Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Exclude UPDATE operations in constraints for immutable fields #348

Merged
merged 26 commits into from
Sep 26, 2023
Merged
Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
26 commits
Select commit Hold shift + click to select a range
7db1c86
Add Rego library for excluding UPDATE and PATCH operations
ordovicia May 23, 2023
35708e3
Exclude UPDATE and PATCH operations in constraints for immutable fields
ordovicia May 23, 2023
303b237
make generate-all
ordovicia May 23, 2023
6e581be
Merge branch 'master' into exclude-update
ordovicia Jul 25, 2023
87ffd13
Merge branch 'master' into exclude-update
apeabody Jul 26, 2023
9ba8593
Exclude `UPDATE` operation only
ordovicia Aug 1, 2023
6ebefc4
make generate-all
ordovicia Aug 1, 2023
44bb171
Add tests for constraint templates
ordovicia Aug 1, 2023
78b4bce
Merge remote-tracking branch 'upstream/master' into exclude-update
ordovicia Aug 1, 2023
8f15c36
Add tests for constraints
ordovicia Aug 2, 2023
b2401a1
make generate-all
ordovicia Aug 2, 2023
694ab0d
Merge branch 'master' into exclude-update
ordovicia Aug 2, 2023
136665f
Merge branch 'master' into exclude-update
ordovicia Aug 14, 2023
809e370
Merge branch 'master' into exclude-update
apeabody Aug 15, 2023
14d0710
Merge branch 'master' into exclude-update
ordovicia Aug 22, 2023
6335c27
Merge branch 'master' into exclude-update
apeabody Aug 22, 2023
584c3dd
Merge branch 'master' into exclude-update
ordovicia Aug 29, 2023
49ba2d4
Merge branch 'master' into exclude-update
ordovicia Aug 31, 2023
a4af3c9
Merge branch 'master' into exclude-update
ordovicia Sep 11, 2023
fca128c
Merge branch 'master' into exclude-update
ordovicia Sep 12, 2023
38fb834
Remove unnecessary future.keywords.in import
ordovicia Sep 13, 2023
e581373
Merge branch 'master' into exclude-update
apeabody Sep 13, 2023
e7edb19
Merge branch 'master' into exclude-update
ordovicia Sep 19, 2023
4d00e91
Merge branch 'master' into exclude-update
apeabody Sep 25, 2023
248fe02
Apply suggestions from code review
ordovicia Sep 26, 2023
04106cf
make generate-all
ordovicia Sep 26, 2023
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
version: 1.0.1
name: k8spspautomountserviceaccounttokenpod
displayName: Automount Service Account Token for Pod
createdAt: "2023-05-23T09:47:24Z"
description: Controls the ability of any Pod to enable automountServiceAccountToken.
digest: 703ebbf0f93e4ccc2dd0a5a28f8f944285fe3581848d34f40573e9129ade5f50
license: Apache-2.0
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/automount-serviceaccount-token
keywords:
- gatekeeper
- open-policy-agent
- policies
readme: |-
# Automount Service Account Token for Pod
Controls the ability of any Pod to enable automountServiceAccountToken.
install: |-
### Usage
```shell
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml
```
provider:
name: Gatekeeper Library
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
resources:
- template.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
name: psp-automount-serviceaccount-token-pod
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
excludedNamespaces: ["kube-system"]
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-automountserviceaccounttoken-allowed
labels:
app: nginx-not-automountserviceaccounttoken
spec:
automountServiceAccountToken: false
containers:
- name: nginx
image: nginx
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-automountserviceaccounttoken-disallowed
labels:
app: nginx-automountserviceaccounttoken
spec:
automountServiceAccountToken: true
containers:
- name: nginx
image: nginx
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
kind: Suite
apiVersion: test.gatekeeper.sh/v1alpha1
metadata:
name: automount-serviceaccount-token
tests:
- name: automount-serviceaccount-token
template: template.yaml
constraint: samples/automount-serviceaccount-token/constraint.yaml
cases:
- name: example-allowed
object: samples/automount-serviceaccount-token/example_allowed.yaml
assertions:
- violations: no
- name: example-disallowed
object: samples/automount-serviceaccount-token/example_disallowed.yaml
assertions:
- violations: yes
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8spspautomountserviceaccounttokenpod
annotations:
metadata.gatekeeper.sh/title: "Automount Service Account Token for Pod"
metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls the ability of any Pod to enable automountServiceAccountToken.
spec:
crd:
spec:
names:
kind: K8sPSPAutomountServiceAccountTokenPod
validation:
openAPIV3Schema:
type: object
description: >-
Controls the ability of any Pod to enable automountServiceAccountToken.
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8sautomountserviceaccounttoken

