Enhanced: Simplify the CEL policy to disallow host ports

Signed-off-by: Lavish pal <[email protected]>
lavishpal · Jul 30, 2024 · 8c6ff12 · 8c6ff12
1 parent 035fb4e
commit 8c6ff12
Showing 1 changed file with 13 additions and 19 deletions.
diff --git a/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml b/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml
@@ -30,24 +30,18 @@ spec:
         cel:
           expressions:
             - expression: >- 
-                object.spec.containers.all(container, !has(container.ports) || 
-                container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
-              message: >-
-                Use of host ports is disallowed. The field spec.containers[*].ports[*].hostPort
-                must either be unset or set to `0`.
+                [
+                  object.spec.containers,
+                  object.spec.initContainers,
+                  object.spec.ephemeralContainers
+                ].all(containers, !has(containers) ||
+                  containers.all(container, !has(container.ports) ||
+                  container.ports.all(port, !has(port.hostPort) || port.hostPort == 0)
+               )
+              )
+          message: >-
+            Use of host ports is disallowed. The field spec.containers[*].ports[*].hostPort,
+            spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
+            must either be unset or set to `0`.
 
-            - expression: >- 
-                !has(object.spec.initContainers) || 
-                object.spec.initContainers.all(container, !has(container.ports) || 
-                container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
-              message: >-
-                Use of host ports is disallowed. The field spec.initContainers[*].ports[*].hostPort
-                must either be unset or set to `0`.
 
-            - expression: >- 
-                !has(object.spec.ephemeralContainers) ||
-                object.spec.ephemeralContainers.all(container, !has(container.ports) ||
-                container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
-              message: >-
-                Use of host ports is disallowed. The field spec.ephemeralContainers[*].ports[*].hostPort
-                must either be unset or set to `0`.