open-policy-agent · sozercan · Sep 4, 2024 · Jun 5, 2024 · Jun 5, 2024 · Jul 3, 2024
@@ -2,8 +2,6 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: nginx-host-filesystem
-  labels:
-    app: nginx-host-filesystem-disallowed
 spec:
   ephemeralContainers:
   - name: nginx

@@ -2,8 +2,6 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: nginx-host-filesystem
-  labels:
-    app: nginx-host-filesystem-disallowed
 spec:
   containers:
     - name: nginx

@@ -2,8 +2,6 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: nginx-host-filesystem
-  labels:
-    app: nginx-host-filesystem-disallowed
 spec:
   containers:
   - name: nginx

@@ -2,8 +2,6 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: nginx-host-filesystem
-  labels:
-    app: nginx-host-filesystem-disallowed
 spec:
   ephemeralContainers:
   - name: nginx

@@ -2,8 +2,6 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: nginx-host-filesystem
-  labels:
-    app: nginx-host-filesystem-disallowed
 spec:
   containers:
     - name: nginx

@@ -2,8 +2,6 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: nginx-host-filesystem
-  labels:
-    app: nginx-host-filesystem-disallowed
 spec:
   containers:
   - name: nginx

@@ -2,8 +2,6 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: nginx-host-filesystem
-  labels:
-    app: nginx-host-filesystem-disallowed
 spec:
   ephemeralContainers:
   - name: nginx

@@ -2,8 +2,6 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: nginx-host-filesystem
-  labels:
-    app: nginx-host-filesystem-disallowed
 spec:
   containers:
     - name: nginx

@@ -2,8 +2,6 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: nginx-host-filesystem
-  labels:
-    app: nginx-host-filesystem-disallowed
 spec:
   containers:
   - name: nginx

@@ -0,0 +1,22 @@
+version: 1.1.0
+name: k8spsphostfilesystem
+displayName: Host Filesystem
+createdAt: "2024-06-05T20:31:16Z"
+description: Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+digest: 3883941aac9b7598a79c9bf6517c77a401b99d165bf584dce604a00eef79f8e7
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-filesystem
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Host Filesystem
+    Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/host-filesystem/1.1.0/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library
@@ -0,0 +1,2 @@
+resources:
+  - template.yaml
@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPHostFilesystem
+metadata:
+  name: psp-host-filesystem
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    allowedHostPaths:
+    - readOnly: true
+      pathPrefix: "/foo"
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-host-filesystem
+spec:
+  ephemeralContainers:
+  - name: nginx
+    image: nginx
+    volumeMounts:
+    - mountPath: /cache
+      name: cache-volume
+      readOnly: true
+  volumes:
+  - name: cache-volume
+    hostPath:
+      path: /tmp # directory location on host
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-host-filesystem
+spec:
+  containers:
+    - name: nginx
+      image: nginx
+      volumeMounts:
+        - mountPath: /cache
+          name: cache-volume
+          readOnly: true
+  volumes:
+    - name: cache-volume
+      hostPath:
+        path: /foo/bar
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-host-filesystem
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    volumeMounts:
+    - mountPath: /cache
+      name: cache-volume
+      readOnly: true
+  volumes:
+  - name: cache-volume
+    hostPath:
+      path: /tmp # directory location on host
@@ -0,0 +1,23 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+  operation: "UPDATE"
+  object:
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: nginx-host-filesystem
+      labels:
+        app: nginx-host-filesystem-disallowed
+    spec:
+      containers:
+      - name: nginx
+        image: nginx
+        volumeMounts:
+        - mountPath: /cache
+          name: cache-volume
+          readOnly: true
+      volumes:
+      - name: cache-volume
+        hostPath:
+          path: /tmp # directory location on host
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: host-filesystem
+tests:
+  - name: host-filesystem
+    template: template.yaml
+    constraint: samples/psp-host-filesystem/constraint.yaml
+    cases:
+      - name: example-disallowed
+        object: samples/psp-host-filesystem/example_disallowed.yaml
+        assertions:
+          - violations: yes
+      - name: example-allowed
+        object: samples/psp-host-filesystem/example_allowed.yaml
+        assertions:
+          - violations: no
+      - name: disallowed-ephemeral
+        object: samples/psp-host-filesystem/disallowed_ephemeral.yaml
+        assertions:
+          - violations: yes
+      - name: update
+        object: samples/psp-host-filesystem/update.yaml
+        assertions:
+          - violations: no