feat(cel): refactoring expressions

Signed-off-by: Nicolas Lamirault <[email protected]>

charts/portefaix-cel/templates/policy-C0001.yaml

@@ -56,85 +56,25 @@ spec:
       resources:
       - jobs
       - cronjobs
+  variables:
+    - name: pod_containers
+      expression: object.spec.?initContainers.orValue([]) + object.spec.?containers.orValue([])
+    - name: workload_containers
+      expression: object.spec.template.spec.?initContainers.orValue([]) + object.spec.template.spec.?containers.orValue([])
+    - name: cronjob_containers
+      expression: object.spec.?jobTemplate.spec.template.spec.initContainers.orValue([]) + object.spec.?jobTemplate.spec.template.spec.containers.orValue([])
+    - name: containers
+      expression: variables.pod_containers + variables.workload_containers + variables.cronjob_containers
   validations:
   - expression: >
-      object.kind != 'Pod' ||
-      !(
-        has(object.spec.initContainers) &&
-        object.spec.initContainers.all(container, container.image.contains(':latest'))
-      )
-    message: "Pods contains initcontainer/s image with latest tag"
+      !variables.containers.exists(container, container.image.endsWith(':latest'))
+    message: "Images should not use latest tag"
   - expression: >
-      ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) ||
-      !(
-        has(object.spec.template.spec.initContainers) &&
-        object.spec.template.spec.initContainers.all(container, container.image.contains(':latest'))
-      )
-    message: "Workload contains initcontainer/s image with latest tag"
-  - expression: >
-      object.kind != 'CronJob' ||
-      !(
-        has(object.spec.jobTemplate.spec.template.spec.initContainers) &&
-        object.spec.jobTemplate.spec.template.spec.initContainers.all(container, container.image.contains(':latest'))
-      )
-    message: "CronJob contains initcontainer/s image with latest tag"
-  - expression: >
-      object.kind != 'Pod' ||
-      (
-        object.spec.initContainers.all(container, container.image.matches("[0-9]+\\.[0-9]+\\.[0-9]$"))
-      )
-    message: "Pod contains container/s image without SemVer version"
-  - expression: >
-      ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) ||
-      (
-        object.spec.template.spec.containers.all(container, container.image.matches("[0-9]+\\.[0-9]+\\.[0-9]$"))
-      )
-    message: "Workload contains container/s image without SemVer version"
-  - expression: >
-      object.kind != 'CronJob' ||
-      (
-        object.spec.jobTemplate.spec.template.spec.containers.all(container, container.image.matches("[0-9]+\\.[0-9]+\\.[0-9]$"))
-      )
-    message: "CronJob contains container/s image without SemVer version"
-  - expression: >
-      object.kind != 'Pod' ||
-      !(
-        object.spec.containers.all(container, container.image.contains(':latest'))
-      )
-    message: "Pod contains container/s image with latest tag"
-  - expression: >
-      ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) ||
-      !(
-        object.spec.template.spec.containers.all(container, container.image.contains(':latest'))
-      )
-    message: "Workload contains container/s image with latest tag"
-  - expression: >
-      object.kind != 'CronJob' ||
-      !(
-        object.spec.jobTemplate.spec.template.spec.containers.all(container, container.image.contains(':latest'))
-      )
-    message: "CronJob contains container/s image with latest tag"
-  - expression: >
-      object.kind != 'Pod' ||
-      (
-        object.spec.containers.all(container, container.image.matches("[0-9]+\\.[0-9]+\\.[0-9]$"))
-      )
-    message: "Pod contains container/s image without SemVer version"
-  - expression: >
-      ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) ||
-      (
-        object.spec.template.spec.containers.all(container, container.image.matches("[0-9]+\\.[0-9]+\\.[0-9]$"))
-      )
-    message: "Workload contains container/s image without SemVer version"
-  - expression: >
-      object.kind != 'CronJob' ||
-      (
-        object.spec.jobTemplate.spec.template.spec.containers.all(container, container.image.matches("[0-9]+\\.[0-9]+\\.[0-9]$"))
-      )
-    message: "CronJob contains container/s image without SemVer version"
+      variables.containers.all(container, container.image.matches("[0-9]+\\.[0-9]+\\.[0-9]$"))
+    message: "Images should use semantic versioning"
   auditAnnotations:
   - key: "container-invalid-image-tag"
-    valueExpression: "'Container image must have a SemVer version and not lastest tag'"
+    valueExpression: "'Validation passed, no latest tags and all have semantic versions'"
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding

