mode 100644 index 000000000..e4e732be9 --- /dev/null +++ b/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/update.yaml @@ -0,0 +1,21 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-forbidden-sysctls-disallowed + labels: + app: nginx-forbidden-sysctls + spec: + containers: + - name: nginx + image: nginx + securityContext: + sysctls: + - name: kernel.msgmax + value: "65536" + - name: net.core.somaxconn + value: "1024" diff --git a/library/pod-security-policy/forbidden-sysctls/suite.yaml b/library/pod-security-policy/forbidden-sysctls/suite.yaml index bcc4caaae..d00f85b8b 100644 --- a/library/pod-security-policy/forbidden-sysctls/suite.yaml +++ b/library/pod-security-policy/forbidden-sysctls/suite.yaml @@ -15,3 +15,7 @@ tests: object: samples/psp-forbidden-sysctls/example_allowed.yaml assertions: - violations: no + - name: update + object: samples/psp-forbidden-sysctls/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/fsgroup/samples/psp-fsgroup/update.yaml b/library/pod-security-policy/fsgroup/samples/psp-fsgroup/update.yaml new file mode 100644 index 000000000..c0de7258a --- /dev/null +++ b/library/pod-security-policy/fsgroup/samples/psp-fsgroup/update.yaml 
@@ -0,0 +1,22 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: fsgroup-disallowed + spec: + securityContext: + fsGroup: 2000 # directory will have group ID 2000 + volumes: + - name: fsgroup-demo-vol + emptyDir: {} + containers: + - name: fsgroup-demo + image: busybox + command: [ "sh", "-c", "sleep 1h" ] + volumeMounts: + - name: fsgroup-demo-vol + mountPath: /data/demo diff --git a/library/pod-security-policy/fsgroup/suite.yaml b/library/pod-security-policy/fsgroup/suite.yaml index f24cb6a35..cb102e785 100644 --- a/library/pod-security-policy/fsgroup/suite.yaml +++ b/library/pod-security-policy/fsgroup/suite.yaml @@ -15,3 +15,7 @@ tests: object: samples/psp-fsgroup/example_allowed.yaml assertions: - violations: no + - name: update + object: samples/psp-fsgroup/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/host-filesystem/samples/psp-host-filesystem/update.yaml b/library/pod-security-policy/host-filesystem/samples/psp-host-filesystem/update.yaml new file mode 100644 index 000000000..68b28a536 --- /dev/null +++ b/library/pod-security-policy/host-filesystem/samples/psp-host-filesystem/update.yaml @@ -0,0 +1,23 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-host-filesystem + labels: + app: nginx-host-filesystem-disallowed + spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /cache + name: cache-volume + readOnly: true + volumes: + - name: cache-volume + hostPath: + path: /tmp # directory location on host diff --git a/library/pod-security-policy/host-filesystem/suite.yaml b/library/pod-security-policy/host-filesystem/suite.yaml index ec28e4ffc..5441df8cc 100644 --- a/library/pod-security-policy/host-filesystem/suite.yaml +++ b/library/pod-security-policy/host-filesystem/suite.yaml 
@@ -19,3 +19,7 @@ tests: object: samples/psp-host-filesystem/disallowed_ephemeral.yaml assertions: - violations: yes + - name: update + object: samples/psp-host-filesystem/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/host-namespaces/samples/psp-host-namespace/update.yaml b/library/pod-security-policy/host-namespaces/samples/psp-host-namespace/update.yaml new file mode 100644 index 000000000..29e17f13a --- /dev/null +++ b/library/pod-security-policy/host-namespaces/samples/psp-host-namespace/update.yaml @@ -0,0 +1,17 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-host-namespace-disallowed + labels: + app: nginx-host-namespace + spec: + hostPID: true + hostIPC: true + containers: + - name: nginx + image: nginx diff --git a/library/pod-security-policy/host-namespaces/suite.yaml b/library/pod-security-policy/host-namespaces/suite.yaml index d274351ff..b8e853d5f 100644 --- a/library/pod-security-policy/host-namespaces/suite.yaml +++ b/library/pod-security-policy/host-namespaces/suite.yaml @@ -15,3 +15,7 @@ tests: object: samples/psp-host-namespace/example_disallowed.yaml assertions: - violations: yes + - name: update + object: samples/psp-host-namespace/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/update.yaml b/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/update.yaml new file mode 100644 index 000000000..231096430 --- /dev/null +++ b/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/update.yaml 
@@ -0,0 +1,19 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-host-networking-ports-disallowed + labels: + app: nginx-host-networking-ports + spec: + hostNetwork: true + containers: + - name: nginx + image: nginx + ports: + - containerPort: 9001 + hostPort: 9001 diff --git a/library/pod-security-policy/host-network-ports/suite.yaml b/library/pod-security-policy/host-network-ports/suite.yaml index 86593fc9d..710df69eb 100644 --- a/library/pod-security-policy/host-network-ports/suite.yaml +++ b/library/pod-security-policy/host-network-ports/suite.yaml @@ -19,3 +19,7 @@ tests: object: samples/psp-host-network-ports/disallowed_ephemeral.yaml assertions: - violations: yes + - name: update + object: samples/psp-host-network-ports/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/update.yaml b/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/update.yaml new file mode 100644 index 000000000..08f36044c --- /dev/null +++ b/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/update.yaml @@ -0,0 +1,17 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-privileged-disallowed + labels: + app: nginx-privileged + spec: + containers: + - name: nginx + image: nginx + securityContext: + privileged: true diff --git a/library/pod-security-policy/privileged-containers/suite.yaml b/library/pod-security-policy/privileged-containers/suite.yaml index 593f96015..c2e484fc5 100644 --- a/library/pod-security-policy/privileged-containers/suite.yaml +++ b/library/pod-security-policy/privileged-containers/suite.yaml 
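Review bot: The new fixture declares `apiVersion: admission.k8s.io/v1beta1`, which the API server stopped serving in Kubernetes 1.22; gator presumably only inspects `kind` and `request`, but new samples should still say `apiVersion: admission.k8s.io/v1` so they match what Gatekeeper actually receives today. A real UPDATE review also always carries `request.oldObject`; omitting it is harmless while the policy branches only on `operation`, but as soon as the exemption is narrowed to compare old and new spec this sample will keep passing for the wrong reason, so I would add an `oldObject:` holding the same Pod without the `securityContext` block now. The other `update.yaml` fixtures added in this commit share both points.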
@@ -19,3 +19,7 @@ tests: object: samples/psp-privileged-container/disallowed_ephemeral.yaml assertions: - violations: yes + - name: update + object: samples/psp-privileged-container/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/proc-mount/samples/psp-proc-mount/update.yaml b/library/pod-security-policy/proc-mount/samples/psp-proc-mount/update.yaml new file mode 100644 index 000000000..dc21b1142 --- /dev/null +++ b/library/pod-security-policy/proc-mount/samples/psp-proc-mount/update.yaml @@ -0,0 +1,17 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-proc-mount-disallowed + labels: + app: nginx-proc-mount + spec: + containers: + - name: nginx + image: nginx + securityContext: + procMount: Unmasked #Default diff --git a/library/pod-security-policy/proc-mount/suite.yaml b/library/pod-security-policy/proc-mount/suite.yaml index 26dd5eb0a..501493e14 100644 --- a/library/pod-security-policy/proc-mount/suite.yaml +++ b/library/pod-security-policy/proc-mount/suite.yaml @@ -19,3 +19,7 @@ tests: object: samples/psp-proc-mount/disallowed_ephemeral.yaml assertions: - violations: yes + - name: update + object: samples/psp-proc-mount/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/update.yaml b/library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/update.yaml new file mode 100644 index 000000000..b31ae5e3a --- /dev/null +++ b/library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/update.yaml 
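Review bot: The new `update` case asserts no violation for any UPDATE, yet the `disallowed_ephemeral.yaml` case two lines above expects the same policy to flag a privileged ephemeral container, and in a live cluster those two cannot both hold. The Pod API field documentation states that `spec.ephemeralContainers` cannot be set when creating a Pod and is only added through the `pods/ephemeralcontainers` subresource, which reaches admission as an UPDATE, so once UPDATE is exempt a `kubectl debug --privileged` style request is never evaluated and the ephemeral sample is only ever tested on a CREATE the API server would reject. I would narrow the exemption in `src.rego` (outside this hunk) so an update whose `input.review.subResource` is `ephemeralcontainers`, or whose `ephemeralContainers` list differs from `oldObject`, is still evaluated, and pin that here with `- name: update-ephemeral-container`, `object: samples/psp-privileged-container/update_ephemeral.yaml`, `assertions: - violations: yes`, backed by a fixture carrying `operation: UPDATE`, `subResource: ephemeralcontainers` and a `privileged: true` entry under `ephemeralContainers`. The same applies to every other constraint in this commit whose suite has a `disallowed_ephemeral.yaml` sample (capabilities, host-filesystem, host-network-ports, proc-mount, read-only-root-filesystem, selinux, users, allow-privilege-escalation).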
@@ -0,0 +1,17 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-readonlyrootfilesystem-disallowed + labels: + app: nginx-readonlyrootfilesystem + spec: + containers: + - name: nginx + image: nginx + securityContext: + readOnlyRootFilesystem: false diff --git a/library/pod-security-policy/read-only-root-filesystem/suite.yaml b/library/pod-security-policy/read-only-root-filesystem/suite.yaml index 4df3de82f..db736886f 100644 --- a/library/pod-security-policy/read-only-root-filesystem/suite.yaml +++ b/library/pod-security-policy/read-only-root-filesystem/suite.yaml @@ -19,3 +19,7 @@ tests: object: samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml assertions: - violations: yes + - name: update + object: samples/psp-readonlyrootfilesystem/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/selinux/samples/psp-selinux-v2/update.yaml b/library/pod-security-policy/selinux/samples/psp-selinux-v2/update.yaml new file mode 100644 index 000000000..581419e9d --- /dev/null +++ b/library/pod-security-policy/selinux/samples/psp-selinux-v2/update.yaml @@ -0,0 +1,21 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-selinux-disallowed + labels: + app: nginx-selinux + spec: + containers: + - name: nginx + image: nginx + securityContext: + seLinuxOptions: + level: s1:c234,c567 + user: sysadm_u + role: sysadm_r + type: svirt_lxc_net_t diff --git a/library/pod-security-policy/selinux/suite.yaml b/library/pod-security-policy/selinux/suite.yaml index f35a2f6a7..1bbaf360e 100644 --- a/library/pod-security-policy/selinux/suite.yaml +++ b/library/pod-security-policy/selinux/suite.yaml 
@@ -19,3 +19,7 @@ tests: object: samples/psp-selinux-v2/disallowed_ephemeral.yaml assertions: - violations: yes + - name: update + object: samples/psp-selinux-v2/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/users/samples/psp-pods-allowed-user-ranges/update.yaml b/library/pod-security-policy/users/samples/psp-pods-allowed-user-ranges/update.yaml new file mode 100644 index 000000000..6f4d3ed72 --- /dev/null +++ b/library/pod-security-policy/users/samples/psp-pods-allowed-user-ranges/update.yaml @@ -0,0 +1,22 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-users-disallowed + labels: + app: nginx-users + spec: + securityContext: + supplementalGroups: + - 250 + fsGroup: 250 + containers: + - name: nginx + image: nginx + securityContext: + runAsUser: 250 + runAsGroup: 250 diff --git a/library/pod-security-policy/users/suite.yaml b/library/pod-security-policy/users/suite.yaml index 20528f68c..5c6e49640 100644 --- a/library/pod-security-policy/users/suite.yaml +++ b/library/pod-security-policy/users/suite.yaml @@ -19,3 +19,7 @@ tests: object: samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml assertions: - violations: yes + - name: update + object: samples/psp-pods-allowed-user-ranges/update.yaml + assertions: + - violations: no diff --git a/library/pod-security-policy/volumes/samples/psp-volume-types/update.yaml b/library/pod-security-policy/volumes/samples/psp-volume-types/update.yaml new file mode 100644 index 000000000..f25f07267 --- /dev/null +++ b/library/pod-security-policy/volumes/samples/psp-volume-types/update.yaml 
@@ -0,0 +1,29 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-volume-types-disallowed + labels: + app: nginx-volume-types + spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /cache + name: cache-volume + - name: nginx2 + image: nginx + volumeMounts: + - mountPath: /cache2 + name: demo-vol + volumes: + - name: cache-volume + hostPath: + path: /tmp # directory location on host + - name: demo-vol + emptyDir: {} diff --git a/library/pod-security-policy/volumes/suite.yaml b/library/pod-security-policy/volumes/suite.yaml index b8f91b5a4..083aad6eb 100644 --- a/library/pod-security-policy/volumes/suite.yaml +++ b/library/pod-security-policy/volumes/suite.yaml @@ -15,3 +15,7 @@ tests: object: samples/psp-volume-types/example_allowed.yaml assertions: - violations: no + - name: update + object: samples/psp-volume-types/update.yaml + assertions: + - violations: no From b2401a193fc3d9fee11fff34b797b719f02d5d83 Mon Sep 17 00:00:00 2001 From: Hidehito Yabuuchi Date: Wed, 2 Aug 2023 18:57:24 +0900 Subject: [PATCH 08/11] make generate-all 
Signed-off-by: Hidehito Yabuuchi --- .../update.yaml | 16 ++++++ .../1.0.1/suite.yaml | 4 ++ .../update.yaml | 24 +++++++++ .../ephemeralstoragelimit/1.0.1/suite.yaml | 4 ++ .../samples/must-have-probes/update.yaml | 35 +++++++++++++ .../general/requiredprobes/1.0.1/suite.yaml | 4 ++ .../update.yaml | 17 +++++++ .../1.0.1/suite.yaml | 4 ++ .../samples/capabilities-demo/update.yaml | 26 ++++++++++ .../capabilities/1.0.1/suite.yaml | 4 ++ .../psp-flexvolume-drivers/update.yaml | 23 +++++++++ .../flexvolume-drivers/1.0.1/suite.yaml | 4 ++ .../samples/psp-forbidden-sysctls/update.yaml | 21 ++++++++ .../forbidden-sysctls/1.1.2/suite.yaml | 4 ++ .../1.0.1/samples/psp-fsgroup/update.yaml | 22 +++++++++ .../fsgroup/1.0.1/suite.yaml | 4 ++ .../samples/psp-host-filesystem/update.yaml | 23 +++++++++ .../host-filesystem/1.0.1/suite.yaml | 4 ++ .../samples/psp-host-namespace/update.yaml | 17 +++++++ .../host-namespaces/1.0.1/suite.yaml | 4 ++ .../psp-host-network-ports/update.yaml | 19 +++++++ .../host-network-ports/1.0.1/suite.yaml | 4 ++ .../psp-privileged-container/update.yaml | 17 +++++++ .../privileged-containers/1.0.1/suite.yaml | 4 ++ .../1.0.2/samples/psp-proc-mount/update.yaml | 17 +++++++ .../proc-mount/1.0.2/suite.yaml | 4 ++ .../psp-readonlyrootfilesystem/update.yaml | 17 +++++++ .../1.0.1/suite.yaml | 4 ++ .../1.0.1/samples/psp-selinux-v2/update.yaml | 21 ++++++++ .../selinux/1.0.1/suite.yaml | 4 ++ .../psp-pods-allowed-user-ranges/update.yaml | 22 +++++++++ .../users/1.0.1/suite.yaml | 4 ++ .../samples/psp-volume-types/update.yaml | 29 +++++++++++ .../volumes/1.0.1/suite.yaml | 4 ++ .../validation/allow-privilege-escalation.md | 31 ++++++++++++ .../automount-serviceaccount-token.md | 30 ++++++++++++ website/docs/validation/capabilities.md | 40 +++++++++++++++ .../docs/validation/ephemeralstoragelimit.md | 38 ++++++++++++++ website/docs/validation/flexvolume-drivers.md | 37 ++++++++++++++ website/docs/validation/forbidden-sysctls.md | 35 +++++++++++++ 
website/docs/validation/fsgroup.md | 36 ++++++++++++++ website/docs/validation/host-filesystem.md | 37 ++++++++++++++ website/docs/validation/host-namespaces.md | 31 ++++++++++++ website/docs/validation/host-network-ports.md | 33 +++++++++++++ .../docs/validation/privileged-containers.md | 31 ++++++++++++ website/docs/validation/proc-mount.md | 31 ++++++++++++ .../validation/read-only-root-filesystem.md | 31 ++++++++++++ website/docs/validation/requiredprobes.md | 49 +++++++++++++++++++ website/docs/validation/selinux.md | 35 +++++++++++++ website/docs/validation/users.md | 36 ++++++++++++++ website/docs/validation/volumes.md | 43 ++++++++++++++++ 51 files changed, 1038 insertions(+) create mode 100644 artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/update.yaml create mode 100644 artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/update.yaml create mode 100644 artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/update.yaml create mode 100644 artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/update.yaml create mode 100644 artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/update.yaml create mode 100644 artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/update.yaml create mode 100644 artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/update.yaml create mode 100644 artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/update.yaml create mode 100644 artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/update.yaml create mode 100644 artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/update.yaml create mode 100644 
artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/update.yaml create mode 100644 artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/update.yaml create mode 100644 artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/update.yaml create mode 100644 artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/update.yaml create mode 100644 artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/update.yaml create mode 100644 artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/update.yaml create mode 100644 artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/update.yaml diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/update.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/update.yaml new file mode 100644 index 000000000..0e9030f27 --- /dev/null +++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/update.yaml @@ -0,0 +1,16 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-automountserviceaccounttoken-update + labels: + app: nginx-automountserviceaccounttoken + spec: + automountServiceAccountToken: true + containers: + - name: nginx + image: nginx diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/suite.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/suite.yaml index 2cbc9064f..cf257d08f 100644 --- a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/suite.yaml +++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/suite.yaml 
@@ -15,3 +15,7 @@ tests:
 object: samples/automount-serviceaccount-token/example_disallowed.yaml
 assertions:
 - violations: yes
+ - name: update
+ object: samples/automount-serviceaccount-token/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/update.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/update.yaml
new file mode 100644
index 000000000..c0ff27893
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/update.yaml
@@ -0,0 +1,24 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: opa-allowed
+ labels:
+ owner: me.agilebank.demo
+ spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "1Gi"
+ ephemeral-storage: "1Pi"
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/suite.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/suite.yaml
index f76b15f06..3d58b3dab 100644
--- a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/suite.yaml
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/suite.yaml
@@ -27,3 +27,7 @@ tests:
 object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml
 assertions:
 - violations: yes
+ - name: ephemeral-storage-limit-update
+ object: samples/container-must-have-ephemeral-storage-limit/update.yaml
+ assertions:
+ - violations: no
\ No newline at end of file
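Review bot: The new `update` test case only exercises `operation: "UPDATE"`, while the exclusion this series introduces covers both UPDATE and PATCH, so the PATCH path gets no end-to-end coverage in any suite. A sibling sample with `operation: "PATCH"` plus a second entry, `- name: patch` / `object: samples/automount-serviceaccount-token/patch.yaml` / `assertions: - violations: no`, would pin that behaviour at the constraint level instead of only in the Rego unit test. The same gap exists in every other suite.yaml hunk in this series. Two of those suite files (ephemeralstoragelimit, capabilities) are also left without a trailing newline.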
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/update.yaml b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/update.yaml
new file mode 100644
index 000000000..ff5e91103
--- /dev/null
+++ b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/update.yaml
@@ -0,0 +1,35 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: test-pod1
+ spec:
+ containers:
+ - name: nginx-1
+ image: nginx:1.7.9
+ ports:
+ - containerPort: 80
+ livenessProbe:
+ # tcpSocket:
+ # port: 80
+ # initialDelaySeconds: 5
+ # periodSeconds: 10
+ volumeMounts:
+ - mountPath: /tmp/cache
+ name: cache-volume
+ - name: tomcat
+ image: tomcat
+ ports:
+ - containerPort: 8080
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/suite.yaml b/artifacthub/library/general/requiredprobes/1.0.1/suite.yaml
index 8e8629a92..86c2a229e 100644
--- a/artifacthub/library/general/requiredprobes/1.0.1/suite.yaml
+++ b/artifacthub/library/general/requiredprobes/1.0.1/suite.yaml
@@ -19,3 +19,7 @@ tests:
 object: samples/must-have-probes/example_disallowed2.yaml
 assertions:
 - violations: yes
+ - name: update
+ object: samples/must-have-probes/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/update.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/update.yaml
new file mode 100644
index 000000000..a79d40a1b
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-privilege-escalation-disallowed
+ labels:
+ app: nginx-privilege-escalation
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ allowPrivilegeEscalation: true
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/suite.yaml
index 0c65f18f7..cd7531cfa 100644
--- a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/suite.yaml
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/suite.yaml
@@ -19,3 +19,7 @@ tests:
 object: samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml
 assertions:
 - violations: yes
+ - name: update
+ object: samples/psp-allow-privilege-escalation-container/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/update.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/update.yaml
new file mode 100644
index 000000000..df8ea0070
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/update.yaml
@@ -0,0 +1,26 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: opa-disallowed
+ labels:
+ owner: me.agilebank.demo
+ spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ securityContext:
+ capabilities:
+ add: ["disallowedcapability"]
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "30Mi"
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/suite.yaml
index 8f7386e1c..29a207c25 100644
--- a/artifacthub/library/pod-security-policy/capabilities/1.0.1/suite.yaml
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/suite.yaml
@@ -19,3 +19,7 @@ tests:
 object: samples/capabilities-demo/disallowed_ephemeral.yaml
 assertions:
 - violations: yes
+ - name: update
+ object: samples/capabilities-demo/update.yaml
+ assertions:
+ - violations: no
\ No newline at end of file
diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/update.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/update.yaml
new file mode 100644
index 000000000..9358c6c5c
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/update.yaml
@@ -0,0 +1,23 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-flexvolume-driver-disallowed
+ labels:
+ app: nginx-flexvolume-driver
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /test
+ name: test-volume
+ readOnly: true
+ volumes:
+ - name: test-volume
+ flexVolume:
+ driver: "example/testdriver" #"example/lvm"
diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/suite.yaml
index 1f4a4ef75..fe69966bd 100644
--- a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/suite.yaml
+++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/suite.yaml
@@ -15,3 +15,7 @@ tests:
 object: samples/psp-flexvolume-drivers/example_disallowed.yaml
 assertions:
 - violations: yes
+ - name: update
+ object: samples/psp-flexvolume-drivers/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/update.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/update.yaml
new file mode 100644
index 000000000..e4e732be9
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/update.yaml
@@ -0,0 +1,21 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-forbidden-sysctls-disallowed
+ labels:
+ app: nginx-forbidden-sysctls
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ sysctls:
+ - name: kernel.msgmax
+ value: "65536"
+ - name: net.core.somaxconn
+ value: "1024"
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/suite.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/suite.yaml
index bcc4caaae..d00f85b8b 100644
--- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/suite.yaml
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/suite.yaml
@@ -15,3 +15,7 @@ tests:
 object: samples/psp-forbidden-sysctls/example_allowed.yaml
 assertions:
 - violations: no
+ - name: update
+ object: samples/psp-forbidden-sysctls/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/update.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/update.yaml
new file mode 100644
index 000000000..c0de7258a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/update.yaml
@@ -0,0 +1,22 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: fsgroup-disallowed
+ spec:
+ securityContext:
+ fsGroup: 2000 # directory will have group ID 2000
+ volumes:
+ - name: fsgroup-demo-vol
+ emptyDir: {}
+ containers:
+ - name: fsgroup-demo
+ image: busybox
+ command: [ "sh", "-c", "sleep 1h" ]
+ volumeMounts:
+ - name: fsgroup-demo-vol
+ mountPath: /data/demo
diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/suite.yaml
index f24cb6a35..cb102e785 100644
--- a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/suite.yaml
+++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/suite.yaml
@@ -15,3 +15,7 @@ tests:
 object: samples/psp-fsgroup/example_allowed.yaml
 assertions:
 - violations: no
+ - name: update
+ object: samples/psp-fsgroup/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/update.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/update.yaml
new file mode 100644
index 000000000..68b28a536
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/update.yaml
@@ -0,0 +1,23 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-host-filesystem
+ labels:
+ app: nginx-host-filesystem-disallowed
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ readOnly: true
+ volumes:
+ - name: cache-volume
+ hostPath:
+ path: /tmp # directory location on host
diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/suite.yaml
index ec28e4ffc..5441df8cc 100644
--- a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/suite.yaml
+++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/suite.yaml
@@ -19,3 +19,7 @@ tests:
 object: samples/psp-host-filesystem/disallowed_ephemeral.yaml
 assertions:
 - violations: yes
+ - name: update
+ object: samples/psp-host-filesystem/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/update.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/update.yaml
new file mode 100644
index 000000000..29e17f13a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-host-namespace-disallowed
+ labels:
+ app: nginx-host-namespace
+ spec:
+ hostPID: true
+ hostIPC: true
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/suite.yaml
index d274351ff..b8e853d5f 100644
--- a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/suite.yaml
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/suite.yaml
@@ -15,3 +15,7 @@ tests:
 object: samples/psp-host-namespace/example_disallowed.yaml
 assertions:
 - violations: yes
+ - name: update
+ object: samples/psp-host-namespace/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/update.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/update.yaml
new file mode 100644
index 000000000..231096430
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/update.yaml
@@ -0,0 +1,19 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-host-networking-ports-disallowed
+ labels:
+ app: nginx-host-networking-ports
+ spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/suite.yaml
index 86593fc9d..710df69eb 100644
--- a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/suite.yaml
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/suite.yaml
@@ -19,3 +19,7 @@ tests:
 object: samples/psp-host-network-ports/disallowed_ephemeral.yaml
 assertions:
 - violations: yes
+ - name: update
+ object: samples/psp-host-network-ports/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/update.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/update.yaml
new file mode 100644
index 000000000..08f36044c
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-privileged-disallowed
+ labels:
+ app: nginx-privileged
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: true
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/suite.yaml
index 593f96015..c2e484fc5 100644
--- a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/suite.yaml
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/suite.yaml
@@ -19,3 +19,7 @@ tests:
 object: samples/psp-privileged-container/disallowed_ephemeral.yaml
 assertions:
 - violations: yes
+ - name: update
+ object: samples/psp-privileged-container/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/update.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/update.yaml
new file mode 100644
index 000000000..dc21b1142
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-proc-mount-disallowed
+ labels:
+ app: nginx-proc-mount
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ procMount: Unmasked #Default
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/suite.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/suite.yaml
index 26dd5eb0a..501493e14 100644
--- a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/suite.yaml
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/suite.yaml
@@ -19,3 +19,7 @@ tests:
 object: samples/psp-proc-mount/disallowed_ephemeral.yaml
 assertions:
 - violations: yes
+ - name: update
+ object: samples/psp-proc-mount/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/update.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/update.yaml
new file mode 100644
index 000000000..b31ae5e3a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-readonlyrootfilesystem-disallowed
+ labels:
+ app: nginx-readonlyrootfilesystem
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ readOnlyRootFilesystem: false
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/suite.yaml
index 4df3de82f..db736886f 100644
--- a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/suite.yaml
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/suite.yaml
@@ -19,3 +19,7 @@ tests:
 object: samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml
 assertions:
 - violations: yes
+ - name: update
+ object: samples/psp-readonlyrootfilesystem/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/update.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/update.yaml
new file mode 100644
index 000000000..581419e9d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/update.yaml
@@ -0,0 +1,21 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-selinux-disallowed
+ labels:
+ app: nginx-selinux
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ seLinuxOptions:
+ level: s1:c234,c567
+ user: sysadm_u
+ role: sysadm_r
+ type: svirt_lxc_net_t
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/suite.yaml
index f35a2f6a7..1bbaf360e 100644
--- a/artifacthub/library/pod-security-policy/selinux/1.0.1/suite.yaml
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/suite.yaml
@@ -19,3 +19,7 @@ tests:
 object: samples/psp-selinux-v2/disallowed_ephemeral.yaml
 assertions:
 - violations: yes
+ - name: update
+ object: samples/psp-selinux-v2/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/update.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/update.yaml
new file mode 100644
index 000000000..6f4d3ed72
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/update.yaml
@@ -0,0 +1,22 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-users-disallowed
+ labels:
+ app: nginx-users
+ spec:
+ securityContext:
+ supplementalGroups:
+ - 250
+ fsGroup: 250
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ runAsUser: 250
+ runAsGroup: 250
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/suite.yaml
index 20528f68c..5c6e49640 100644
--- a/artifacthub/library/pod-security-policy/users/1.0.1/suite.yaml
+++ b/artifacthub/library/pod-security-policy/users/1.0.1/suite.yaml
@@ -19,3 +19,7 @@ tests:
 object: samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml
 assertions:
 - violations: yes
+ - name: update
+ object: samples/psp-pods-allowed-user-ranges/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/update.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/update.yaml
new file mode 100644
index 000000000..f25f07267
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/update.yaml
@@ -0,0 +1,29 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-volume-types-disallowed
+ labels:
+ app: nginx-volume-types
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ - name: nginx2
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache2
+ name: demo-vol
+ volumes:
+ - name: cache-volume
+ hostPath:
+ path: /tmp # directory location on host
+ - name: demo-vol
+ emptyDir: {}
diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/suite.yaml
index b8f91b5a4..083aad6eb 100644
--- a/artifacthub/library/pod-security-policy/volumes/1.0.1/suite.yaml
+++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/suite.yaml
@@ -15,3 +15,7 @@ tests:
 object: samples/psp-volume-types/example_allowed.yaml
 assertions:
 - violations: no
+ - name: update
+ object: samples/psp-volume-types/update.yaml
+ assertions:
+ - violations: no
diff --git a/website/docs/validation/allow-privilege-escalation.md b/website/docs/validation/allow-privilege-escalation.md
index af8af6ec1..c98f6b0bd 100644
--- a/website/docs/validation/allow-privilege-escalation.md
+++ b/website/docs/validation/allow-privilege-escalation.md @@ -224,6 +224,37 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml ``` + +
+update + +```yaml +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-privilege-escalation-disallowed + labels: + app: nginx-privilege-escalation + spec: + containers: + - name: nginx + image: nginx + securityContext: + allowPrivilegeEscalation: true + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/update.yaml +``` +
diff --git a/website/docs/validation/automount-serviceaccount-token.md b/website/docs/validation/automount-serviceaccount-token.md index a6f4ee7a0..bf2073101 100644 --- a/website/docs/validation/automount-serviceaccount-token.md +++ b/website/docs/validation/automount-serviceaccount-token.md @@ -163,6 +163,36 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/automount-serviceaccount-token/samples/automount-serviceaccount-token/example_disallowed.yaml ``` + +
+update + +```yaml +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-automountserviceaccounttoken-update + labels: + app: nginx-automountserviceaccounttoken + spec: + automountServiceAccountToken: true + containers: + - name: nginx + image: nginx + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/automount-serviceaccount-token/samples/automount-serviceaccount-token/update.yaml +``` +
diff --git a/website/docs/validation/capabilities.md b/website/docs/validation/capabilities.md index 01801b3ab..5d0d6d6dc 100644 --- a/website/docs/validation/capabilities.md +++ b/website/docs/validation/capabilities.md @@ -319,6 +319,46 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/capabilities/samples/capabilities-demo/disallowed_ephemeral.yaml ``` + +
+update + +```yaml +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: opa-disallowed + labels: + owner: me.agilebank.demo + spec: + containers: + - name: opa + image: openpolicyagent/opa:0.9.2 + args: + - "run" + - "--server" + - "--addr=localhost:8080" + securityContext: + capabilities: + add: ["disallowedcapability"] + resources: + limits: + cpu: "100m" + memory: "30Mi" + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/capabilities/samples/capabilities-demo/update.yaml +``` +
diff --git a/website/docs/validation/ephemeralstoragelimit.md b/website/docs/validation/ephemeralstoragelimit.md index 45df756d2..f19bcbe70 100644 --- a/website/docs/validation/ephemeralstoragelimit.md +++ b/website/docs/validation/ephemeralstoragelimit.md @@ -473,6 +473,44 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/ephemeralstoragelimit/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml ``` + +
+ephemeral-storage-limit-update + +```yaml +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: opa-allowed + labels: + owner: me.agilebank.demo + spec: + containers: + - name: opa + image: openpolicyagent/opa:0.9.2 + args: + - "run" + - "--server" + - "--addr=localhost:8080" + resources: + limits: + cpu: "100m" + memory: "1Gi" + ephemeral-storage: "1Pi" + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/ephemeralstoragelimit/samples/container-must-have-ephemeral-storage-limit/update.yaml +``` +
diff --git a/website/docs/validation/flexvolume-drivers.md b/website/docs/validation/flexvolume-drivers.md index bb76d7804..3e6370c3a 100644 --- a/website/docs/validation/flexvolume-drivers.md +++ b/website/docs/validation/flexvolume-drivers.md @@ -186,6 +186,43 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/example_disallowed.yaml ``` + +
+update + +```yaml +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-flexvolume-driver-disallowed + labels: + app: nginx-flexvolume-driver + spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /test + name: test-volume + readOnly: true + volumes: + - name: test-volume + flexVolume: + driver: "example/testdriver" #"example/lvm" + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/update.yaml +``` +
diff --git a/website/docs/validation/forbidden-sysctls.md b/website/docs/validation/forbidden-sysctls.md index 9dadbd2f7..3a6f0b2fc 100644 --- a/website/docs/validation/forbidden-sysctls.md +++ b/website/docs/validation/forbidden-sysctls.md @@ -210,6 +210,41 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/example_allowed.yaml ``` + +
+update + +```yaml +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-forbidden-sysctls-disallowed + labels: + app: nginx-forbidden-sysctls + spec: + containers: + - name: nginx + image: nginx + securityContext: + sysctls: + - name: kernel.msgmax + value: "65536" + - name: net.core.somaxconn + value: "1024" + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/update.yaml +``` +
diff --git a/website/docs/validation/fsgroup.md b/website/docs/validation/fsgroup.md index ade0a222e..3596757cd 100644 --- a/website/docs/validation/fsgroup.md +++ b/website/docs/validation/fsgroup.md @@ -218,6 +218,42 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/fsgroup/samples/psp-fsgroup/example_allowed.yaml ``` + +
+update + +```yaml +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: fsgroup-disallowed + spec: + securityContext: + fsGroup: 2000 # directory will have group ID 2000 + volumes: + - name: fsgroup-demo-vol + emptyDir: {} + containers: + - name: fsgroup-demo + image: busybox + command: [ "sh", "-c", "sleep 1h" ] + volumeMounts: + - name: fsgroup-demo-vol + mountPath: /data/demo + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/fsgroup/samples/psp-fsgroup/update.yaml +``` +
diff --git a/website/docs/validation/host-filesystem.md b/website/docs/validation/host-filesystem.md index 302348b3c..a2b9ed0a1 100644 --- a/website/docs/validation/host-filesystem.md +++ b/website/docs/validation/host-filesystem.md @@ -294,6 +294,43 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-filesystem/samples/psp-host-filesystem/disallowed_ephemeral.yaml ``` + +
+update + +```yaml +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-host-filesystem + labels: + app: nginx-host-filesystem-disallowed + spec: + containers: + - name: nginx + image: nginx + volumeMounts: + - mountPath: /cache + name: cache-volume + readOnly: true + volumes: + - name: cache-volume + hostPath: + path: /tmp # directory location on host + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-filesystem/samples/psp-host-filesystem/update.yaml +``` +
diff --git a/website/docs/validation/host-namespaces.md b/website/docs/validation/host-namespaces.md index f371b5c7d..43f0eeaa5 100644 --- a/website/docs/validation/host-namespaces.md +++ b/website/docs/validation/host-namespaces.md @@ -152,6 +152,37 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-namespaces/samples/psp-host-namespace/example_disallowed.yaml ``` + +
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-host-namespace-disallowed
+ labels:
+ app: nginx-host-namespace
+ spec:
+ hostPID: true
+ hostIPC: true
+ containers:
+ - name: nginx
+ image: nginx
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-namespaces/samples/psp-host-namespace/update.yaml
+```
+
diff --git a/website/docs/validation/host-network-ports.md b/website/docs/validation/host-network-ports.md
index 57fe4cff6..4efbbb48f 100644
--- a/website/docs/validation/host-network-ports.md
+++ b/website/docs/validation/host-network-ports.md
@@ -252,6 +252,39 @@ Usage
 kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/disallowed_ephemeral.yaml
 ```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-host-networking-ports-disallowed
+ labels:
+ app: nginx-host-networking-ports
+ spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/update.yaml
+```
+
diff --git a/website/docs/validation/privileged-containers.md b/website/docs/validation/privileged-containers.md
index d5cb794e2..2fb244298 100644
--- a/website/docs/validation/privileged-containers.md
+++ b/website/docs/validation/privileged-containers.md
@@ -217,6 +217,37 @@ Usage
 kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/disallowed_ephemeral.yaml
 ```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-privileged-disallowed
+ labels:
+ app: nginx-privileged
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: true
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/update.yaml
+```
+
diff --git a/website/docs/validation/proc-mount.md b/website/docs/validation/proc-mount.md
index ca171545a..00b1373b3 100644
--- a/website/docs/validation/proc-mount.md
+++ b/website/docs/validation/proc-mount.md
@@ -264,6 +264,37 @@ Usage
 kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/proc-mount/samples/psp-proc-mount/disallowed_ephemeral.yaml
 ```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-proc-mount-disallowed
+ labels:
+ app: nginx-proc-mount
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ procMount: Unmasked #Default
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/proc-mount/samples/psp-proc-mount/update.yaml
+```
+
diff --git a/website/docs/validation/read-only-root-filesystem.md b/website/docs/validation/read-only-root-filesystem.md
index cab4d1937..fe37dd4f4 100644
--- a/website/docs/validation/read-only-root-filesystem.md
+++ b/website/docs/validation/read-only-root-filesystem.md
@@ -227,6 +227,37 @@ Usage
 kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml
 ```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-readonlyrootfilesystem-disallowed
+ labels:
+ app: nginx-readonlyrootfilesystem
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ readOnlyRootFilesystem: false
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/update.yaml
+```
+
diff --git a/website/docs/validation/requiredprobes.md b/website/docs/validation/requiredprobes.md
index 1bfa61b28..6b0852b43 100644
--- a/website/docs/validation/requiredprobes.md
+++ b/website/docs/validation/requiredprobes.md
@@ -257,6 +257,55 @@ Usage
 kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/requiredprobes/samples/must-have-probes/example_disallowed2.yaml
 ```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: test-pod1
+ spec:
+ containers:
+ - name: nginx-1
+ image: nginx:1.7.9
+ ports:
+ - containerPort: 80
+ livenessProbe:
+ # tcpSocket:
+ # port: 80
+ # initialDelaySeconds: 5
+ # periodSeconds: 10
+ volumeMounts:
+ - mountPath: /tmp/cache
+ name: cache-volume
+ - name: tomcat
+ image: tomcat
+ ports:
+ - containerPort: 8080
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/requiredprobes/samples/must-have-probes/update.yaml
+```
+
diff --git a/website/docs/validation/selinux.md b/website/docs/validation/selinux.md
index 080e4a7d5..6aba45ae6 100644
--- a/website/docs/validation/selinux.md
+++ b/website/docs/validation/selinux.md
@@ -286,6 +286,41 @@ Usage
 kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/selinux/samples/psp-selinux-v2/disallowed_ephemeral.yaml
 ```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-selinux-disallowed
+ labels:
+ app: nginx-selinux
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ seLinuxOptions:
+ level: s1:c234,c567
+ user: sysadm_u
+ role: sysadm_r
+ type: svirt_lxc_net_t
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/selinux/samples/psp-selinux-v2/update.yaml
+```
+
diff --git a/website/docs/validation/users.md b/website/docs/validation/users.md
index 49449e200..cd9d3a4ae 100644
--- a/website/docs/validation/users.md
+++ b/website/docs/validation/users.md
@@ -452,6 +452,42 @@ Usage
 kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/users/samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml
 ```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-users-disallowed
+ labels:
+ app: nginx-users
+ spec:
+ securityContext:
+ supplementalGroups:
+ - 250
+ fsGroup: 250
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ runAsUser: 250
+ runAsGroup: 250
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/users/samples/psp-pods-allowed-user-ranges/update.yaml
+```
+
diff --git a/website/docs/validation/volumes.md b/website/docs/validation/volumes.md
index 62de98cb8..d9d41be30 100644
--- a/website/docs/validation/volumes.md
+++ b/website/docs/validation/volumes.md
@@ -196,6 +196,49 @@ Usage
 kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/volumes/samples/psp-volume-types/example_allowed.yaml
 ```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-volume-types-disallowed
+ labels:
+ app: nginx-volume-types
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ - name: nginx2
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache2
+ name: demo-vol
+ volumes:
+ - name: cache-volume
+ hostPath:
+ path: /tmp # directory location on host
+ - name: demo-vol
+ emptyDir: {}
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/volumes/samples/psp-volume-types/update.yaml
+```
+
From 38fb83489c0b3c38691d243cea914361c5614b67 Mon Sep 17 00:00:00 2001 From: Hidehito Yabuuchi Date: Wed, 13 Sep 2023 11:16:49 +0900 Subject: [PATCH 09/11] Remove unnecessary future.keywords.in import 
Signed-off-by: Hidehito Yabuuchi --- .../automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml | 2 +- .../general/automount-serviceaccount-token/1.0.1/template.yaml | 2 -- .../general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml | 2 +- .../library/general/ephemeralstoragelimit/1.0.1/template.yaml | 2 -- .../library/general/requiredprobes/1.0.1/artifacthub-pkg.yml | 2 +- artifacthub/library/general/requiredprobes/1.0.1/template.yaml | 2 -- .../allow-privilege-escalation/1.0.1/artifacthub-pkg.yml | 2 +- .../allow-privilege-escalation/1.0.1/template.yaml | 2 -- .../pod-security-policy/capabilities/1.0.1/artifacthub-pkg.yml | 2 +- .../pod-security-policy/capabilities/1.0.1/template.yaml | 2 -- .../flexvolume-drivers/1.0.1/artifacthub-pkg.yml | 2 +- .../pod-security-policy/flexvolume-drivers/1.0.1/template.yaml | 2 -- .../forbidden-sysctls/1.1.2/artifacthub-pkg.yml | 2 +- .../pod-security-policy/forbidden-sysctls/1.1.2/template.yaml | 2 -- .../pod-security-policy/fsgroup/1.0.1/artifacthub-pkg.yml | 2 +- .../library/pod-security-policy/fsgroup/1.0.1/template.yaml | 2 -- .../host-filesystem/1.0.1/artifacthub-pkg.yml | 2 +- .../pod-security-policy/host-filesystem/1.0.1/template.yaml | 2 -- .../host-namespaces/1.0.1/artifacthub-pkg.yml | 2 +- .../pod-security-policy/host-namespaces/1.0.1/template.yaml | 2 -- .../host-network-ports/1.0.1/artifacthub-pkg.yml | 2 +- .../pod-security-policy/host-network-ports/1.0.1/template.yaml | 2 -- .../privileged-containers/1.0.1/artifacthub-pkg.yml | 2 +- .../privileged-containers/1.0.1/template.yaml | 2 -- .../pod-security-policy/proc-mount/1.0.2/artifacthub-pkg.yml | 2 +- .../library/pod-security-policy/proc-mount/1.0.2/template.yaml | 2 -- .../read-only-root-filesystem/1.0.1/artifacthub-pkg.yml | 2 +- .../read-only-root-filesystem/1.0.1/template.yaml | 2 -- .../pod-security-policy/selinux/1.0.1/artifacthub-pkg.yml | 2 +- .../library/pod-security-policy/selinux/1.0.1/template.yaml | 2 -- 
.../library/pod-security-policy/users/1.0.1/artifacthub-pkg.yml | 2 +- .../library/pod-security-policy/users/1.0.1/template.yaml | 2 -- .../pod-security-policy/volumes/1.0.1/artifacthub-pkg.yml | 2 +- .../library/pod-security-policy/volumes/1.0.1/template.yaml | 2 -- library/general/automount-serviceaccount-token/template.yaml | 2 -- library/general/ephemeralstoragelimit/template.yaml | 2 -- library/general/requiredprobes/template.yaml | 2 -- .../allow-privilege-escalation/template.yaml | 2 -- library/pod-security-policy/capabilities/template.yaml | 2 -- library/pod-security-policy/flexvolume-drivers/template.yaml | 2 -- library/pod-security-policy/forbidden-sysctls/template.yaml | 2 -- library/pod-security-policy/fsgroup/template.yaml | 2 -- library/pod-security-policy/host-filesystem/template.yaml | 2 -- library/pod-security-policy/host-namespaces/template.yaml | 2 -- library/pod-security-policy/host-network-ports/template.yaml | 2 -- library/pod-security-policy/privileged-containers/template.yaml | 2 -- library/pod-security-policy/proc-mount/template.yaml | 2 -- .../pod-security-policy/read-only-root-filesystem/template.yaml | 2 -- library/pod-security-policy/selinux/template.yaml | 2 -- library/pod-security-policy/users/template.yaml | 2 -- library/pod-security-policy/volumes/template.yaml | 2 -- .../automount-serviceaccount-token/lib_exclude_update.rego | 2 -- src/general/ephemeralstoragelimit/lib_exclude_update.rego | 2 -- src/general/requiredprobes/lib_exclude_update.rego | 2 -- .../allow-privilege-escalation/lib_exclude_update.rego | 2 -- src/pod-security-policy/capabilities/lib_exclude_update.rego | 2 -- .../flexvolume-drivers/lib_exclude_update.rego | 2 -- .../forbidden-sysctls/lib_exclude_update.rego | 2 -- src/pod-security-policy/fsgroup/lib_exclude_update.rego | 2 -- src/pod-security-policy/host-filesystem/lib_exclude_update.rego | 2 -- src/pod-security-policy/host-namespaces/lib_exclude_update.rego | 2 -- .../host-network-ports/lib_exclude_update.rego 
| 2 -- .../privileged-containers/lib_exclude_update.rego | 2 -- src/pod-security-policy/proc-mount/lib_exclude_update.rego | 2 -- .../read-only-root-filesystem/lib_exclude_update.rego | 2 -- src/pod-security-policy/selinux/lib_exclude_update.rego | 2 -- src/pod-security-policy/users/lib_exclude_update.rego | 2 -- src/pod-security-policy/volumes/lib_exclude_update.rego | 2 -- src/rego/lib_exclude_update/lib_exclude_update.rego | 2 -- website/docs/validation/allow-privilege-escalation.md | 2 -- website/docs/validation/automount-serviceaccount-token.md | 2 -- website/docs/validation/capabilities.md | 2 -- website/docs/validation/ephemeralstoragelimit.md | 2 -- website/docs/validation/flexvolume-drivers.md | 2 -- website/docs/validation/forbidden-sysctls.md | 2 -- website/docs/validation/fsgroup.md | 2 -- website/docs/validation/host-filesystem.md | 2 -- website/docs/validation/host-namespaces.md | 2 -- website/docs/validation/host-network-ports.md | 2 -- website/docs/validation/privileged-containers.md | 2 -- website/docs/validation/proc-mount.md | 2 -- website/docs/validation/read-only-root-filesystem.md | 2 -- website/docs/validation/requiredprobes.md | 2 -- website/docs/validation/selinux.md | 2 -- website/docs/validation/users.md | 2 -- website/docs/validation/volumes.md | 2 -- 86 files changed, 17 insertions(+), 155 deletions(-)
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml
index 7f513076f..e0c4caf20 100644
--- a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspautomountserviceaccounttokenpod
 displayName: Automount Service Account Token for Pod
 createdAt: "2023-05-23T09:47:24Z"
 description: Controls the ability of any Pod to enable automountServiceAccountToken.
-digest: 1e55c4d9801d57049bfef336f7f76070c860e7e3fd5a824f971559e205cb7036
+digest: 8b62e4b2324e9e60a66008e6edcc327bcd2b531d3a905f10bf25a1671079ce6e
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/automount-serviceaccount-token
 keywords:
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml
index 1252c949e..82e69ff9c 100644
--- a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml
@@ -61,8 +61,6 @@ spec:
 - |
 package lib.exclude_update
 
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml
index 43425bd1c..d9b57afb0 100644
--- a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml
@@ -5,7 +5,7 @@ createdAt: "2023-05-23T09:47:27Z"
 description: |-
 Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values.
 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-digest: bf3a7954950e519148677ae4505ba8997e8cf94214e3fb38878e6ef6324a3f9d
+digest: 84077f1dbcdcab9a7c20710e82299995e44294fccdb1a5b9de63fb5a5032a6d8
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/ephemeralstoragelimit
 keywords:
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml
index 01e4b7a65..2f7bf1b2b 100644
--- a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml
@@ -207,8 +207,6 @@ spec:
 - |
 package lib.exclude_update
 
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/artifacthub-pkg.yml b/artifacthub/library/general/requiredprobes/1.0.1/artifacthub-pkg.yml
index 73baef9e9..e176a3b0d 100644
--- a/artifacthub/library/general/requiredprobes/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/general/requiredprobes/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8srequiredprobes
 displayName: Required Probes
 createdAt: "2023-05-23T09:47:30Z"
 description: Requires Pods to have readiness and/or liveness probes.
-digest: 55e7fd2c471e761e3530d0e7d2a4a7c0cbe63b957aa219a538c3e05dda6ae377
+digest: 217bec367754aadcce3929828825aca968030e4219045d659553a9cc0173d18d
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/requiredprobes
 keywords:
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/template.yaml b/artifacthub/library/general/requiredprobes/1.0.1/template.yaml
index f276dc0d4..4115a6d98 100644
--- a/artifacthub/library/general/requiredprobes/1.0.1/template.yaml
+++ b/artifacthub/library/general/requiredprobes/1.0.1/template.yaml
@@ -67,8 +67,6 @@ spec:
 - |
 package lib.exclude_update
 
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/artifacthub-pkg.yml
index 7e3bc5480..c9378d2b9 100644
--- a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspallowprivilegeescalationcontainer
 displayName: Allow Privilege Escalation in Container
 createdAt: "2023-05-23T09:47:31Z"
 description: Controls restricting escalation to root privileges. Corresponds to the `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
-digest: 975b84d1cde80ad5b55bdfdef77116d8d0d07553d6b9011bb27481bc5fd9c467
+digest: a3c63022c554318dcc9589828a7b135c80740772375b071dfc0625fdaea91f66
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/allow-privilege-escalation
 keywords:
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml
index 2c4071bd5..a7f4694a2 100644
--- a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml
@@ -75,8 +75,6 @@ spec:
 - |
 package lib.exclude_update
 
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/artifacthub-pkg.yml
index 83d21d195..0ffac5139 100644
--- a/artifacthub/library/pod-security-policy/capabilities/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspcapabilities
 displayName: Capabilities
 createdAt: "2023-05-23T09:47:31Z"
 description: Controls Linux capabilities on containers. Corresponds to the `allowedCapabilities` and `requiredDropCapabilities` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
-digest: bf2cc3c37313d3ecd5b7f422475911b4f40fb3235f1812640ea44c99b00b0b43
+digest: 140a62f0c286b67c659beb12c38186e4071495f00d1deca606a9df54c3735c44
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/capabilities
 keywords:
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml
index e23211270..0df32e927 100644
--- a/artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml
@@ -138,8 +138,6 @@ spec:
 - |
 package lib.exclude_update
 
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/artifacthub-pkg.yml
index 537fa4391..733b22e88 100644
--- a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspflexvolumes
 displayName: FlexVolumes
 createdAt: "2023-05-23T09:47:31Z"
 description: Controls the allowlist of FlexVolume drivers. Corresponds to the `allowedFlexVolumes` field in PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers
-digest: a680d7804d62ddf9e4c5fa7d2f657d6e4e98ba5a375cc8cecba6ab851963b649
+digest: 72545f834896499ee61b0918b4735e25bc851df1b16a8adcf35b0ca250ca79de
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/flexvolume-drivers
 keywords:
diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml
index 88e99f319..c059681c9 100644
--- a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml
+++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml
@@ -67,8 +67,6 @@ spec:
 - |
 package lib.exclude_update
 
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/artifacthub-pkg.yml
index f8ba3e571..48ba046fb 100644
--- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspforbiddensysctls
 displayName: Forbidden Sysctls
 createdAt: "2023-05-23T09:47:31Z"
 description: Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
-digest: 6e4e3edc144174b6363e0c3de04d4b9be67306a771c8a4fd7a46229123480b61
+digest: b9b00a75d075d84d4b23066545063969a9dac86717eb62ee5da1861e720f5df2
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/forbidden-sysctls
 keywords:
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml
index 97257f3ad..3d3c1d9a0 100644
--- a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml
@@ -95,8 +95,6 @@ spec:
 - |
 package lib.exclude_update
 
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/artifacthub-pkg.yml
index 33978b4c7..818551a97 100644
--- a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspfsgroup
 displayName: FS Group
 createdAt: "2023-05-23T09:47:31Z"
 description: Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
-digest: 09290360fc2e0c03c012d8d3be2b9d18dc4b7017c108e28bf60592c05db204ce
+digest: 18d489cff65194e1ee7963197d4384cbd6b3141e3babfa66aff59b5062e32d35
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/fsgroup
 keywords:
diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml
index 189a478d1..d3f56af81 100644
--- a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml
+++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml
@@ -100,8 +100,6 @@ spec:
 - |
 package lib.exclude_update
 
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/artifacthub-pkg.yml
index 26847063e..d417458bf 100644
--- a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spsphostfilesystem
 displayName: Host Filesystem
 createdAt: "2023-05-23T09:47:31Z"
 description: Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
-digest: de1a34191f8482e7326878d0c8f7b653f1d5a2805674cdd4393ee917349ac0a9
+digest: 6ced943cc854322891d2b3021c586562c360c1e02f20bf52ca3032fb4a3da7fd
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-filesystem
 keywords:
diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml
index e9bb32441..2ef796fd4 100644
--- a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml
+++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml
@@ -143,8 +143,6 @@ spec:
 - |
 package lib.exclude_update
 
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/artifacthub-pkg.yml
index bf51e675c..2f68f69dc 100644
--- a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spsphostnamespace
 displayName: Host Namespace
 createdAt: "2023-05-23T09:47:31Z"
 description: Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
-digest: af63ee9b0b61519aa6e3a63f36e41ee56706805e0f04c92e6b21dc98fb08cfc8
+digest: a0e3fc6ed087233e70ae10bdc2a3ee550226207bf2bf7fb4567833710d39bed0
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-namespaces
 keywords:
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml
index 78fd6596f..a8b87e419 100644
--- a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml
@@ -49,8 +49,6 @@ spec:
 - |
 package lib.exclude_update
 
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/artifacthub-pkg.yml
index 13eb6c46a..3fe73120d 100644
--- a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spsphostnetworkingports
 displayName: Host Networking Ports
 createdAt: "2023-05-23T09:47:31Z"
 description: Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the `hostNetwork` and `hostPorts` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
-digest: 0032aa648e76385fb05fbd44d525ea97e78ceae87b5b615ec527ba3e9af0c5a2
+digest: 00d1eec4552138ea7eb40a5f24cd8d5ec3b3da5bc7121928d1f66dc899064d86
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-network-ports
 keywords:
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml
index 8db1c2cd3..31a9d9e56 100644
--- a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml
@@ -93,8 +93,6 @@ spec:
 - |
 package lib.exclude_update
 
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/artifacthub-pkg.yml
index 4dacb77a0..12b37abb7 100644
--- a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspprivilegedcontainer
 displayName: Privileged Container
 createdAt: "2023-05-23T09:47:31Z"
 description: Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
-digest: b05a7070b02fa9c2a2eb3a944badd5f42a471382919f8a6a02717faffd212d44
+digest: c8e6071091c7442d217106f83cc8b63cfe3bf48f49196435c5f974ec5cc094d5
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/privileged-containers
 keywords:
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml
index 6ec756011..c552c193d 100644
--- a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml
@@ -67,8 +67,6 @@ spec:
 - |
 package lib.exclude_update
 
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/artifacthub-pkg.yml
index d730f0e03..61b7bb380 100644
--- a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspprocmount
 displayName: Proc Mount
 createdAt: "2023-05-23T09:47:31Z"
 description: Controls the allowed `procMount` types for the container. Corresponds to the `allowedProcMountTypes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
-digest: 381e044afad0fa50bce39483149badf7bb50650d6df6856c02c2f38dac74dd14
+digest: 9a792a8c5d3a0559d877b673315598390a44d602fc2dcbe7c4f69f734dd94c97
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/proc-mount
 keywords:
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml
index 817a1a0bf..bbf2244da 100644
--- a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml
@@ -113,8 +113,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/artifacthub-pkg.yml
index b6cb2d465..76a2fbd74 100644
--- a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspreadonlyrootfilesystem
 displayName: Read Only Root Filesystem
 createdAt: "2023-05-23T09:47:31Z"
 description: Requires the use of a read-only root file system by pod containers. Corresponds to the `readOnlyRootFilesystem` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
-digest: d0639793ce5c44a84c39b94e61196a2c0436f4360b965f502d11287167e56bb6
+digest: b2b009150e5eb99c2746d79e0de085d11b2bddb1c5e0613bdefcc6d27d8a221d
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/read-only-root-filesystem
 keywords:
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml
index 1c449e7c8..bca12eeae 100644
--- a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml
@@ -78,8 +78,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/selinux/1.0.1/artifacthub-pkg.yml
index 0fbe34324..b41f55e84 100644
--- a/artifacthub/library/pod-security-policy/selinux/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspselinuxv2
 displayName: SELinux V2
 createdAt: "2023-05-23T09:47:32Z"
 description: Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
-digest: 232d1380a2a1ee76766387216e260fadc8470e8c4c54af9c901a7ff084adf0e8
+digest: 4b123118ccfaccae4f0f895db926a46e41414e58cd779179a0767c6ab216055d
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/selinux
 keywords:
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml
index e852d08c8..61729eceb 100644
--- a/artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml
@@ -119,8 +119,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/users/1.0.1/artifacthub-pkg.yml
index 216e467c0..338f2ee94 100644
--- a/artifacthub/library/pod-security-policy/users/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/users/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspallowedusers
 displayName: Allowed Users
 createdAt: "2023-05-23T09:47:32Z"
 description: Controls the user and group IDs of the container and some volumes. Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and `fsGroup` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
-digest: 4761591b28456c3e59fe2cc21dc5b81a850940f675e8d34bb92f3e07aee9119e
+digest: 4145c820284a655c6dfded52eb983df65e0eb5f76c4086e4edf03cbe6da2caf2
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/users
 keywords:
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/template.yaml
index e94d1ab95..1e572443e 100644
--- a/artifacthub/library/pod-security-policy/users/1.0.1/template.yaml
+++ b/artifacthub/library/pod-security-policy/users/1.0.1/template.yaml
@@ -267,8 +267,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/volumes/1.0.1/artifacthub-pkg.yml
index d2c67c9c8..2630a20fc 100644
--- a/artifacthub/library/pod-security-policy/volumes/1.0.1/artifacthub-pkg.yml
+++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspvolumetypes
 displayName: Volume Types
 createdAt: "2023-05-23T09:47:32Z"
 description: Restricts mountable volume types to those specified by the user. Corresponds to the `volumes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
-digest: a8abd75e02bdecbfc426916b2bd72ce126a865af31f8f9fd8e85b2ef7fecbc16
+digest: 95c71f8cfca302fcc4a122dc7f824884ea1f58d0f13b321b9f00a7976272764e
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/volumes
 keywords:
diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml
index 7ecd33144..458cb3178 100644
--- a/artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml
+++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml
@@ -59,8 +59,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/library/general/automount-serviceaccount-token/template.yaml b/library/general/automount-serviceaccount-token/template.yaml
index 1252c949e..82e69ff9c 100644
--- a/library/general/automount-serviceaccount-token/template.yaml
+++ b/library/general/automount-serviceaccount-token/template.yaml
@@ -61,8 +61,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/library/general/ephemeralstoragelimit/template.yaml b/library/general/ephemeralstoragelimit/template.yaml
index 01e4b7a65..2f7bf1b2b 100644
--- a/library/general/ephemeralstoragelimit/template.yaml
+++ b/library/general/ephemeralstoragelimit/template.yaml
@@ -207,8 +207,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/library/general/requiredprobes/template.yaml b/library/general/requiredprobes/template.yaml
index f276dc0d4..4115a6d98 100644
--- a/library/general/requiredprobes/template.yaml
+++ b/library/general/requiredprobes/template.yaml
@@ -67,8 +67,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/library/pod-security-policy/allow-privilege-escalation/template.yaml b/library/pod-security-policy/allow-privilege-escalation/template.yaml
index 2c4071bd5..a7f4694a2 100644
--- a/library/pod-security-policy/allow-privilege-escalation/template.yaml
+++ b/library/pod-security-policy/allow-privilege-escalation/template.yaml
@@ -75,8 +75,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/library/pod-security-policy/capabilities/template.yaml b/library/pod-security-policy/capabilities/template.yaml
index e23211270..0df32e927 100644
--- a/library/pod-security-policy/capabilities/template.yaml
+++ b/library/pod-security-policy/capabilities/template.yaml
@@ -138,8 +138,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/library/pod-security-policy/flexvolume-drivers/template.yaml b/library/pod-security-policy/flexvolume-drivers/template.yaml
index 88e99f319..c059681c9 100644
--- a/library/pod-security-policy/flexvolume-drivers/template.yaml
+++ b/library/pod-security-policy/flexvolume-drivers/template.yaml
@@ -67,8 +67,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/library/pod-security-policy/forbidden-sysctls/template.yaml b/library/pod-security-policy/forbidden-sysctls/template.yaml
index 97257f3ad..3d3c1d9a0 100644
--- a/library/pod-security-policy/forbidden-sysctls/template.yaml
+++ b/library/pod-security-policy/forbidden-sysctls/template.yaml
@@ -95,8 +95,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/library/pod-security-policy/fsgroup/template.yaml b/library/pod-security-policy/fsgroup/template.yaml
index 189a478d1..d3f56af81 100644
--- a/library/pod-security-policy/fsgroup/template.yaml
+++ b/library/pod-security-policy/fsgroup/template.yaml
@@ -100,8 +100,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/library/pod-security-policy/host-filesystem/template.yaml b/library/pod-security-policy/host-filesystem/template.yaml
index e9bb32441..2ef796fd4 100644
--- a/library/pod-security-policy/host-filesystem/template.yaml
+++ b/library/pod-security-policy/host-filesystem/template.yaml
@@ -143,8 +143,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/library/pod-security-policy/host-namespaces/template.yaml b/library/pod-security-policy/host-namespaces/template.yaml
index 78fd6596f..a8b87e419 100644
--- a/library/pod-security-policy/host-namespaces/template.yaml
+++ b/library/pod-security-policy/host-namespaces/template.yaml
@@ -49,8 +49,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/library/pod-security-policy/host-network-ports/template.yaml b/library/pod-security-policy/host-network-ports/template.yaml
index 8db1c2cd3..31a9d9e56 100644
--- a/library/pod-security-policy/host-network-ports/template.yaml
+++ b/library/pod-security-policy/host-network-ports/template.yaml
@@ -93,8 +93,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/library/pod-security-policy/privileged-containers/template.yaml b/library/pod-security-policy/privileged-containers/template.yaml
index 6ec756011..c552c193d 100644
--- a/library/pod-security-policy/privileged-containers/template.yaml
+++ b/library/pod-security-policy/privileged-containers/template.yaml
@@ -67,8 +67,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/library/pod-security-policy/proc-mount/template.yaml b/library/pod-security-policy/proc-mount/template.yaml
index 817a1a0bf..bbf2244da 100644
--- a/library/pod-security-policy/proc-mount/template.yaml
+++ b/library/pod-security-policy/proc-mount/template.yaml
@@ -113,8 +113,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/library/pod-security-policy/read-only-root-filesystem/template.yaml b/library/pod-security-policy/read-only-root-filesystem/template.yaml
index 1c449e7c8..bca12eeae 100644
--- a/library/pod-security-policy/read-only-root-filesystem/template.yaml
+++ b/library/pod-security-policy/read-only-root-filesystem/template.yaml
@@ -78,8 +78,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/library/pod-security-policy/selinux/template.yaml b/library/pod-security-policy/selinux/template.yaml
index e852d08c8..61729eceb 100644
--- a/library/pod-security-policy/selinux/template.yaml
+++ b/library/pod-security-policy/selinux/template.yaml
@@ -119,8 +119,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/library/pod-security-policy/users/template.yaml b/library/pod-security-policy/users/template.yaml
index e94d1ab95..1e572443e 100644
--- a/library/pod-security-policy/users/template.yaml
+++ b/library/pod-security-policy/users/template.yaml
@@ -267,8 +267,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/library/pod-security-policy/volumes/template.yaml b/library/pod-security-policy/volumes/template.yaml
index 7ecd33144..458cb3178 100644
--- a/library/pod-security-policy/volumes/template.yaml
+++ b/library/pod-security-policy/volumes/template.yaml
@@ -59,8 +59,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/src/general/automount-serviceaccount-token/lib_exclude_update.rego b/src/general/automount-serviceaccount-token/lib_exclude_update.rego
index c176132fb..96433d78a 100644
--- a/src/general/automount-serviceaccount-token/lib_exclude_update.rego
+++ b/src/general/automount-serviceaccount-token/lib_exclude_update.rego
@@ -1,7 +1,5 @@
 package lib.exclude_update
-import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/src/general/ephemeralstoragelimit/lib_exclude_update.rego b/src/general/ephemeralstoragelimit/lib_exclude_update.rego
index c176132fb..96433d78a 100644
--- a/src/general/ephemeralstoragelimit/lib_exclude_update.rego
+++ b/src/general/ephemeralstoragelimit/lib_exclude_update.rego
@@ -1,7 +1,5 @@
 package lib.exclude_update
-import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/src/general/requiredprobes/lib_exclude_update.rego b/src/general/requiredprobes/lib_exclude_update.rego
index c176132fb..96433d78a 100644
--- a/src/general/requiredprobes/lib_exclude_update.rego
+++ b/src/general/requiredprobes/lib_exclude_update.rego
@@ -1,7 +1,5 @@
 package lib.exclude_update
-import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/src/pod-security-policy/allow-privilege-escalation/lib_exclude_update.rego b/src/pod-security-policy/allow-privilege-escalation/lib_exclude_update.rego
index c176132fb..96433d78a 100644
--- a/src/pod-security-policy/allow-privilege-escalation/lib_exclude_update.rego
+++ b/src/pod-security-policy/allow-privilege-escalation/lib_exclude_update.rego
@@ -1,7 +1,5 @@
 package lib.exclude_update
-import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/src/pod-security-policy/capabilities/lib_exclude_update.rego b/src/pod-security-policy/capabilities/lib_exclude_update.rego
index c176132fb..96433d78a 100644
--- a/src/pod-security-policy/capabilities/lib_exclude_update.rego
+++ b/src/pod-security-policy/capabilities/lib_exclude_update.rego
@@ -1,7 +1,5 @@
 package lib.exclude_update
-import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/src/pod-security-policy/flexvolume-drivers/lib_exclude_update.rego b/src/pod-security-policy/flexvolume-drivers/lib_exclude_update.rego
index c176132fb..96433d78a 100644
--- a/src/pod-security-policy/flexvolume-drivers/lib_exclude_update.rego
+++ b/src/pod-security-policy/flexvolume-drivers/lib_exclude_update.rego
@@ -1,7 +1,5 @@
 package lib.exclude_update
-import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/src/pod-security-policy/forbidden-sysctls/lib_exclude_update.rego b/src/pod-security-policy/forbidden-sysctls/lib_exclude_update.rego
index c176132fb..96433d78a 100644
--- a/src/pod-security-policy/forbidden-sysctls/lib_exclude_update.rego
+++ b/src/pod-security-policy/forbidden-sysctls/lib_exclude_update.rego
@@ -1,7 +1,5 @@
 package lib.exclude_update
-import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/src/pod-security-policy/fsgroup/lib_exclude_update.rego b/src/pod-security-policy/fsgroup/lib_exclude_update.rego
index c176132fb..96433d78a 100644
--- a/src/pod-security-policy/fsgroup/lib_exclude_update.rego
+++ b/src/pod-security-policy/fsgroup/lib_exclude_update.rego
@@ -1,7 +1,5 @@
 package lib.exclude_update
-import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/src/pod-security-policy/host-filesystem/lib_exclude_update.rego b/src/pod-security-policy/host-filesystem/lib_exclude_update.rego
index c176132fb..96433d78a 100644
--- a/src/pod-security-policy/host-filesystem/lib_exclude_update.rego
+++ b/src/pod-security-policy/host-filesystem/lib_exclude_update.rego
@@ -1,7 +1,5 @@
 package lib.exclude_update
-import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/src/pod-security-policy/host-namespaces/lib_exclude_update.rego b/src/pod-security-policy/host-namespaces/lib_exclude_update.rego
index c176132fb..96433d78a 100644
--- a/src/pod-security-policy/host-namespaces/lib_exclude_update.rego
+++ b/src/pod-security-policy/host-namespaces/lib_exclude_update.rego
@@ -1,7 +1,5 @@
 package lib.exclude_update
-import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/src/pod-security-policy/host-network-ports/lib_exclude_update.rego b/src/pod-security-policy/host-network-ports/lib_exclude_update.rego
index c176132fb..96433d78a 100644
--- a/src/pod-security-policy/host-network-ports/lib_exclude_update.rego
+++ b/src/pod-security-policy/host-network-ports/lib_exclude_update.rego
@@ -1,7 +1,5 @@
 package lib.exclude_update
-import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/src/pod-security-policy/privileged-containers/lib_exclude_update.rego b/src/pod-security-policy/privileged-containers/lib_exclude_update.rego
index c176132fb..96433d78a 100644
--- a/src/pod-security-policy/privileged-containers/lib_exclude_update.rego
+++ b/src/pod-security-policy/privileged-containers/lib_exclude_update.rego
@@ -1,7 +1,5 @@
 package lib.exclude_update
-import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/src/pod-security-policy/proc-mount/lib_exclude_update.rego b/src/pod-security-policy/proc-mount/lib_exclude_update.rego
index c176132fb..96433d78a 100644
--- a/src/pod-security-policy/proc-mount/lib_exclude_update.rego
+++ b/src/pod-security-policy/proc-mount/lib_exclude_update.rego
@@ -1,7 +1,5 @@
 package lib.exclude_update
-import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/src/pod-security-policy/read-only-root-filesystem/lib_exclude_update.rego b/src/pod-security-policy/read-only-root-filesystem/lib_exclude_update.rego
index c176132fb..96433d78a 100644
--- a/src/pod-security-policy/read-only-root-filesystem/lib_exclude_update.rego
+++ b/src/pod-security-policy/read-only-root-filesystem/lib_exclude_update.rego
@@ -1,7 +1,5 @@
 package lib.exclude_update
-import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/src/pod-security-policy/selinux/lib_exclude_update.rego b/src/pod-security-policy/selinux/lib_exclude_update.rego
index c176132fb..96433d78a 100644
--- a/src/pod-security-policy/selinux/lib_exclude_update.rego
+++ b/src/pod-security-policy/selinux/lib_exclude_update.rego
@@ -1,7 +1,5 @@
 package lib.exclude_update
-import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/src/pod-security-policy/users/lib_exclude_update.rego b/src/pod-security-policy/users/lib_exclude_update.rego
index c176132fb..96433d78a 100644
--- a/src/pod-security-policy/users/lib_exclude_update.rego
+++ b/src/pod-security-policy/users/lib_exclude_update.rego
@@ -1,7 +1,5 @@
 package lib.exclude_update
-import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/src/pod-security-policy/volumes/lib_exclude_update.rego b/src/pod-security-policy/volumes/lib_exclude_update.rego
index c176132fb..96433d78a 100644
--- a/src/pod-security-policy/volumes/lib_exclude_update.rego
+++ b/src/pod-security-policy/volumes/lib_exclude_update.rego
@@ -1,7 +1,5 @@
 package lib.exclude_update
-import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/src/rego/lib_exclude_update/lib_exclude_update.rego b/src/rego/lib_exclude_update/lib_exclude_update.rego
index c176132fb..96433d78a 100644
--- a/src/rego/lib_exclude_update/lib_exclude_update.rego
+++ b/src/rego/lib_exclude_update/lib_exclude_update.rego
@@ -1,7 +1,5 @@
 package lib.exclude_update
-import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/website/docs/validation/allow-privilege-escalation.md b/website/docs/validation/allow-privilege-escalation.md
index c98f6b0bd..765425505 100644
--- a/website/docs/validation/allow-privilege-escalation.md
+++ b/website/docs/validation/allow-privilege-escalation.md
@@ -87,8 +87,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/website/docs/validation/automount-serviceaccount-token.md b/website/docs/validation/automount-serviceaccount-token.md
index bf2073101..9876ba1aa 100644
--- a/website/docs/validation/automount-serviceaccount-token.md
+++ b/website/docs/validation/automount-serviceaccount-token.md
@@ -73,8 +73,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/website/docs/validation/capabilities.md b/website/docs/validation/capabilities.md
index 5d0d6d6dc..bb6d86f4d 100644
--- a/website/docs/validation/capabilities.md
+++ b/website/docs/validation/capabilities.md
@@ -150,8 +150,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/website/docs/validation/ephemeralstoragelimit.md b/website/docs/validation/ephemeralstoragelimit.md
index f19bcbe70..83e219488 100644
--- a/website/docs/validation/ephemeralstoragelimit.md
+++ b/website/docs/validation/ephemeralstoragelimit.md
@@ -220,8 +220,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/website/docs/validation/flexvolume-drivers.md b/website/docs/validation/flexvolume-drivers.md
index 3e6370c3a..04d28cec3 100644
--- a/website/docs/validation/flexvolume-drivers.md
+++ b/website/docs/validation/flexvolume-drivers.md
@@ -79,8 +79,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/website/docs/validation/forbidden-sysctls.md b/website/docs/validation/forbidden-sysctls.md
index 3a6f0b2fc..1b5b4a27c 100644
--- a/website/docs/validation/forbidden-sysctls.md
+++ b/website/docs/validation/forbidden-sysctls.md
@@ -107,8 +107,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/website/docs/validation/fsgroup.md b/website/docs/validation/fsgroup.md
index 3596757cd..6a35e43c0 100644
--- a/website/docs/validation/fsgroup.md
+++ b/website/docs/validation/fsgroup.md
@@ -112,8 +112,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/website/docs/validation/host-filesystem.md b/website/docs/validation/host-filesystem.md
index a2b9ed0a1..cd7430a09 100644
--- a/website/docs/validation/host-filesystem.md
+++ b/website/docs/validation/host-filesystem.md
@@ -155,8 +155,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/website/docs/validation/host-namespaces.md b/website/docs/validation/host-namespaces.md
index 43f0eeaa5..0c433062e 100644
--- a/website/docs/validation/host-namespaces.md
+++ b/website/docs/validation/host-namespaces.md
@@ -61,8 +61,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/website/docs/validation/host-network-ports.md b/website/docs/validation/host-network-ports.md
index 4efbbb48f..373d1ab3f 100644
--- a/website/docs/validation/host-network-ports.md
+++ b/website/docs/validation/host-network-ports.md
@@ -105,8 +105,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/website/docs/validation/privileged-containers.md b/website/docs/validation/privileged-containers.md
index 2fb244298..ef596bbde 100644
--- a/website/docs/validation/privileged-containers.md
+++ b/website/docs/validation/privileged-containers.md
@@ -79,8 +79,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/website/docs/validation/proc-mount.md b/website/docs/validation/proc-mount.md
index 00b1373b3..e792ff25b 100644
--- a/website/docs/validation/proc-mount.md
+++ b/website/docs/validation/proc-mount.md
@@ -125,8 +125,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/website/docs/validation/read-only-root-filesystem.md b/website/docs/validation/read-only-root-filesystem.md
index fe37dd4f4..cefd32931 100644
--- a/website/docs/validation/read-only-root-filesystem.md
+++ b/website/docs/validation/read-only-root-filesystem.md
@@ -90,8 +90,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/website/docs/validation/requiredprobes.md b/website/docs/validation/requiredprobes.md
index 6b0852b43..4561c24f7 100644
--- a/website/docs/validation/requiredprobes.md
+++ b/website/docs/validation/requiredprobes.md
@@ -79,8 +79,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/website/docs/validation/selinux.md b/website/docs/validation/selinux.md
index 6aba45ae6..f44f5588a 100644
--- a/website/docs/validation/selinux.md
+++ b/website/docs/validation/selinux.md
@@ -131,8 +131,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/website/docs/validation/users.md b/website/docs/validation/users.md
index cd9d3a4ae..69d592ca8 100644
--- a/website/docs/validation/users.md
+++ b/website/docs/validation/users.md
@@ -279,8 +279,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
diff --git a/website/docs/validation/volumes.md b/website/docs/validation/volumes.md
index d9d41be30..b2ed0f55d 100644
--- a/website/docs/validation/volumes.md
+++ b/website/docs/validation/volumes.md
@@ -71,8 +71,6 @@ spec:
 - |
 package lib.exclude_update
- import future.keywords.in
-
 is_update(review) {
 review.operation == "UPDATE"
 }
From 248fe025d61451c4bf6680117dba7f33df07d39c Mon Sep 17 00:00:00 2001
From: Hidehito Yabuuchi
Date: Tue, 26 Sep 2023 09:46:55 +0900
Subject: [PATCH 10/11] Apply suggestions from code review
Co-authored-by: Andrew Peabody
Signed-off-by: Hidehito Yabuuchi
---
 library/general/ephemeralstoragelimit/suite.yaml | 2 +-
 library/pod-security-policy/capabilities/suite.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/library/general/ephemeralstoragelimit/suite.yaml b/library/general/ephemeralstoragelimit/suite.yaml
index 3d58b3dab..a6b99410d 100644
--- a/library/general/ephemeralstoragelimit/suite.yaml
+++ b/library/general/ephemeralstoragelimit/suite.yaml
@@ -30,4 +30,4 @@ tests:
 - name: ephemeral-storage-limit-update
 object: samples/container-must-have-ephemeral-storage-limit/update.yaml
 assertions:
- - violations: no
\ No newline at end of file
+ - violations: no
diff --git a/library/pod-security-policy/capabilities/suite.yaml b/library/pod-security-policy/capabilities/suite.yaml
index 29a207c25..48c2fcb46 100644
--- a/library/pod-security-policy/capabilities/suite.yaml
+++ b/library/pod-security-policy/capabilities/suite.yaml
@@ -22,4 +22,4 @@ tests:
 - name: update
 object: samples/capabilities-demo/update.yaml
 assertions:
- - violations: no
\ No newline at end of file
+ - violations: no
From 04106cfd8032ebdc473a802bd2441188c7d28ddd Mon Sep 17 00:00:00 2001
From: Hidehito Yabuuchi
Date: Tue, 26 Sep 2023 09:53:50 +0900
Subject: [PATCH 11/11] make generate-all
Signed-off-by: Hidehito Yabuuchi
---
 .../library/general/ephemeralstoragelimit/1.0.1/suite.yaml | 2 +-
 .../library/pod-security-policy/capabilities/1.0.1/suite.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/suite.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/suite.yaml
index 3d58b3dab..a6b99410d 100644
--- a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/suite.yaml
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/suite.yaml
@@ -30,4 +30,4 @@ tests:
 - name: ephemeral-storage-limit-update
 object: samples/container-must-have-ephemeral-storage-limit/update.yaml
 assertions:
- - violations: no
\ No newline at end of file
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/suite.yaml
index 29a207c25..48c2fcb46 100644
--- a/artifacthub/library/pod-security-policy/capabilities/1.0.1/suite.yaml
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/suite.yaml
@@ -22,4 +22,4 @@ tests:
 - name: update
 object: samples/capabilities-demo/update.yaml
 assertions:
- - violations: no
\ No newline at end of file
+ - violations: no