fix: use cel.expression.message instead of validate.message

Signed-off-by: Mariam Fahmy <[email protected]>
kyverno · Nov 7, 2023 · 2162ee4 · 2162ee4
1 parent fa0ab9b
commit 2162ee4
Show file tree

Hide file tree

Showing 12 changed files with 58 additions and 34 deletions.
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Pod Security Standards (Restricted)"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: d142cf9eec35920d83f4ec8642b0718bbf99a3648e06dec086d511e798a6e35d
+digest: 60ad5b4ff51fd28a3411cb5bf421eefd20c8e429b20b7230a7f3540798992a98
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml
@@ -53,26 +53,30 @@ spec:
             kinds:
               - Pod
       validate:
-        message: >-
-          Any capabilities added other than NET_BIND_SERVICE are disallowed.
         cel:
           expressions:
           - expression: >- 
               object.spec.containers.all(container, !has(container.securityContext) ||
               !has(container.securityContext.capabilities) ||
               !has(container.securityContext.capabilities.add) ||
               ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE')))
+            message: >-
+              Any capabilities added other than NET_BIND_SERVICE are disallowed.
     
           - expression: >- 
               !has(object.spec.initContainers) ||
               object.spec.initContainers.all(container, !has(container.securityContext) ||
               !has(container.securityContext.capabilities) ||
               !has(container.securityContext.capabilities.add) ||
               ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE')))
+            message: >-
+              Any capabilities added other than NET_BIND_SERVICE are disallowed.
           
           - expression: >- 
               !has(object.spec.ephemeralContainers) ||
               object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
               !has(container.securityContext.capabilities) ||
               !has(container.securityContext.capabilities.add) ||
               ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE')))
+            message: >-
+              Any capabilities added other than NET_BIND_SERVICE are disallowed.
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Pod Security Standards (Restricted)"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: 1a2674ff3aa5516b0b416ec91bea68d748050a6d21d46bedaffd21a8f69a1df7
+digest: 5cd9385a1a04963b0d35bb97bf96df95c339ddcf50a463a6aa00aab45a1a4a9d
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
@@ -23,28 +23,31 @@ spec:
             kinds:
               - Pod
       validate:
-        message: >-
-          Privilege escalation is disallowed. The fields
-          spec.containers[*].securityContext.allowPrivilegeEscalation,
-          spec.initContainers[*].securityContext.allowPrivilegeEscalation,
-          and spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation
-          must be set to `false`.
         cel:
           expressions:
             - expression: >- 
                 object.spec.containers.all(container, has(container.securityContext) &&
                 has(container.securityContext.allowPrivilegeEscalation) &&
                 container.securityContext.allowPrivilegeEscalation == false)
+              message: >-
+                Privilege escalation is disallowed. The field
+                spec.containers[*].securityContext.allowPrivilegeEscalation must be set to `false`.
 
             - expression: >- 
                 !has(object.spec.initContainers) ||
                 object.spec.initContainers.all(container, has(container.securityContext) &&
                 has(container.securityContext.allowPrivilegeEscalation) &&
                 container.securityContext.allowPrivilegeEscalation == false)
+              message: >-
+                Privilege escalation is disallowed. The field
+                spec.initContainers[*].securityContext.allowPrivilegeEscalation must be set to `false`.
 
             - expression: >- 
                 !has(object.spec.ephemeralContainers) ||
                 object.spec.ephemeralContainers.all(container, has(container.securityContext) &&
                 has(container.securityContext.allowPrivilegeEscalation) &&
                 container.securityContext.allowPrivilegeEscalation == false)
+              message: >-
+                Privilege escalation is disallowed. The field
+                spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation must be set to `false`.
                    
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Pod Security Standards (Restricted)"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: d4bdf4d03257fff0dc438a14a0ff3df8b8f4bc02fec15c2d69c602421281811d
+digest: 00cbb639cdee5eadda13bd1716a853e4f499123790a42da00750c2b180986e5f
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
@@ -23,31 +23,38 @@ spec:
             kinds:
               - Pod
       validate:
-        message: >-
-          Running as root is not allowed. The fields spec.securityContext.runAsUser,
-          spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser,
-          and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or
-          set to a number greater than zero.
         cel:
           expressions:
             - expression: >-
                 !has(object.spec.securityContext) ||
                 !has(object.spec.securityContext.runAsUser) ||
                 object.spec.securityContext.runAsUser > 0
+              message: >-
+                Running as root is not allowed. The field spec.securityContext.runAsUser must be unset or
+                set to a number greater than zero.
 
