From e66a61aff9f75e8497a41890e10d8c5078b6cdb0 Mon Sep 17 00:00:00 2001 From: Ekambaram Pasham Date: Tue, 27 Aug 2024 03:13:20 +0530 Subject: [PATCH 1/2] Simplified CEL Expressions for Pod Security (CEL) Baseline policies (#1129) * disallow-privileged-containers policy is simplified Signed-off-by: epasham * digest value is updated in artifacthub-pkg Signed-off-by: epasham * disallow-capabilities policy is simplified Signed-off-by: epasham * digest value is updated Signed-off-by: epasham * disallow-proc-mount policy is simplified Signed-off-by: epasham * disallow-host-namespaces policy is simplified Signed-off-by: epasham * disallow-host-path is updated Signed-off-by: epasham * disallow-host-ports-range policy is simplified Signed-off-by: epasham * removed duplicate digest Signed-off-by: epasham * removed duplicate digest from artifact pkg file Signed-off-by: epasham * restrict-seccomp policy is simplified Signed-off-by: epasham * restrict-sysctls policy is simplified Signed-off-by: epasham --------- Signed-off-by: epasham Co-authored-by: epasham --- .../disallow-capabilities/artifacthub-pkg.yml | 4 +- .../disallow-capabilities.yaml | 38 ++++----------- .../artifacthub-pkg.yml | 4 +- .../disallow-host-namespaces.yaml | 6 +-- .../disallow-host-path/artifacthub-pkg.yml | 4 +- .../disallow-host-path.yaml | 2 +- .../artifacthub-pkg.yml | 4 +- .../disallow-host-ports-range.yaml | 27 +++++------ .../artifacthub-pkg.yml | 4 +- .../disallow-privileged-containers.yaml | 30 ++---------- .../disallow-proc-mount/artifacthub-pkg.yml | 4 +- .../disallow-proc-mount.yaml | 30 ++---------- .../restrict-seccomp/artifacthub-pkg.yml | 4 +- .../restrict-seccomp/restrict-seccomp.yaml | 47 ++++--------------- .../restrict-sysctls/artifacthub-pkg.yml | 4 +- .../restrict-sysctls/restrict-sysctls.yaml | 13 ++--- 16 files changed, 64 insertions(+), 161 deletions(-) diff --git a/pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml index 7d4f6bd83..e1b03f650 100644 --- a/pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: e5f9cbb8246d36347c0fe62768e6b62b6b323efb7dd1ac60bc8c220e641220fb -createdAt: "2023-12-03T00:22:33Z" +digest: 581bbe2061d08871889e18bc5a6f58102da467d4fa164084970d96ab2ef3c202 +createdAt: "2024-08-21T00:22:33Z" diff --git a/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml b/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml index 3084fec43..b423f426b 100644 --- a/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml +++ b/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml @@ -26,38 +26,16 @@ spec: - UPDATE validate: cel: + variables: + - name: allowedCapabilities + expression: "['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT']" + - name: allContainers + expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" expressions: - expression: >- - object.spec.containers.all(container, - !has(container.securityContext) || - !has(container.securityContext.capabilities) || - !has(container.securityContext.capabilities.add) || - container.securityContext.capabilities.add.all(capability, - ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability))) - message: >- - Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, - FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) - are disallowed. - - - expression: >- - !has(object.spec.initContainers) || - object.spec.initContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.capabilities) || - !has(container.securityContext.capabilities.add) || - container.securityContext.capabilities.add.all(capability, - ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability))) - message: >- - Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, - FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) - are disallowed. - - - expression: >- - !has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.capabilities) || - !has(container.securityContext.capabilities.add) || - container.securityContext.capabilities.add.all(capability, - ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability))) + variables.allContainers.all(container, + container.?securityContext.?capabilities.?add.orValue([]).all(capability, capability == '' || + capability in variables.allowedCapabilities)) message: >- Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) diff --git a/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml index 3bc6ebf30..ede51bb0e 100644 --- a/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: c57ee3440401887541c2d97727fc268d5cd9eb47faf00bea2f0ca738caffe483 -createdAt: "2023-12-03T00:22:34Z" +digest: 52a739e283afddd9c023a5d0b0d8822008a2923f7c0b5544a43cb76540c2c1f9 +createdAt: "2024-08-21T00:22:34Z" diff --git a/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml b/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml index d3ac68ac1..2fafe9e33 100644 --- a/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml +++ b/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml @@ -31,9 +31,9 @@ spec: cel: expressions: - expression: >- - (!has(object.spec.hostNetwork) || object.spec.hostNetwork == false) && - (!has(object.spec.hostIPC) || object.spec.hostIPC == false) && - (!has(object.spec.hostPID) || object.spec.hostPID == false) + ( object.spec.?hostNetwork.orValue(false) == false) && + ( object.spec.?hostIPC.orValue(false) == false) && + ( object.spec.?hostPID.orValue(false) == false) message: >- Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must be unset or set to `false`. diff --git a/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml index 522af9210..88c0ff710 100644 --- a/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline)" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod,Volume" -digest: 7a78c73a64e61e91876d3ee30c99e1b39774ec885e881f4ffa0be11713710031 -createdAt: "2023-12-03T00:22:34Z" +digest: e03e92172513193882011b17c9bf4d66af1637a280c0cd6d696db580eea06558 +createdAt: "2024-08-21T00:22:34Z" diff --git a/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml b/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml index 58bb7109c..faa358038 100644 --- a/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml +++ b/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml @@ -29,5 +29,5 @@ spec: validate: cel: expressions: - - expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))" + - expression: "object.spec.?volumes.orValue([]).all(volume, size(volume) == 0 || !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset" diff --git a/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml index 300feec3e..d5c83c72c 100644 --- a/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: e48d0f138fc501b4cc8726d2bc56dae5f0230b155744ea36eb08dfd5e51d823b -createdAt: "2023-12-03T00:22:34Z" +digest: 22f1d93a44d6e62c3329f6609e46b92729549be08cb157b7c1f11581527c4d48 +createdAt: "2024-08-21T00:22:34Z" diff --git a/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml b/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml index d64e350a7..b67269271 100644 --- a/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml +++ b/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml @@ -29,23 +29,18 @@ spec: - UPDATE validate: cel: + cel: + variables: + - name: allContainers + expression: >- + object.spec.containers + + object.spec.?initContainers.orValue([]) + + object.spec.?ephemeralContainers.orValue([]) expressions: - expression: >- - object.spec.containers.all(container, !has(container.ports) || - container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000))) - message: >- - The only permitted hostPorts are in the range 5000-6000. - - - expression: >- - !has(object.spec.initContainers) || - object.spec.initContainers.all(container, !has(container.ports) || - container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000))) - message: >- - The only permitted hostPorts are in the range 5000-6000. - - - expression: >- - !has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, !has(container.ports) || - container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000))) + variables.allContainers.all(container, + container.?ports.orValue([]).all(port, + size(port) == 0 || + !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000) )) message: >- The only permitted hostPorts are in the range 5000-6000. diff --git a/pod-security-cel/baseline/disallow-privileged-containers/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-privileged-containers/artifacthub-pkg.yml index d51943d7e..346873cc6 100644 --- a/pod-security-cel/baseline/disallow-privileged-containers/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-privileged-containers/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 6ef6ef12ea3680c1d610f056ed163539debdf195bed4a3ab688599d7dfaf82e8 -createdAt: "2023-12-03T00:22:34Z" +digest: 87d401d722951d3382e4848ee597448ad3a3504749000a57ba89f7a3acd17ba7 +createdAt: "2024-08-21T00:22:34Z" diff --git a/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml b/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml index df67481c9..5046692e4 100644 --- a/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml +++ b/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml @@ -28,29 +28,9 @@ spec: - UPDATE validate: cel: + variables: + - name: allContainers + expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" expressions: - - expression: >- - object.spec.containers.all(container, !has(container.securityContext) || - !has(container.securityContext.privileged) || - container.securityContext.privileged == false) - message: >- - Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged - must be unset or set to `false`. - - - expression: >- - !has(object.spec.initContainers) || - object.spec.initContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.privileged) || - container.securityContext.privileged == false) - message: >- - Privileged mode is disallowed. The fields spec.initContainers[*].securityContext.privileged - must be unset or set to `false`. - - - expression: >- - !has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.privileged) || - container.securityContext.privileged == false) - message: >- - Privileged mode is disallowed. The fields spec.ephemeralContainers[*].securityContext.privileged - must be unset or set to `false`. + - expression: "variables.allContainers.all(container, container.?securityContext.?privileged.orValue(false) == false)" + message: "Privileged mode is disallowed. All containers must set the securityContext.privileged field to `false` or unset the field." diff --git a/pod-security-cel/baseline/disallow-proc-mount/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-proc-mount/artifacthub-pkg.yml index 8ee2a461b..92e3f88d3 100644 --- a/pod-security-cel/baseline/disallow-proc-mount/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-proc-mount/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: b836600d6ae7f490ba39f55df45fa599c88a5c76386ee6faf8a6609ff626179b -createdAt: "2023-12-03T00:22:33Z" +digest: e75db214f9179242625089686a02094d9dbf9ded059b1e71ff909aa0b582b1a5 +createdAt: "2024-08-21T00:22:33Z" diff --git a/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml b/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml index 42dbbcf9e..6b12ea58d 100644 --- a/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml +++ b/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml @@ -30,29 +30,9 @@ spec: - UPDATE validate: cel: + variables: + - name: allContainers + expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" expressions: - - expression: >- - object.spec.containers.all(container, !has(container.securityContext) || - !has(container.securityContext.procMount) || - container.securityContext.procMount == 'Default') - message: >- - Changing the proc mount from the default is not allowed. The field - spec.containers[*].securityContext.procMount must be unset or set to `Default`. - - - expression: >- - !has(object.spec.initContainers) || - object.spec.initContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.procMount) || - container.securityContext.procMount == 'Default') - message: >- - Changing the proc mount from the default is not allowed. The field - spec.initContainers[*].securityContext.procMount must be unset or set to `Default`. - - - expression: >- - !has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.procMount) || - container.securityContext.procMount == 'Default') - message: >- - Changing the proc mount from the default is not allowed. The field - spec.ephemeralContainers[*].securityContext.procMount must be unset or set to `Default`. + - expression: "variables.allContainers.all(container, container.?securityContext.?procMount.orValue('Default') == 'Default')" + message: "Changing the proc mount from the default is not allowed." diff --git a/pod-security-cel/baseline/restrict-seccomp/artifacthub-pkg.yml b/pod-security-cel/baseline/restrict-seccomp/artifacthub-pkg.yml index 359c6c7bd..33895bece 100644 --- a/pod-security-cel/baseline/restrict-seccomp/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/restrict-seccomp/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: ba179d3d3d4435152b80e3aefbae44edd59b2300cd30395cde1c0a015e135f09 -createdAt: "2023-12-03T00:22:34Z" +digest: c239371f4dd418e2410b05bbf0893d81255e0ac06fa62e169e71506123d88cf5 +createdAt: "2024-08-21T00:22:34Z" diff --git a/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml b/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml index e54a3c69b..4e74a34f6 100644 --- a/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml +++ b/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml @@ -29,45 +29,18 @@ spec: - UPDATE validate: cel: + variables: + - name: allContainers + expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" + - name: allowedProfileTypes + expression: "['RuntimeDefault', 'Localhost']" expressions: - expression: >- - !has(object.spec.securityContext) || - !has(object.spec.securityContext.seccompProfile) || - !has(object.spec.securityContext.seccompProfile.type) || - object.spec.securityContext.seccompProfile.type == 'RuntimeDefault' || - object.spec.securityContext.seccompProfile.type == 'Localhost' - message: >- - Use of custom Seccomp profiles is disallowed. The field - spec.securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`. - - - expression: >- - object.spec.containers.all(container, !has(container.securityContext) || - !has(container.securityContext.seccompProfile) || - !has(container.securityContext.seccompProfile.type) || - container.securityContext.seccompProfile.type == 'RuntimeDefault' || - container.securityContext.seccompProfile.type == 