Merge branch 'main' into simplify-cel-host-ports
JimBugwadia authored Aug 26, 2024
2 parents 31c9844 + 6a8795c commit a50b82a
Showing 18 changed files with 87 additions and 231 deletions.
Expand Up @@ -19,5 +19,5 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline) in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: e5f9cbb8246d36347c0fe62768e6b62b6b323efb7dd1ac60bc8c220e641220fb
createdAt: "2023-12-03T00:22:33Z"
digest: 581bbe2061d08871889e18bc5a6f58102da467d4fa164084970d96ab2ef3c202
createdAt: "2024-08-21T00:22:33Z"
Expand Up @@ -26,38 +26,16 @@ spec:
- UPDATE
validate:
cel:
variables:
- name: allowedCapabilities
expression: "['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT']"
- name: allContainers
expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
expressions:
- expression: >-
object.spec.containers.all(container,
!has(container.securityContext) ||
!has(container.securityContext.capabilities) ||
!has(container.securityContext.capabilities.add) ||
container.securityContext.capabilities.add.all(capability,
['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability)))
message: >-
Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
are disallowed.
- expression: >-
!has(object.spec.initContainers) ||
object.spec.initContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.capabilities) ||
!has(container.securityContext.capabilities.add) ||
container.securityContext.capabilities.add.all(capability,
['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability)))
message: >-
Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
are disallowed.
- expression: >-
!has(object.spec.ephemeralContainers) ||
object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.capabilities) ||
!has(container.securityContext.capabilities.add) ||
container.securityContext.capabilities.add.all(capability,
['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability)))
variables.allContainers.all(container,
container.?securityContext.?capabilities.?add.orValue([]).all(capability, capability == '' ||
capability in variables.allowedCapabilities))
message: >-
Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
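Review bot: The `capability == '' ||` clause in the rewritten expression admits an empty-string capability that the three removed per-container expressions rejected, since `''` is not in `allowedCapabilities`; if this is a deliberate workaround for how empty list entries evaluate, a YAML comment above the expression should say so, otherwise `.all(capability, capability in variables.allowedCapabilities)` keeps the previous semantics. The message block still hard-codes the same list that the new `allowedCapabilities` variable holds, so the two can drift; a comment such as `# keep in sync with variables.allowedCapabilities` on the message would help. The `allContainers` variable here, and in the privileged and procMount hunks further down, uses the `has(...) ? ... : []` ternary while the hostPorts hunk uses `object.spec.?initContainers.orValue([])`; the forms are equivalent, but one form across the set would read better. The message block appears to continue below the end of the hunk.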
Expand Up @@ -19,5 +19,5 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline) in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: c57ee3440401887541c2d97727fc268d5cd9eb47faf00bea2f0ca738caffe483
createdAt: "2023-12-03T00:22:34Z"
digest: 52a739e283afddd9c023a5d0b0d8822008a2923f7c0b5544a43cb76540c2c1f9
createdAt: "2024-08-21T00:22:34Z"
Expand Up @@ -31,9 +31,9 @@ spec:
cel:
expressions:
- expression: >-
(!has(object.spec.hostNetwork) || object.spec.hostNetwork == false) &&
(!has(object.spec.hostIPC) || object.spec.hostIPC == false) &&
(!has(object.spec.hostPID) || object.spec.hostPID == false)
( object.spec.?hostNetwork.orValue(false) == false) &&
( object.spec.?hostIPC.orValue(false) == false) &&
( object.spec.?hostPID.orValue(false) == false)
message: >-
Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
spec.hostIPC, and spec.hostPID must be unset or set to `false`.
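Review bot: The three rewritten lines carry a stray space after the opening parenthesis, `( object.spec.?hostNetwork.orValue(false) == false)`, which does not match the spacing used elsewhere in this commit; `!object.spec.?hostNetwork.orValue(false)` (and likewise for hostIPC and hostPID) expresses the same check without the parentheses or the `== false` comparison. The semantics are otherwise unchanged from the `!has(...) || ... == false` form being replaced, since an unset field and an explicit `false` both evaluate to `false`.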
Expand Up @@ -19,5 +19,5 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline)"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod,Volume"
digest: 7a78c73a64e61e91876d3ee30c99e1b39774ec885e881f4ffa0be11713710031
createdAt: "2023-12-03T00:22:34Z"
digest: e03e92172513193882011b17c9bf4d66af1637a280c0cd6d696db580eea06558
createdAt: "2024-08-21T00:22:34Z"
Expand Up @@ -29,5 +29,5 @@ spec:
validate:
cel:
expressions:
- expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"
- expression: "object.spec.?volumes.orValue([]).all(volume, size(volume) == 0 || !has(volume.hostPath))"
message: "HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset"
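Review bot: The `size(volume) == 0 ||` guard in the new expression looks redundant: `has(volume.hostPath)` already evaluates to false for an empty map, and the API server requires every volume entry to carry a `name`, so an empty entry does not reach the policy. If it is a workaround for a known evaluation quirk in this engine, a YAML comment above the expression should record that; otherwise `object.spec.?volumes.orValue([]).all(volume, !has(volume.hostPath))` is the clearer form.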
Expand Up @@ -19,5 +19,5 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline) in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: e48d0f138fc501b4cc8726d2bc56dae5f0230b155744ea36eb08dfd5e51d823b
createdAt: "2023-12-03T00:22:34Z"
digest: 22f1d93a44d6e62c3329f6609e46b92729549be08cb157b7c1f11581527c4d48
createdAt: "2024-08-21T00:22:34Z"
Expand Up @@ -29,23 +29,18 @@ spec:
- UPDATE
validate:
cel:
cel:
variables:
- name: allContainers
expression: >-
object.spec.containers +
object.spec.?initContainers.orValue([]) +
object.spec.?ephemeralContainers.orValue([])
expressions:
- expression: >-
object.spec.containers.all(container, !has(container.ports) ||
container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000)))
message: >-
The only permitted hostPorts are in the range 5000-6000.
- expression: >-
!has(object.spec.initContainers) ||
object.spec.initContainers.all(container, !has(container.ports) ||
container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000)))
message: >-
The only permitted hostPorts are in the range 5000-6000.
- expression: >-
!has(object.spec.ephemeralContainers) ||
object.spec.ephemeralContainers.all(container, !has(container.ports) ||
container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000)))
variables.allContainers.all(container,
container.?ports.orValue([]).all(port,
size(port) == 0 ||
!has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000) ))
message: >-
The only permitted hostPorts are in the range 5000-6000.
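Review bot: The new side of this hunk has `cel:` on two consecutive lines (the context line and the added line directly under it), so the resulting document is either a duplicate mapping key or a `cel.cel` nesting that the policy schema does not define and that would leave `variables.allContainers` unresolved for the expression; the added `cel:` line should be dropped unless the rendering has lost an indentation change that makes it something else. The `size(port) == 0 ||` guard mirrors the one in the hostPath hunk: `has(port.hostPort)` already handles an empty port entry, and a port entry without `containerPort` is rejected by the API server before the policy runs, so the guard can go or be explained in a comment.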
Expand Up @@ -19,5 +19,5 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline) in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: 6ef6ef12ea3680c1d610f056ed163539debdf195bed4a3ab688599d7dfaf82e8
createdAt: "2023-12-03T00:22:34Z"
digest: 87d401d722951d3382e4848ee597448ad3a3504749000a57ba89f7a3acd17ba7
createdAt: "2024-08-21T00:22:34Z"
Expand Up @@ -28,29 +28,9 @@ spec:
- UPDATE
validate:
cel:
variables:
- name: allContainers
expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
expressions:
- expression: >-
object.spec.containers.all(container, !has(container.securityContext) ||
!has(container.securityContext.privileged) ||
container.securityContext.privileged == false)
message: >-
Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
must be unset or set to `false`.
- expression: >-
!has(object.spec.initContainers) ||
object.spec.initContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.privileged) ||
container.securityContext.privileged == false)
message: >-
Privileged mode is disallowed. The fields spec.initContainers[*].securityContext.privileged
must be unset or set to `false`.
- expression: >-
!has(object.spec.ephemeralContainers) ||
object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.privileged) ||
container.securityContext.privileged == false)
message: >-
Privileged mode is disallowed. The fields spec.ephemeralContainers[*].securityContext.privileged
must be unset or set to `false`.
- expression: "variables.allContainers.all(container, container.?securityContext.?privileged.orValue(false) == false)"
message: "Privileged mode is disallowed. All containers must set the securityContext.privileged field to `false` or unset the field."
Expand Up @@ -19,5 +19,5 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline) in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: b836600d6ae7f490ba39f55df45fa599c88a5c76386ee6faf8a6609ff626179b
createdAt: "2023-12-03T00:22:33Z"
digest: e75db214f9179242625089686a02094d9dbf9ded059b1e71ff909aa0b582b1a5
createdAt: "2024-08-21T00:22:33Z"
Expand Up @@ -30,29 +30,9 @@ spec:
- UPDATE
validate:
cel:
variables:
- name: allContainers
expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
expressions:
- expression: >-
object.spec.containers.all(container, !has(container.securityContext) ||
!has(container.securityContext.procMount) ||
container.securityContext.procMount == 'Default')
message: >-
Changing the proc mount from the default is not allowed. The field
spec.containers[*].securityContext.procMount must be unset or set to `Default`.
- expression: >-
!has(object.spec.initContainers) ||
object.spec.initContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.procMount) ||
container.securityContext.procMount == 'Default')
message: >-
Changing the proc mount from the default is not allowed. The field
spec.initContainers[*].securityContext.procMount must be unset or set to `Default`.
- expression: >-
!has(object.spec.ephemeralContainers) ||
object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.procMount) ||
container.securityContext.procMount == 'Default')
message: >-
Changing the proc mount from the default is not allowed. The field
spec.ephemeralContainers[*].securityContext.procMount must be unset or set to `Default`.
- expression: "variables.allContainers.all(container, container.?securityContext.?procMount.orValue('Default') == 'Default')"
message: "Changing the proc mount from the default is not allowed."
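Review bot: The replacement message on the last line drops the field path that the three removed messages carried, so a user whose pod is rejected no longer learns which field to change. Appending a sentence such as `The field securityContext.procMount on every container must be unset or set to Default.` keeps the guidance while staying container-type agnostic, matching the wording chosen for the privileged policy in this commit. The expression itself is equivalent to the removed ones, since an unset procMount defaults to `'Default'` via `orValue`.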
Expand Up @@ -19,5 +19,5 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline) in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: d842a1741805d9480e9a571a80117f4e2c6210b0d984d1c22e54545c3df9dd0d
digest: 03aa7b1e6017f42e75639c61a6593e1ac241ba1f158b72eaa8751c60b6c9d0f5
createdAt: "2023-12-03T00:22:33Z"