convert disallow-helm-tiller to cel

Signed-off-by: Chandan-DK <[email protected]>
kyverno · Mar 8, 2024 · 2908df9 · 2908df9
1 parent c0b203a
commit 2908df9
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 16 deletions.
diff --git a/best-practices-cel/disallow-helm-tiller/artifacthub-pkg.yml b/best-practices-cel/disallow-helm-tiller/artifacthub-pkg.yml
@@ -1,21 +1,23 @@
-name: disallow-helm-tiller
+name: disallow-helm-tiller-cel
 version: 1.0.0
-displayName: Disallow Helm Tiller
-createdAt: "2023-04-10T19:47:15.000Z"
+displayName: Disallow Helm Tiller in CEL expressions
 description: >-
   Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as restricted users can impact other users. It is recommend to use Helm v3+ which does not contain Tiller for these reasons. This policy validates that there is not an image containing the name `tiller`.
 install: |-
   ```shell
-  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/disallow-helm-tiller/disallow-helm-tiller.yaml
   ```
 keywords:
   - kyverno
   - Sample
+  - CEL Expressions
 readme: |
   Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as restricted users can impact other users. It is recommend to use Helm v3+ which does not contain Tiller for these reasons. This policy validates that there is not an image containing the name `tiller`.
   
   Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 annotations:
-  kyverno/category: "Sample"
+  kyverno/category: "Sample in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: 6de64a4a8d611c250dc0190b28b6c757db531063161531e4f68202c0fbda5be4
+digest: 68bd8e1cf068759dc436032f3bcb1204992b84ba33498ffd76b744329976769e
+createdAt: "2024-03-08T06:30:37Z"
diff --git a/best-practices-cel/disallow-helm-tiller/disallow-helm-tiller.yaml b/best-practices-cel/disallow-helm-tiller/disallow-helm-tiller.yaml
@@ -3,9 +3,10 @@ kind: ClusterPolicy
 metadata:
   name: disallow-helm-tiller
   annotations:
-    policies.kyverno.io/title: Disallow Helm Tiller
-    policies.kyverno.io/category: Sample
-    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/title: Disallow Helm Tiller in CEL expressions
+    policies.kyverno.io/category: Sample in CEL 
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
@@ -15,7 +16,7 @@ metadata:
       Tiller for these reasons. This policy validates that there is not an image
       containing the name `tiller`.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
     - name: validate-helm-tiller
@@ -25,9 +26,8 @@ spec:
             kinds:
               - Pod
       validate:
-        message: "Helm Tiller is not allowed"
-        pattern:
-          spec:
-            containers:
-              - name: "*"
-                image: "!*tiller*"
+        cel:
+          expressions:
+            - expression: "object.spec.containers.all(container, !container.image.contains('tiller'))"
+              message: "Helm Tiller is not allowed"
+