'Localhost') + (object.spec.?securityContext.?seccompProfile.?type.orValue('Localhost') + in variables.allowedProfileTypes) && + (variables.allContainers.all(container, + container.?securityContext.?seccompProfile.?type.orValue('Localhost') + in variables.allowedProfileTypes)) message: >- Use of custom Seccomp profiles is disallowed. The field spec.containers[*].securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`. - - - expression: >- - !has(object.spec.initContainers) || - object.spec.initContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.seccompProfile) || - !has(container.securityContext.seccompProfile.type) || - container.securityContext.seccompProfile.type == 'RuntimeDefault' || - container.securityContext.seccompProfile.type == 'Localhost') - message: >- - Use of custom Seccomp profiles is disallowed. The field - spec.initContainers[*].securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`. - - - expression: >- - !has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.seccompProfile) || - !has(container.securityContext.seccompProfile.type) || - container.securityContext.seccompProfile.type == 'RuntimeDefault' || - container.securityContext.seccompProfile.type == 'Localhost') - message: >- - Use of custom Seccomp profiles is disallowed. The field - spec.ephemeralContainers[*].securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`. diff --git a/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml b/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml index 737e81be9..98cfe547e 100644 --- a/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 97f75f8cdd2e3ee9f9696cdceccc34cf0df5edbca0e3bbab76572494a26ce6e8 -createdAt: "2023-12-03T00:22:33Z" +digest: 451731aeba70f3c37f7a58cc1ba47b7fed8ffc8971e4a664c81406004f93b61c +createdAt: "2024-08-21T00:22:33Z" diff --git a/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml b/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml index d564df539..294685d36 100644 --- a/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml +++ b/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml @@ -32,16 +32,13 @@ spec: - UPDATE validate: cel: + variables: + - name: allowedSysctls + expression: "['kernel.shm_rmid_forced','net.ipv4.ip_local_port_range','net.ipv4.ip_unprivileged_port_start','net.ipv4.tcp_syncookies','net.ipv4.ping_group_range']" expressions: - expression: >- - !has(object.spec.securityContext) || - !has(object.spec.securityContext.sysctls) || - object.spec.securityContext.sysctls.all(sysctl, !has(sysctl.name) || - sysctl.name == 'kernel.shm_rmid_forced' || - sysctl.name == 'net.ipv4.ip_local_port_range' || - sysctl.name == 'net.ipv4.ip_unprivileged_port_start' || - sysctl.name == 'net.ipv4.tcp_syncookies' || - sysctl.name == 'net.ipv4.ping_group_range') + object.spec.?securityContext.?sysctls.orValue([]).all(sysctl, sysctl == '' || + has(sysctl.name) && sysctl.name in variables.allowedSysctls) message: >- Setting additional sysctls above the allowed type is disallowed. The field spec.securityContext.sysctls must be unset or not use any other names From 6a8795cb6e8f3e1f6185b39b510bae69e1bd65fa Mon Sep 17 00:00:00 2001 From: siddhikhapare <81567515+siddhikhapare@users.noreply.github.com> Date: Tue, 27 Aug 2024 03:21:29 +0530 Subject: [PATCH 2/2] Updated cel expression of selinux (#1122) Signed-off-by: siddhikhapare Co-authored-by: Jim Bugwadia --- .../disallow-selinux/artifacthub-pkg.yml | 2 +- .../disallow-selinux/disallow-selinux.yaml | 91 +++++-------------- 2 files changed, 23 insertions(+), 70 deletions(-) diff --git a/pod-security-cel/baseline/disallow-selinux/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-selinux/artifacthub-pkg.yml index a0d6fa163..2588b4ebe 100644 --- a/pod-security-cel/baseline/disallow-selinux/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-selinux/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: d842a1741805d9480e9a571a80117f4e2c6210b0d984d1c22e54545c3df9dd0d +digest: 03aa7b1e6017f42e75639c61a6593e1ac241ba1f158b72eaa8751c60b6c9d0f5 createdAt: "2023-12-03T00:22:33Z" diff --git a/pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml b/pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml index 983ebe1f1..b78bbd4ce 100644 --- a/pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml +++ b/pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml @@ -28,52 +28,24 @@ spec: - UPDATE validate: cel: + variables: + - name: allContainerTypes + expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" + - name: seLinuxTypes + expression: "['container_t', 'container_init_t', 'container_kvm_t']" expressions: - - expression: >- - !has(object.spec.securityContext) || + - expression: >- + (!has(object.spec.securityContext) || !has(object.spec.securityContext.seLinuxOptions) || !has(object.spec.securityContext.seLinuxOptions.type) || - object.spec.securityContext.seLinuxOptions.type == 