chore: adding psp-users CEL policy #537

Open
wants to merge 19 commits into
base: master
@@ -0,0 +1,22 @@
version: 1.1.0
name: k8spspallowedusers
displayName: Allowed Users
createdAt: "2024-05-30T00:06:50Z"
description: Controls the user and group IDs of the container and some volumes. Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and `fsGroup` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
digest: 4598260368425717a058b766c4f93f6b197e6ad817771cff1b82ffce8962eee1
license: Apache-2.0
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/users
keywords:
- gatekeeper
- open-policy-agent
- policies
readme: |-
# Allowed Users
Controls the user and group IDs of the container and some volumes. Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and `fsGroup` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
install: |-
### Usage
```shell
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/users/1.1.0/template.yaml
```
provider:
name: Gatekeeper Library
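Review bot: the `digest` on this package pins the content of template.yaml at version 1.1.0, so it needs to be regenerated from the final template before merge; with 19 commits in this PR it is easy for the two to drift. Separately, both `description` and the `readme` point readers at the PodSecurityPolicy documentation (`https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups`); PodSecurityPolicy was removed in Kubernetes v1.25, so consider a sentence saying the template reproduces the semantics of `runAsUser`, `runAsGroup`, `supplementalGroups` and `fsGroup` rather than depending on the PSP resource, and check that the anchor still resolves.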
@@ -0,0 +1,2 @@
resources:
- template.yaml
@@ -0,0 +1,32 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
name: psp-pods-allowed-user-ranges
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
exemptImages:
- nginx-exempt
runAsUser:
rule: MustRunAs # MustRunAsNonRoot # RunAsAny
ranges:
- min: 100
max: 200
runAsGroup:
rule: MustRunAs # MayRunAs # RunAsAny
ranges:
- min: 100
max: 200
supplementalGroups:
rule: MustRunAs # MayRunAs # RunAsAny
ranges:
- min: 100
max: 200
fsGroup:
rule: MustRunAs # MayRunAs # RunAsAny
ranges:
- min: 100
max: 200
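Review bot: the single exemption `- nginx-exempt` under `exemptImages` is an exact image string, so it only matches a container whose `image` is literally `nginx-exempt` (as in the exempt-image sample) and not a tagged or registry-qualified form of the same image. If the CEL template keeps the library's convention of prefix matching on a trailing `*`, the sample should show that form and the readme should say so; either way, the recommended practice is a fully-qualified image name so that an exemption cannot be claimed by a same-named image from another registry. The inline `# MustRunAsNonRoot # RunAsAny` and `# MayRunAs # RunAsAny` comments document the accepted rule values, but none of those alternatives is exercised by a sample or test case.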
@@ -0,0 +1,17 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-users-disallowed
labels:
app: nginx-users
spec:
securityContext:
supplementalGroups:
- 250
fsGroup: 250
ephemeralContainers:
- name: nginx
image: nginx
securityContext:
runAsUser: 250
runAsGroup: 250
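Review bot: this fixture declares `ephemeralContainers` as the pod's only container list, which the API server would never accept since a Pod needs at least one entry under `containers`. It works as a gator input, but adding one in-range regular container would make the fixture a valid Pod and would show that the `violations: yes` comes from `spec.ephemeralContainers` alone rather than from the pod-level `supplementalGroups`/`fsGroup` values of 250, which are also out of range here.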
@@ -0,0 +1,17 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-users-allowed
labels:
app: nginx-users
spec:
securityContext:
supplementalGroups:
- 199
fsGroup: 199
containers:
- name: nginx
image: nginx
securityContext:
runAsUser: 199
runAsGroup: 199
@@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-users-allowed
labels:
app: nginx-users
spec:
containers:
- name: nginx
image: nginx-exempt
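Review bot: this pod sets no `securityContext` at all, so the `violations: no` assertion on it does not prove that the `exemptImages` path works; the same result would be produced by a template that simply does not report unset fields under `MustRunAs`. Give the exempt container an out-of-range value such as `runAsUser: 250` (and out-of-range `supplementalGroups`/`fsGroup` at pod level) so that the case passes only because of the exemption. The `metadata.name` `nginx-users-allowed` is also shared with example_allowed.yaml; a distinct name such as `nginx-users-exempt` makes gator output easier to read.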
@@ -0,0 +1,23 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-users-disallowed
labels:
app: nginx-users
spec:
securityContext:
supplementalGroups:
- 250
fsGroup: 250
containers:
- name: nginx
image: nginx
securityContext:
runAsUser: 250
runAsGroup: 250
initContainers:
- name: init-nginx
image: nginx
securityContext:
runAsUser: 250
runAsGroup: 250
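Review bot: the `nginx` container and the `init-nginx` init container carry identical out-of-range values (`runAsUser: 250`, `runAsGroup: 250`), and the pod-level `supplementalGroups`/`fsGroup` are out of range too, so a single violation from any one of them satisfies the test and a template that ignores `initContainers` would still pass. A companion fixture with an in-range main container and an out-of-range init container would pin down that init containers are evaluated.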
@@ -0,0 +1,22 @@
kind: AdmissionReview
apiVersion: admission.k8s.io/v1beta1
request:
operation: "UPDATE"
object:
apiVersion: v1
kind: Pod
metadata:
name: nginx-users-disallowed
labels:
app: nginx-users
spec:
securityContext:
supplementalGroups:
- 250
fsGroup: 250
containers:
- name: nginx
image: nginx
securityContext:
runAsUser: 250
runAsGroup: 250
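Review bot: the wrapped object is byte-for-byte the disallowed pod from example_disallowed.yaml, yet the suite expects `violations: no` for it, which tells the reader that the template skips `operation: "UPDATE"` requests. That is defensible because a pod's `securityContext` is immutable after creation, but it should be stated in a comment here or in the test name, and it should be reconciled with the ephemeral-container case: in a live cluster ephemeral containers are only ever added through an UPDATE to the pod's `ephemeralcontainers` subresource, so a blanket UPDATE skip would mean the `spec.ephemeralContainers` check never fires outside gator. Also consider `apiVersion: admission.k8s.io/v1` for the AdmissionReview; `v1beta1` was removed from the API server in v1.22 even though gator still accepts the shape.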
29 changes: 29 additions & 0 deletions artifacthub/library/pod-security-policy/users/1.1.0/suite.yaml
@@ -0,0 +1,29 @@
kind: Suite
apiVersion: test.gatekeeper.sh/v1alpha1
metadata:
name: users
tests:
- name: users-and-groups-together
template: template.yaml
constraint: samples/psp-pods-allowed-user-ranges/constraint.yaml
cases:
- name: example-disallowed
object: samples/psp-pods-allowed-user-ranges/example_disallowed.yaml
assertions:
- violations: yes
- name: example-allowed
object: samples/psp-pods-allowed-user-ranges/example_allowed.yaml
assertions:
- violations: no
- name: disallowed-ephemeral
object: samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml
assertions:
- violations: yes
- name: example-allowed-exempt-image
object: samples/psp-pods-allowed-user-ranges/example_allowed_exempt_image.yaml
assertions:
- violations: no
- name: update
object: samples/psp-pods-allowed-user-ranges/update.yaml
assertions:
- violations: no
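Review bot: every negative case asserts only `violations: yes` against fixtures in which all four fields (`runAsUser`, `runAsGroup`, `supplementalGroups`, `fsGroup`) are out of range at once, so a regression in any single field check is masked by the others. Add one fixture per field with only that field out of range, a fixture where a `MustRunAs` field is left unset, and at least one case each for the `MustRunAsNonRoot`, `MayRunAs` and `RunAsAny` rule values that the constraint comments advertise; where the template emits one violation per offending field, asserting an exact count instead of `yes` also tightens these cases.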