-
Notifications
You must be signed in to change notification settings - Fork 320
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: adding cel for psp-privileged-containers (#543)
Fixes #541 Signed-off-by: Jaydip Gabani <[email protected]>
- Loading branch information
1 parent
ba29c0d
commit 4ad966c
Showing
14 changed files
with
457 additions
and
110 deletions.
There are no files selected for viewing
22 changes: 22 additions & 0 deletions
22
artifacthub/library/pod-security-policy/privileged-containers/1.1.0/artifacthub-pkg.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
version: 1.1.0 | ||
name: k8spspprivilegedcontainer | ||
displayName: Privileged Container | ||
createdAt: "2024-06-03T23:35:27Z" | ||
description: Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged | ||
digest: 967e9d9abf48b1686b497dd3e2f3a870b9f5b51c5ab1d837ea0ff680fbfaa7c6 | ||
license: Apache-2.0 | ||
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/privileged-containers | ||
keywords: | ||
- gatekeeper | ||
- open-policy-agent | ||
- policies | ||
readme: |- | ||
# Privileged Container | ||
Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged | ||
install: |- | ||
### Usage | ||
```shell | ||
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/privileged-containers/1.1.0/template.yaml | ||
``` | ||
provider: | ||
name: Gatekeeper Library |
2 changes: 2 additions & 0 deletions
2
artifacthub/library/pod-security-policy/privileged-containers/1.1.0/kustomization.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
resources: | ||
- template.yaml |
10 changes: 10 additions & 0 deletions
10
...urity-policy/privileged-containers/1.1.0/samples/psp-privileged-container/constraint.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
kind: K8sPSPPrivilegedContainer | ||
metadata: | ||
name: psp-privileged-container | ||
spec: | ||
match: | ||
kinds: | ||
- apiGroups: [""] | ||
kinds: ["Pod"] | ||
excludedNamespaces: ["kube-system"] |
12 changes: 12 additions & 0 deletions
12
...cy/privileged-containers/1.1.0/samples/psp-privileged-container/disallowed_ephemeral.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-privileged-disallowed | ||
labels: | ||
app: nginx-privileged | ||
spec: | ||
ephemeralContainers: | ||
- name: nginx | ||
image: nginx | ||
securityContext: | ||
privileged: true |
12 changes: 12 additions & 0 deletions
12
...-policy/privileged-containers/1.1.0/samples/psp-privileged-container/example_allowed.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-privileged-allowed | ||
labels: | ||
app: nginx-privileged | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
securityContext: | ||
privileged: false |
12 changes: 12 additions & 0 deletions
12
...licy/privileged-containers/1.1.0/samples/psp-privileged-container/example_disallowed.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-privileged-disallowed | ||
labels: | ||
app: nginx-privileged | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
securityContext: | ||
privileged: true |
17 changes: 17 additions & 0 deletions
17
...-security-policy/privileged-containers/1.1.0/samples/psp-privileged-container/update.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
kind: AdmissionReview | ||
apiVersion: admission.k8s.io/v1beta1 | ||
request: | ||
operation: "UPDATE" | ||
object: | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-privileged-disallowed | ||
labels: | ||
app: nginx-privileged | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
securityContext: | ||
privileged: true |
25 changes: 25 additions & 0 deletions
25
artifacthub/library/pod-security-policy/privileged-containers/1.1.0/suite.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
kind: Suite | ||
apiVersion: test.gatekeeper.sh/v1alpha1 | ||
metadata: | ||
name: privileged-containers | ||
tests: | ||
- name: privileged-containers-disallowed | ||
template: template.yaml | ||
constraint: samples/psp-privileged-container/constraint.yaml | ||
cases: | ||
- name: example-disallowed | ||
object: samples/psp-privileged-container/example_disallowed.yaml | ||
assertions: | ||
- violations: yes | ||
- name: example-allowed | ||
object: samples/psp-privileged-container/example_allowed.yaml | ||
assertions: | ||
- violations: no | ||
- name: disallowed-ephemeral | ||
object: samples/psp-privileged-container/disallowed_ephemeral.yaml | ||
assertions: | ||
- violations: yes | ||
- name: update | ||
object: samples/psp-privileged-container/update.yaml | ||
assertions: | ||
- violations: no |
126 changes: 126 additions & 0 deletions
126