charts/portefaix-cel/templates/policy-C0002.yaml

@@ -57,25 +57,19 @@ spec:
       resources:
       - jobs
       - cronjobs
+  variables:
+    - name: pod_containers
+      expression: object.spec.?initContainers.orValue([]) + object.spec.?containers.orValue([])
+    - name: workload_containers
+      expression: object.spec.template.spec.?initContainers.orValue([]) + object.spec.template.spec.?containers.orValue([])
+    - name: cronjob_containers
+      expression: object.spec.?jobTemplate.spec.template.spec.initContainers.orValue([]) + object.spec.?jobTemplate.spec.template.spec.containers.orValue([])
+    - name: containers
+      expression: variables.pod_containers + variables.workload_containers + variables.cronjob_containers
   validations:
     - expression: >
-        object.kind != 'Pod' ||
-        (
-          object.spec.containers.all(container, has(container.livenessProbe))"
-        )
-      message: "Pods must have Liveness probe set up"
-    - expression: >
-        ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) ||
-        (
-          object.spec.template.spec.containers.all(container, has(container.livenessProbe))"
-        )
-      message: "Workloads must have Liveness probe set up"
-    - expression: >
-        object.kind != 'CronJob' || 
-        (
-          object.spec.jobTemplate.spec.template.spec.containers.all(container, has(container.livenessProbe))"
-        )
-      message: "CronJob must have Liveness probe set up"
+        variables.containers.all(container, has(container.livenessProbe))"
+      message: "Container must have Liveness probe set up"
   auditAnnotations:
   - key: "container-liveness-probe"
     valueExpression: "'Liveness probe is required'"

charts/portefaix-cel/templates/policy-C0003.yaml

@@ -57,25 +57,19 @@ spec:
       resources:
       - jobs
       - cronjobs
+  variables:
+    - name: pod_containers
+      expression: object.spec.?initContainers.orValue([]) + object.spec.?containers.orValue([])
+    - name: workload_containers
+      expression: object.spec.template.spec.?initContainers.orValue([]) + object.spec.template.spec.?containers.orValue([])
+    - name: cronjob_containers
+      expression: object.spec.?jobTemplate.spec.template.spec.initContainers.orValue([]) + object.spec.?jobTemplate.spec.template.spec.containers.orValue([])
+    - name: containers
+      expression: variables.pod_containers + variables.workload_containers + variables.cronjob_containers
   validations:
-  - expression: >
-      object.kind != 'Pod' ||
-      (
-        object.spec.containers.all(container, has(container.readinessProbe))"
-      )
-    message: "Pods must have Readiness probe set up"
-  - expression: >
-      ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) ||
-      (
-        object.spec.template.spec.containers.all(container, has(container.readinessProbe))"
-      )
-    message: "Workloads must have Readiness probe set up"
-  - expression: >
-      object.kind != 'CronJob' || 
-      (
-        object.spec.jobTemplate.spec.template.spec.containers.all(container, has(container.readinessProbe))"
-      )
-    message: "CronJob must have Readiness probe set up"
+    - expression: >
+        variables.containers.all(container, has(container.readinessProbe))"
+      message: "Container must have Readiness probe set up"
   auditAnnotations:
   - key: "container-readiness-probe"
     valueExpression: "'Readiness probe is required'"

charts/portefaix-cel/templates/policy-C0008.yaml

@@ -57,43 +57,26 @@ spec:
       resources:
       - jobs
       - cronjobs
+  variables:
+    - name: pod_containers
+      expression: object.spec.?initContainers.orValue([]) + object.spec.?containers.orValue([])
+    - name: workload_containers
+      expression: object.spec.template.spec.?initContainers.orValue([]) + object.spec.template.spec.?containers.orValue([])
+    - name: cronjob_containers
+      expression: object.spec.?jobTemplate.spec.template.spec.initContainers.orValue([]) + object.spec.?jobTemplate.spec.template.spec.containers.orValue([])
+    - name: containers
+      expression: variables.pod_containers + variables.workload_containers + variables.cronjob_containers
   validations:
     - expression: >
-        object.kind != 'Pod' ||
-        (
-          object.spec.containers.all(container,
-            has(container.resources) &&
-            has(container.resources.requests) &&
-            has(container.resources.requests.cpu) &&
-            has(container.resources.requests.memory) &&
-            has(container.resources.limits) &&
-            has(container.resources.limits.memory))
+        variables.containers.all(container,
+          has(container.resources) &&
+          has(container.resources.requests) &&
+          has(container.resources.requests.cpu) &&
+          has(container.resources.requests.memory) &&
+          has(container.resources.limits) &&
+          has(container.resources.limits.memory))
         )
-      message: "Pods contains container/s with cpu limit or request not set"
-    - expression: >
-        ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) ||
-        (
-          object.spec.template.spec.containers.all(container,
-            has(container.resources) &&
-            has(container.resources.requests) &&
-            has(container.resources.requests.cpu) &&
-            has(container.resources.requests.memory) &&
-            has(container.resources.limits) &&
-            has(container.resources.limits.memory))
-        )
-      message: "Workload contains container/s with cpu limit or request not set"
-    - expression: >
-        object.kind != 'CronJob' ||
-        (
-          object.spec.jobTemplate.spec.containers.all(container,
-            has(container.resources) &&
-            has(container.resources.requests) &&
-            has(container.resources.requests.cpu) &&
-            has(container.resources.requests.memory) &&
-            has(container.resources.limits) &&
-            has(container.resources.limits.memory))
-        )
-      message: "Cronjob contains container/s with cpu limit or request not set"
+      message: "Container(s) with cpu limit or request not set"
   auditAnnotations:
   - key: "container-resources-requests-limits"
     valueExpression: "CPU and Memory resource requests and limits are required"