'container_t' || - object.spec.securityContext.seLinuxOptions.type == 'container_init_t' || - object.spec.securityContext.seLinuxOptions.type == 'container_kvm_t' - message: >- - Setting the SELinux type is restricted. The field spec.securityContext.seLinuxOptions.type - must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t). - - - expression: >- - object.spec.containers.all(container, !has(container.securityContext) || - !has(container.securityContext.seLinuxOptions) || - !has(container.securityContext.seLinuxOptions.type) || - container.securityContext.seLinuxOptions.type == 'container_t' || - container.securityContext.seLinuxOptions.type == 'container_init_t' || - container.securityContext.seLinuxOptions.type == 'container_kvm_t') - message: >- - Setting the SELinux type is restricted. The field spec.containers[*].securityContext.seLinuxOptions.type - must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t). - - - expression: >- - !has(object.spec.initContainers) || - object.spec.initContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.seLinuxOptions) || - !has(container.securityContext.seLinuxOptions.type) || - container.securityContext.seLinuxOptions.type == 'container_t' || - container.securityContext.seLinuxOptions.type == 'container_init_t' || - container.securityContext.seLinuxOptions.type == 'container_kvm_t') - message: >- - Setting the SELinux type is restricted. The field spec.initContainers[*].securityContext.seLinuxOptions.type - must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t). - - - expression: >- - !has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, !has(container.securityContext) || + variables.seLinuxTypes.exists(type, type == object.spec.securityContext.seLinuxOptions.type)) && + variables.allContainerTypes.all(container, + !has(container.securityContext) || !has(container.securityContext.seLinuxOptions) || !has(container.securityContext.seLinuxOptions.type) || - container.securityContext.seLinuxOptions.type == 'container_t' || - container.securityContext.seLinuxOptions.type == 'container_init_t' || - container.securityContext.seLinuxOptions.type == 'container_kvm_t') + variables.seLinuxTypes.exists(type, type == container.securityContext.seLinuxOptions.type)) message: >- - Setting the SELinux type is restricted. The field spec.ephemeralContainers[*].securityContext.seLinuxOptions.type - must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t). + Setting the SELinux type is restricted. The field securityContext.seLinuxOptions.type must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t). - name: selinux-user-role match: any: @@ -85,37 +57,18 @@ spec: - UPDATE validate: cel: + variables: + - name: allContainerTypes + expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" expressions: - - expression: >- - !has(object.spec.securityContext) || + - expression: >- + (!has(object.spec.securityContext) || !has(object.spec.securityContext.seLinuxOptions) || - (!has(object.spec.securityContext.seLinuxOptions.user) && !has(object.spec.securityContext.seLinuxOptions.role)) - message: >- - Setting the SELinux user or role is forbidden. The fields - spec.securityContext.seLinuxOptions.user and spec.securityContext.seLinuxOptions.role must be unset. - - - expression: >- - object.spec.containers.all(container, !has(container.securityContext) || - !has(container.securityContext.seLinuxOptions) || - (!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role))) - message: >- - Setting the SELinux user or role is forbidden. The fields - spec.containers[*].securityContext.seLinuxOptions.user and spec.containers[*].securityContext.seLinuxOptions.role must be unset. - - - expression: >- - !has(object.spec.initContainers) || - object.spec.initContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.seLinuxOptions) || - (!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role))) - message: >- - Setting the SELinux user or role is forbidden. The fields - spec.initContainers[*].securityContext.seLinuxOptions.user and spec.initContainers[*].securityContext.seLinuxOptions.role must be unset. - - - expression: >- - !has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, !has(container.securityContext) || + (!has(object.spec.securityContext.seLinuxOptions.user) && !has(object.spec.securityContext.seLinuxOptions.role))) && + variables.allContainerTypes.all(container, + !has(container.securityContext) || !has(container.securityContext.seLinuxOptions) || (!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role))) message: >- - Setting the SELinux user or role is forbidden. The fields - spec.ephemeralContainers[*].securityContext.seLinuxOptions.user and spec.ephemeralContainers[*].securityContext.seLinuxOptions.role must be unset. + Setting the SELinux user or role is forbidden. The fields seLinuxOptions.user and seLinuxOptions.role must be unset. + \ No newline at end of file