artifacthub/library/pod-security-policy/privileged-containers/1.1.0/template.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,126 @@ | ||
apiVersion: templates.gatekeeper.sh/v1 | ||
kind: ConstraintTemplate | ||
metadata: | ||
name: k8spspprivilegedcontainer | ||
annotations: | ||
metadata.gatekeeper.sh/title: "Privileged Container" | ||
metadata.gatekeeper.sh/version: 1.1.0 | ||
description: >- | ||
Controls the ability of any container to enable privileged mode. | ||
Corresponds to the `privileged` field in a PodSecurityPolicy. For more | ||
information, see | ||
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged | ||
spec: | ||
crd: | ||
spec: | ||
names: | ||
kind: K8sPSPPrivilegedContainer | ||
validation: | ||
openAPIV3Schema: | ||
type: object | ||
description: >- | ||
Controls the ability of any container to enable privileged mode. | ||
Corresponds to the `privileged` field in a PodSecurityPolicy. For more | ||
information, see | ||
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged | ||
properties: | ||
exemptImages: | ||
description: >- | ||
Any container that uses an image that matches an entry in this list will be excluded | ||
from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`. | ||
It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) | ||
in order to avoid unexpectedly exempting images from an untrusted repository. | ||
type: array | ||
items: | ||
type: string | ||
targets: | ||
- target: admission.k8s.gatekeeper.sh | ||
code: | ||
- engine: K8sNativeValidation | ||
source: | ||
variables: | ||
- name: containers | ||
expression: 'has(variables.anyObject.spec.containers) ? variables.anyObject.spec.containers : []' | ||
- name: initContainers | ||
expression: 'has(variables.anyObject.spec.initContainers) ? variables.anyObject.spec.initContainers : []' | ||
- name: ephemeralContainers | ||
expression: 'has(variables.anyObject.spec.ephemeralContainers) ? variables.anyObject.spec.ephemeralContainers : []' | ||
- name: exemptImagePrefixes | ||
expression: | | ||
!has(variables.params.exemptImages) ? [] : | ||
variables.params.exemptImages.filter(image, image.endsWith("*")).map(image, string(image).replace("*", "")) | ||
- name: exemptImageExplicit | ||
expression: | | ||
!has(variables.params.exemptImages) ? [] : | ||
variables.params.exemptImages.filter(image, !image.endsWith("*")) | ||
- name: exemptImages | ||
expression: | | ||
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, | ||
container.image in variables.exemptImageExplicit || | ||
variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))) | ||
- name: badContainers | ||
expression: | | ||
(variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, | ||
!(container.image in variables.exemptImages) && | ||
(has(container.securityContext) && has(container.securityContext.privileged) && container.securityContext.privileged == true) | ||
).map(container, "Privileged container is not allowed: " + container.name +", securityContext: " + container.securityContext) | ||
validations: | ||
- expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badContainers) == 0' | ||
messageExpression: 'variables.badContainers.join("\n")' | ||
- engine: Rego | ||
source: | ||
rego: | | ||
package k8spspprivileged | ||
import data.lib.exclude_update.is_update | ||
import data.lib.exempt_container.is_exempt | ||
violation[{"msg": msg, "details": {}}] { | ||
# spec.containers.privileged field is immutable. | ||
not is_update(input.review) | ||
c := input_containers[_] | ||
not is_exempt(c) | ||
c.securityContext.privileged | ||
msg := sprintf("Privileged container is not allowed: %v, securityContext: %v", [c.name, c.securityContext]) | ||
} | ||
input_containers[c] { | ||
c := input.review.object.spec.containers[_] | ||
} | ||
input_containers[c] { | ||
c := input.review.object.spec.initContainers[_] | ||
} | ||
input_containers[c] { | ||
c := input.review.object.spec.ephemeralContainers[_] | ||
} | ||
libs: | ||
- | | ||
package lib.exclude_update | ||
is_update(review) { | ||
review.operation == "UPDATE" | ||
} | ||
- | | ||
package lib.exempt_container | ||
is_exempt(container) { | ||
exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) | ||
img := container.image | ||
exemption := exempt_images[_] | ||
_matches_exemption(img, exemption) | ||
} | ||
_matches_exemption(img, exemption) { | ||
not endswith(exemption, "*") | ||
exemption == img | ||
} | ||
_matches_exemption(img, exemption) { | ||
endswith(exemption, "*") | ||
prefix := trim_suffix(exemption, "*") | ||
startswith(img, prefix) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.