Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Exclude UPDATE operations in constraints for immutable fields #348

Merged
merged 26 commits into from
Sep 26, 2023
Merged
Show file tree
Hide file tree
Changes from 24 commits
Commits
Show all changes
26 commits
Select commit Hold shift + click to select a range
7db1c86
Add Rego library for excluding UPDATE and PATCH operations
ordovicia May 23, 2023
35708e3
Exclude UPDATE and PATCH operations in constraints for immutable fields
ordovicia May 23, 2023
303b237
make generate-all
ordovicia May 23, 2023
6e581be
Merge branch 'master' into exclude-update
ordovicia Jul 25, 2023
87ffd13
Merge branch 'master' into exclude-update
apeabody Jul 26, 2023
9ba8593
Exclude `UPDATE` operation only
ordovicia Aug 1, 2023
6ebefc4
make generate-all
ordovicia Aug 1, 2023
44bb171
Add tests for constraint templates
ordovicia Aug 1, 2023
78b4bce
Merge remote-tracking branch 'upstream/master' into exclude-update
ordovicia Aug 1, 2023
8f15c36
Add tests for constraints
ordovicia Aug 2, 2023
b2401a1
make generate-all
ordovicia Aug 2, 2023
694ab0d
Merge branch 'master' into exclude-update
ordovicia Aug 2, 2023
136665f
Merge branch 'master' into exclude-update
ordovicia Aug 14, 2023
809e370
Merge branch 'master' into exclude-update
apeabody Aug 15, 2023
14d0710
Merge branch 'master' into exclude-update
ordovicia Aug 22, 2023
6335c27
Merge branch 'master' into exclude-update
apeabody Aug 22, 2023
584c3dd
Merge branch 'master' into exclude-update
ordovicia Aug 29, 2023
49ba2d4
Merge branch 'master' into exclude-update
ordovicia Aug 31, 2023
a4af3c9
Merge branch 'master' into exclude-update
ordovicia Sep 11, 2023
fca128c
Merge branch 'master' into exclude-update
ordovicia Sep 12, 2023
38fb834
Remove unnecessary future.keywords.in import
ordovicia Sep 13, 2023
e581373
Merge branch 'master' into exclude-update
apeabody Sep 13, 2023
e7edb19
Merge branch 'master' into exclude-update
ordovicia Sep 19, 2023
4d00e91
Merge branch 'master' into exclude-update
apeabody Sep 25, 2023
248fe02
Apply suggestions from code review
ordovicia Sep 26, 2023
04106cf
make generate-all
ordovicia Sep 26, 2023
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
version: 1.0.1
name: k8spspautomountserviceaccounttokenpod
displayName: Automount Service Account Token for Pod
createdAt: "2023-05-23T09:47:24Z"
description: Controls the ability of any Pod to enable automountServiceAccountToken.
digest: 8b62e4b2324e9e60a66008e6edcc327bcd2b531d3a905f10bf25a1671079ce6e
license: Apache-2.0
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/automount-serviceaccount-token
keywords:
- gatekeeper
- open-policy-agent
- policies
readme: |-
# Automount Service Account Token for Pod
Controls the ability of any Pod to enable automountServiceAccountToken.
install: |-
### Usage
```shell
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml
```
provider:
name: Gatekeeper Library
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
resources:
- template.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
name: psp-automount-serviceaccount-token-pod
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
excludedNamespaces: ["kube-system"]
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-automountserviceaccounttoken-allowed
labels:
app: nginx-not-automountserviceaccounttoken
spec:
automountServiceAccountToken: false
containers:
- name: nginx
image: nginx
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-automountserviceaccounttoken-disallowed
labels:
app: nginx-automountserviceaccounttoken
spec:
automountServiceAccountToken: true
containers:
- name: nginx
image: nginx
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
kind: AdmissionReview
apiVersion: admission.k8s.io/v1beta1
request:
operation: "UPDATE"
object:
apiVersion: v1
kind: Pod
metadata:
name: nginx-automountserviceaccounttoken-update
labels:
app: nginx-automountserviceaccounttoken
spec:
automountServiceAccountToken: true
containers:
- name: nginx
image: nginx
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
kind: Suite
apiVersion: test.gatekeeper.sh/v1alpha1
metadata:
name: automount-serviceaccount-token
tests:
- name: automount-serviceaccount-token
template: template.yaml
constraint: samples/automount-serviceaccount-token/constraint.yaml
cases:
- name: example-allowed
object: samples/automount-serviceaccount-token/example_allowed.yaml
assertions:
- violations: no
- name: example-disallowed
object: samples/automount-serviceaccount-token/example_disallowed.yaml
assertions:
- violations: yes
- name: update
object: samples/automount-serviceaccount-token/update.yaml
assertions:
- violations: no
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8spspautomountserviceaccounttokenpod
annotations:
metadata.gatekeeper.sh/title: "Automount Service Account Token for Pod"
metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls the ability of any Pod to enable automountServiceAccountToken.
spec:
crd:
spec:
names:
kind: K8sPSPAutomountServiceAccountTokenPod
validation:
openAPIV3Schema:
type: object
description: >-
Controls the ability of any Pod to enable automountServiceAccountToken.
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8sautomountserviceaccounttoken

