From 2162ee41f1186a36c830fe827c926471cd1ac155 Mon Sep 17 00:00:00 2001
From: Mariam Fahmy
Date: Tue, 7 Nov 2023 14:05:34 +0200
Subject: [PATCH] fix: use cel.expression.message instead of validate.message
Signed-off-by: Mariam Fahmy
---
 .../artifacthub-pkg.yml | 2 +-
 .../disallow-capabilities-strict.yaml | 8 ++++++--
 .../artifacthub-pkg.yml | 2 +-
 .../disallow-privilege-escalation.yaml | 15 +++++++++------
 .../artifacthub-pkg.yml | 2 +-
 .../require-run-as-non-root-user.yaml | 17 ++++++++++++-----
 .../artifacthub-pkg.yml | 2 +-
 .../require-run-as-nonroot.yaml | 15 ++++++++++-----
 .../artifacthub-pkg.yml | 2 +-
 .../restrict-seccomp-strict.yaml | 19 ++++++++++++-------
 .../restrict-volume-types/artifacthub-pkg.yml | 2 +-
 .../restrict-volume-types.yaml | 6 +++---
 12 files changed, 58 insertions(+), 34 deletions(-)
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
index 570193093..d08ffc212 100644
--- a/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Pod Security Standards (Restricted)"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: d142cf9eec35920d83f4ec8642b0718bbf99a3648e06dec086d511e798a6e35d
+digest: 60ad5b4ff51fd28a3411cb5bf421eefd20c8e429b20b7230a7f3540798992a98
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml
index 279605f7d..95bf96b0d 100644
--- a/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml
+++ b/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml
@@ -53,8 +53,6 @@ spec:
 kinds:
 - Pod
 validate:
- message: >-
- Any capabilities added other than NET_BIND_SERVICE are disallowed.
 cel:
 expressions:
 - expression: >-
@@ -62,6 +60,8 @@ spec:
 !has(container.securityContext.capabilities) || !has(container.securityContext.capabilities.add) || ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE')))
+ message: >-
+ Any capabilities added other than NET_BIND_SERVICE are disallowed.
 - expression: >-
 !has(object.spec.initContainers) ||
@@ -69,6 +69,8 @@ spec:
 !has(container.securityContext.capabilities) || !has(container.securityContext.capabilities.add) || ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE')))
+ message: >-
+ Any capabilities added other than NET_BIND_SERVICE are disallowed.
 - expression: >-
 !has(object.spec.ephemeralContainers) ||
@@ -76,3 +78,5 @@ spec:
 !has(container.securityContext.capabilities) || !has(container.securityContext.capabilities.add) || ((size(container.securityContext.capabilities.add) == 1) && (container.securityContext.capabilities.add[0] == 'NET_BIND_SERVICE')))
+ message: >-
+ Any capabilities added other than NET_BIND_SERVICE are disallowed.
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
index 7e17fc43b..2162df5d0 100644
--- a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Pod Security Standards (Restricted)"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: 1a2674ff3aa5516b0b416ec91bea68d748050a6d21d46bedaffd21a8f69a1df7
+digest: 5cd9385a1a04963b0d35bb97bf96df95c339ddcf50a463a6aa00aab45a1a4a9d
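Review bot: The three `message` values added under the CEL expressions in this file are word-for-word identical, so a rejected Pod does not tell the user whether the offending `capabilities.add` sits in `spec.containers`, `spec.initContainers` or `spec.ephemeralContainers`; the sibling policies in this patch (disallow-privilege-escalation, require-run-as-non-root-user) name the field per expression. Consider `Any capabilities added to spec.initContainers[*].securityContext.capabilities.add other than NET_BIND_SERVICE are disallowed.` for the second expression and the matching field path for the first and third. Since the first hunk drops the shared `validate.message`, the per-expression text is now the only feedback the user receives. Each expression body begins outside its hunk.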
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
index cf6001d89..c2fe5ceb9 100644
--- a/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
@@ -23,28 +23,31 @@ spec:
 kinds:
 - Pod
 validate:
- message: >-
- Privilege escalation is disallowed. The fields
- spec.containers[*].securityContext.allowPrivilegeEscalation,
- spec.initContainers[*].securityContext.allowPrivilegeEscalation,
- and spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation
- must be set to `false`.
 cel:
 expressions:
 - expression: >-
 object.spec.containers.all(container,
 has(container.securityContext) &&
 has(container.securityContext.allowPrivilegeEscalation) &&
 container.securityContext.allowPrivilegeEscalation == false)
+ message: >-
+ Privilege escalation is disallowed. The field
+ spec.containers[*].securityContext.allowPrivilegeEscalation must be set to `false`.
 - expression: >-
 !has(object.spec.initContainers) ||
 object.spec.initContainers.all(container,
 has(container.securityContext) &&
 has(container.securityContext.allowPrivilegeEscalation) &&
 container.securityContext.allowPrivilegeEscalation == false)
+ message: >-
+ Privilege escalation is disallowed. The field
+ spec.initContainers[*].securityContext.allowPrivilegeEscalation must be set to `false`.
 - expression: >-
 !has(object.spec.ephemeralContainers) ||
 object.spec.ephemeralContainers.all(container,
 has(container.securityContext) &&
 has(container.securityContext.allowPrivilegeEscalation) &&
 container.securityContext.allowPrivilegeEscalation == false)
+ message: >-
+ Privilege escalation is disallowed. The field
+ spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation must be set to `false`.
\ No newline at end of file
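Review bot: The patched file now ends without a trailing newline: the `\ No newline at end of file` marker follows the last added message line, while the old final line (`container.securityContext.allowPrivilegeEscalation == false)`) is shown as unchanged context and therefore still had one. yamllint's `new-line-at-end-of-file` rule flags this, and the next edit that appends to the file will show the message line as modified for no semantic reason. Add the newline after `spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation must be set to \`false\`.` The per-expression messages themselves name exactly the field each expression checks, which is the right shape.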
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
index 13eed5cf0..984a8f285 100644
--- a/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Pod Security Standards (Restricted)"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: d4bdf4d03257fff0dc438a14a0ff3df8b8f4bc02fec15c2d69c602421281811d
+digest: 00cbb639cdee5eadda13bd1716a853e4f499123790a42da00750c2b180986e5f
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
index 02500dcd7..04fc0d972 100644
--- a/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
@@ -23,31 +23,38 @@ spec:
 kinds:
 - Pod
 validate:
- message: >-
- Running as root is not allowed. The fields spec.securityContext.runAsUser,
- spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser,
- and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or
- set to a number greater than zero.
 cel:
 expressions:
 - expression: >-
 !has(object.spec.securityContext) ||
 !has(object.spec.securityContext.runAsUser) ||
 object.spec.securityContext.runAsUser > 0
+ message: >-
+ Running as root is not allowed. The field spec.securityContext.runAsUser must be unset or
+ set to a number greater than zero.
 - expression: >-
 object.spec.containers.all(container,
 !has(container.securityContext) ||
 !has(container.securityContext.runAsUser) ||
 container.securityContext.runAsUser > 0)
+ message: >-
+ Running as root is not allowed. The field spec.containers[*].securityContext.runAsUser must be unset or
+ set to a number greater than zero
 - expression: >-
 !has(object.spec.initContainers) ||
 object.spec.initContainers.all(container,
 !has(container.securityContext) ||
 !has(container.securityContext.runAsUser) ||
 container.securityContext.runAsUser > 0)
+ message: >-
+ Running as root is not allowed. The field spec.initContainers[*].securityContext.runAsUser must be unset or
+ set to a number greater than zero
 - expression: >-
 !has(object.spec.ephemeralContainers) ||
 object.spec.ephemeralContainers.all(container,
 !has(container.securityContext) ||
 !has(container.securityContext.runAsUser) ||
 container.securityContext.runAsUser > 0)
+ message: >-
+ Running as root is not allowed. The field spec.ephemeralContainers[*].securityContext.runAsUser must be unset or
+ set to a number greater than zero
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml
index 375147dcb..72e568880 100644
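Review bot: The three container-level messages end without a period (`set to a number greater than zero`), while the pod-level message and the removed shared text both end with `set to a number greater than zero.`; since these strings are the only output a user sees when the rule rejects a Pod, the punctuation should match across all four. Change the last line of the containers, initContainers and ephemeralContainers messages to `set to a number greater than zero.`. The first content line of each message also runs well past 100 characters; because the scalar is folded (`>-`) it can be broken after `runAsUser` without changing the rendered text.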
--- a/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Pod Security Standards (Restricted)"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: b5e14351175bff55c6856c5d4251808b23144bf6f05be0c5a6b24439879a6913
+digest: eb0261435598813cea36c9084504a3e06bfe5b467a8b981289d3032bddee83ac
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml b/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
index c7c38a801..f91a3fda0 100644
--- a/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
+++ b/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
@@ -24,11 +24,6 @@ spec:
 kinds:
 - Pod
 validate:
- message: >-
- Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
- must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
- spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot
- must be set to `true`.
 cel:
 expressions:
 - expression: >-
@@ -49,6 +44,11 @@ spec:
 object.spec.ephemeralContainers.all(container, !has(container.securityContext) || !has(container.securityContext.runAsNonRoot) || container.securityContext.runAsNonRoot == true))
+ message: >-
+ Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
+ must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
+ spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot
+ must be set to `true`.
 - expression: >-
 has(object.spec.securityContext) ||
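Review bot: Both expressions in this file receive the same five-line message (this hunk and the `@@ -57,3 +57,8 @@` hunk that follows), so the per-expression mechanism the patch introduces does not tell the user which of the two checks failed. Judging by the visible context, the first expression rejects a `runAsNonRoot` that is present and not `true` (`!has(container.securityContext.runAsNonRoot) || container.securityContext.runAsNonRoot == true`), while the second (`has(object.spec.securityContext) || ...`, continuing in the next hunk) requires the field to be present somewhere; a distinct message for the second, for example `Running as root is not allowed. spec.securityContext.runAsNonRoot, or securityContext.runAsNonRoot on every container, initContainer and ephemeralContainer, must be set.`, would separate "field missing" from "field set to false". Both expression bodies extend outside the hunks, so the exact split between them should be confirmed against the full file.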
@@ -57,3 +57,8 @@ spec:
 (!has(object.spec.initContainers) || object.spec.initContainers.all(container, has(container.securityContext) && has(container.securityContext.runAsNonRoot))) && (!has(object.spec.ephemeralContainers) || object.spec.ephemeralContainers.all(container, has(container.securityContext) && has(container.securityContext.runAsNonRoot))))
+ message: >-
+ Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
+ must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
+ spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot
+ must be set to `true`.
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
index c8140bd0d..c2cb3bbe6 100644
--- a/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Pod Security Standards (Restricted)"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: 4cf3da92894bc484aa353e38983fe6641b91a43d70b56fa16ce76bb22a04a7d6
+digest: f3e7aeef4cf853925df877b30910c5b1d6efc43a0b5d666b87f7f8e56b1fe358
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
index 9a0293db0..ba5d790ba 100644
--- a/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
@@ -26,13 +26,6 @@ spec:
 kinds:
 - Pod
 validate:
- message: >-
- Use of custom Seccomp profiles is disallowed. The fields
- spec.securityContext.seccompProfile.type,
- spec.containers[*].securityContext.seccompProfile.type,
- spec.initContainers[*].securityContext.seccompProfile.type, and
- spec.ephemeralContainers[*].securityContext.seccompProfile.type
- must be set to `RuntimeDefault` or `Localhost`.
 cel:
 expressions:
 - expression: >-
@@ -41,6 +34,9 @@ spec:
 !has(object.spec.securityContext.seccompProfile.type) ||
 object.spec.securityContext.seccompProfile.type == 'RuntimeDefault' ||
 object.spec.securityContext.seccompProfile.type == 'Localhost'
+ message: >-
+ Use of custom Seccomp profiles is disallowed. The field
+ spec.securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.
 - expression: >-
 object.spec.containers.all(container,
 !has(container.securityContext) ||
@@ -48,6 +44,9 @@ spec:
 !has(container.securityContext.seccompProfile.type) ||
 container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
 container.securityContext.seccompProfile.type == 'Localhost')
+ message: >-
+ Use of custom Seccomp profiles is disallowed. The field
+ spec.containers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.
 - expression: >-
 !has(object.spec.initContainers) ||
@@ -56,6 +55,9 @@ spec:
 !has(container.securityContext.seccompProfile.type) ||
 container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
 container.securityContext.seccompProfile.type == 'Localhost')
+ message: >-
+ Use of custom Seccomp profiles is disallowed. The field
+ spec.initContainers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.
 - expression: >-
 !has(object.spec.ephemeralContainers) ||
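Review bot: Each added message states that `seccompProfile.type` "must be set to RuntimeDefault or Localhost", but the visible context of every expression (`!has(object.spec.securityContext.seccompProfile.type) ||` in the `@@ -41,6` hunk, `!has(container.securityContext.seccompProfile.type) ||` in the `@@ -48,6`, `@@ -56,6` and following `@@ -64,3` hunks) is an `||` chain that passes when the field is absent, so the wording claims a stricter check than the expression enforces and will confuse anyone who reads the denial and then sees an unset profile admitted. Either reword each message to `If set, spec.containers[*].securityContext.seccompProfile.type must be RuntimeDefault or Localhost.` (and likewise for the other three field paths), or, if an unset profile is meant to be rejected too, the `!has(...)` alternatives in the expressions would have to go, which is outside this change. The expressions begin outside these hunks, so a separate presence check earlier in the file cannot be ruled out from the diff alone.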
@@ -64,3 +66,6 @@ spec:
 !has(container.securityContext.seccompProfile.type) ||
 container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
 container.securityContext.seccompProfile.type == 'Localhost')
+ message: >-
+ Use of custom Seccomp profiles is disallowed. The field
+ spec.ephemeralContainers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.
diff --git a/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml
index 0dd35d251..3153372d3 100644
--- a/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Pod Security Standards (Restricted)"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod,Volume"
-digest: 71ffcf5c417c3c71cfe6e1a1f9a36884683b876bf6ed3f5b9201d69547526583
+digest: 69616bcd897f10ee6a6ee56e3cafa41157dec57051cfc8173636928537721677
diff --git a/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml b/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml
index a7e1c645a..9fb95fb57 100644
--- a/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml
+++ b/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml
@@ -24,9 +24,6 @@ spec:
 kinds:
 - Pod
 validate:
- message: >-
- Only the following types of volumes may be used: configMap, csi, downwardAPI,
- emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.
 cel:
 expressions:
 - expression: >-
@@ -39,3 +36,6 @@ spec:
 has(vol.persistentVolumeClaim) ||
 has(vol.projected) ||
 has(vol.secret))
+ message: >-
+ Only the following types of volumes may be used: configMap, csi, downwardAPI,
+ emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.