import data.lib.exclude_update_patch.is_update_or_patch

violation[{"msg": msg}] {
# spec.automountServiceAccountToken and spec.containers.volumeMounts fields are immutable.
not is_update_or_patch(input.review)

obj := input.review.object
mountServiceAccountToken(obj.spec)
msg := sprintf("Automounting service account token is disallowed, pod: %v", [obj.metadata.name])
}

mountServiceAccountToken(spec) {
spec.automountServiceAccountToken == true
}

# if there is no automountServiceAccountToken spec, check on volumeMount in containers. Service Account token is mounted on /var/run/secrets/kubernetes.io/serviceaccount
# https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller
mountServiceAccountToken(spec) {
not has_key(spec, "automountServiceAccountToken")
"/var/run/secrets/kubernetes.io/serviceaccount" == input_containers[_].volumeMounts[_].mountPath
}

input_containers[c] {
c := input.review.object.spec.containers[_]
}

input_containers[c] {
c := input.review.object.spec.initContainers[_]
}

# Ephemeral containers not checked as it is not possible to set field.

has_key(x, k) {
_ = x[k]
}
libs:
- |
package lib.exclude_update_patch

import future.keywords.in

is_update_or_patch(review) {
review.operation in ["UPDATE", "PATCH"]
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
version: 1.0.1
name: k8scontainerephemeralstoragelimit
displayName: Container ephemeral storage limit
createdAt: "2023-05-23T09:47:27Z"
description: |-
Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values.
https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
digest: 3831d46393ad418fa151a3c5996c89145f65adf270f324da59c6fb8e72ab7724
license: Apache-2.0
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/ephemeralstoragelimit
keywords:
- gatekeeper
- open-policy-agent
- policies
readme: |-
# Container ephemeral storage limit
Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values.
https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
install: |-
### Usage
```shell
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml
```
provider:
name: Gatekeeper Library
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
resources:
- template.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
name: container-ephemeral-storage-limit
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
ephemeral-storage: "500Mi"
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
labels:
owner: me.agilebank.demo
spec:
initContainers:
- name: init-opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
cpu: "100m"
memory: "1Gi"
ephemeral-storage: "100Mi"


containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
cpu: "100m"
memory: "1Gi"
ephemeral-storage: "100Mi"
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
labels:
owner: me.agilebank.demo
spec:
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
cpu: "100m"
memory: "1Gi"

ephemeral-storage: "100Mi"
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
labels:
owner: me.agilebank.demo
spec:
initContainers:
- name: init-opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
cpu: "100m"
memory: "1Gi"
ephemeral-storage: "1Pi"
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
cpu: "100m"
memory: "1Gi"
ephemeral-storage: "100Mi"
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
labels:
owner: me.agilebank.demo
spec:
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
cpu: "100m"
memory: "1Gi"

ephemeral-storage: "1Pi"
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
labels:
owner: me.agilebank.demo
spec:
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
cpu: "100m"
memory: "2Gi"
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
kind: Suite
apiVersion: test.gatekeeper.sh/v1alpha1
metadata:
name: ephemeral-storage-limit
tests:
- name: ephemeral-storage-limit
template: template.yaml
constraint: samples/container-must-have-ephemeral-storage-limit/constraint.yaml
cases:
- name: ephemeral-storage-limit-100Mi
object: samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage.yaml
assertions:
- violations: no
- name: ephemeral-storage-limit-initContainer-100Mi
object: samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage-initContainer.yaml
assertions:
- violations: no
- name: ephemeral-storage-limit-unspecified
object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_unspecified.yaml
assertions:
- violations: yes
- name: ephemeral-storage-limit-1Pi
object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi.yaml
assertions:
- violations: yes
- name: ephemeral-storage-limit-initContainer-1Pi
object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml
assertions:
- violations: yes
Loading