import data.lib.exclude_update.is_update

violation[{"msg": msg}] {
# spec.automountServiceAccountToken and spec.containers.volumeMounts fields are immutable.
not is_update(input.review)

obj := input.review.object
mountServiceAccountToken(obj.spec)
msg := sprintf("Automounting service account token is disallowed, pod: %v", [obj.metadata.name])
}

mountServiceAccountToken(spec) {
spec.automountServiceAccountToken == true
}

# if there is no automountServiceAccountToken spec, check on volumeMount in containers. Service Account token is mounted on /var/run/secrets/kubernetes.io/serviceaccount
# https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller
mountServiceAccountToken(spec) {
not has_key(spec, "automountServiceAccountToken")
"/var/run/secrets/kubernetes.io/serviceaccount" == input_containers[_].volumeMounts[_].mountPath
}

input_containers[c] {
c := input.review.object.spec.containers[_]
}

input_containers[c] {
c := input.review.object.spec.initContainers[_]
}

# Ephemeral containers not checked as it is not possible to set field.

has_key(x, k) {
_ = x[k]
}
libs:
- |
package lib.exclude_update

is_update(review) {
review.operation == "UPDATE"
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
version: 1.0.1
name: k8scontainerephemeralstoragelimit
displayName: Container ephemeral storage limit
createdAt: "2023-05-23T09:47:27Z"
description: |-
Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values.
https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
digest: 84077f1dbcdcab9a7c20710e82299995e44294fccdb1a5b9de63fb5a5032a6d8
license: Apache-2.0
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/ephemeralstoragelimit
keywords:
- gatekeeper
- open-policy-agent
- policies
readme: |-
# Container ephemeral storage limit
Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values.
https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
install: |-
### Usage
```shell
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml
```
provider:
name: Gatekeeper Library
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
resources:
- template.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
name: container-ephemeral-storage-limit
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
ephemeral-storage: "500Mi"
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
labels:
owner: me.agilebank.demo
spec:
initContainers:
- name: init-opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
cpu: "100m"
memory: "1Gi"
ephemeral-storage: "100Mi"


containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
cpu: "100m"
memory: "1Gi"
ephemeral-storage: "100Mi"
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
labels:
owner: me.agilebank.demo
spec:
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
cpu: "100m"
memory: "1Gi"

ephemeral-storage: "100Mi"
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
labels:
owner: me.agilebank.demo
spec:
initContainers:
- name: init-opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
cpu: "100m"
memory: "1Gi"
ephemeral-storage: "1Pi"
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
cpu: "100m"
memory: "1Gi"
ephemeral-storage: "100Mi"
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
labels:
owner: me.agilebank.demo
spec:
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
cpu: "100m"
memory: "1Gi"

ephemeral-storage: "1Pi"
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
labels:
owner: me.agilebank.demo
spec:
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
cpu: "100m"
memory: "2Gi"
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
kind: AdmissionReview
apiVersion: admission.k8s.io/v1beta1
request:
operation: "UPDATE"
object:
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
labels:
owner: me.agilebank.demo
spec:
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
cpu: "100m"
memory: "1Gi"
ephemeral-storage: "1Pi"
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
kind: Suite
apiVersion: test.gatekeeper.sh/v1alpha1
metadata:
name: ephemeral-storage-limit
tests:
- name: ephemeral-storage-limit
template: template.yaml
constraint: samples/container-must-have-ephemeral-storage-limit/constraint.yaml
cases:
- name: ephemeral-storage-limit-100Mi
object: samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage.yaml
assertions:
- violations: no
- name: ephemeral-storage-limit-initContainer-100Mi
object: samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage-initContainer.yaml
assertions:
- violations: no
- name: ephemeral-storage-limit-unspecified
object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_unspecified.yaml
assertions:
- violations: yes
- name: ephemeral-storage-limit-1Pi
object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi.yaml
assertions:
- violations: yes
- name: ephemeral-storage-limit-initContainer-1Pi
object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml
assertions:
- violations: yes
- name: ephemeral-storage-limit-update
object: samples/container-must-have-ephemeral-storage-limit/update.yaml
assertions:
- violations: no
Loading