             - expression: >-
                 object.spec.containers.all(container, !has(container.securityContext) ||
                 !has(container.securityContext.runAsUser) ||
                 container.securityContext.runAsUser > 0)
+              message: >-
+                Running as root is not allowed. The field spec.containers[*].securityContext.runAsUser must be unset or
+                set to a number greater than zero
 
             - expression: >-
                 !has(object.spec.initContainers) ||
                 object.spec.initContainers.all(container, !has(container.securityContext) ||
                 !has(container.securityContext.runAsUser) ||
                 container.securityContext.runAsUser > 0)
+              message: >-
+                Running as root is not allowed. The field spec.initContainers[*].securityContext.runAsUser must be unset or
+                set to a number greater than zero
 
             - expression: >-
                 !has(object.spec.ephemeralContainers) ||
                 object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
                 !has(container.securityContext.runAsUser) ||
                 container.securityContext.runAsUser > 0)
+              message: >-
+                Running as root is not allowed. The field spec.ephemeralContainers[*].securityContext.runAsUser must be unset or
+                set to a number greater than zero
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Pod Security Standards (Restricted)"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: b5e14351175bff55c6856c5d4251808b23144bf6f05be0c5a6b24439879a6913
+digest: eb0261435598813cea36c9084504a3e06bfe5b467a8b981289d3032bddee83ac
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml b/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
@@ -24,11 +24,6 @@ spec:
             kinds:
               - Pod
       validate:
-        message: >-
-          Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
-          must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
-          spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot
-          must be set to `true`.
         cel:
           expressions:
             - expression: >- 
@@ -49,6 +44,11 @@ spec:
                 object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
                 !has(container.securityContext.runAsNonRoot) ||
                 container.securityContext.runAsNonRoot == true))
+              message: >-
+                Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
+                must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
+                spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot
+                must be set to `true`.
     
             - expression: >- 
                 has(object.spec.securityContext) || 
@@ -57,3 +57,8 @@ spec:
                 (!has(object.spec.initContainers) || object.spec.initContainers.all(container, has(container.securityContext) && has(container.securityContext.runAsNonRoot)))
                 &&
                 (!has(object.spec.ephemeralContainers) || object.spec.ephemeralContainers.all(container, has(container.securityContext) && has(container.securityContext.runAsNonRoot))))
+              message: >-
+                Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
+                must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
+                spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot
+                must be set to `true`.
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Pod Security Standards (Restricted)"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: 4cf3da92894bc484aa353e38983fe6641b91a43d70b56fa16ce76bb22a04a7d6
+digest: f3e7aeef4cf853925df877b30910c5b1d6efc43a0b5d666b87f7f8e56b1fe358
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
@@ -26,13 +26,6 @@ spec:
             kinds:
               - Pod
       validate:
-        message: >-
-          Use of custom Seccomp profiles is disallowed. The fields
-          spec.securityContext.seccompProfile.type,
-          spec.containers[*].securityContext.seccompProfile.type,
-          spec.initContainers[*].securityContext.seccompProfile.type, and
-          spec.ephemeralContainers[*].securityContext.seccompProfile.type
-          must be set to `RuntimeDefault` or `Localhost`.
         cel:
           expressions:
             - expression: >- 
@@ -41,13 +34,19 @@ spec:
                 !has(object.spec.securityContext.seccompProfile.type) ||
                 object.spec.securityContext.seccompProfile.type == 'RuntimeDefault' ||
                 object.spec.securityContext.seccompProfile.type == 'Localhost'
+              message: >-
+                Use of custom Seccomp profiles is disallowed. The field
+                spec.securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.
       
             - expression: >- 
                 object.spec.containers.all(container, !has(container.securityContext) ||
                 !has(container.securityContext.seccompProfile) ||
                 !has(container.securityContext.seccompProfile.type) ||
                 container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
                 container.securityContext.seccompProfile.type == 'Localhost')
+              message: >-
+                Use of custom Seccomp profiles is disallowed. The field
+                spec.containers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.
               
             - expression: >- 
                 !has(object.spec.initContainers) ||
@@ -56,6 +55,9 @@ spec:
                 !has(container.securityContext.seccompProfile.type) ||
                 container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
                 container.securityContext.seccompProfile.type == 'Localhost')
+              message: >-
+                Use of custom Seccomp profiles is disallowed. The field
+                spec.initContainers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.
 
             - expression: >- 
                 !has(object.spec.ephemeralContainers) ||
@@ -64,3 +66,6 @@ spec:
                 !has(container.securityContext.seccompProfile.type) ||
                 container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
                 container.securityContext.seccompProfile.type == 'Localhost')
+              message: >-
+                Use of custom Seccomp profiles is disallowed. The field
+                spec.ephemeralContainers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.
diff --git a/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Pod Security Standards (Restricted)"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod,Volume"
-digest: 71ffcf5c417c3c71cfe6e1a1f9a36884683b876bf6ed3f5b9201d69547526583
+digest: 69616bcd897f10ee6a6ee56e3cafa41157dec57051cfc8173636928537721677
diff --git a/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml b/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml
@@ -24,9 +24,6 @@ spec:
             kinds:
               - Pod
       validate:
-        message: >-
-          Only the following types of volumes may be used: configMap, csi, downwardAPI,
-          emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.
         cel: 
           expressions:
             - expression: >- 
@@ -39,3 +36,6 @@ spec:
                 has(vol.persistentVolumeClaim) ||
                 has(vol.projected) ||
                 has(vol.secret))
+              message: >-
+                Only the following types of volumes may be used: configMap, csi, downwardAPI,
+                emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.