From c874d4001c836551c1b9e934459a1b7e869e9f44 Mon Sep 17 00:00:00 2001 From: epasham Date: Wed, 21 Aug 2024 09:41:41 +0000 Subject: [PATCH 01/14] disallow-privileged-containers policy is simplified Signed-off-by: epasham --- .../disallow-privileged-containers.yaml | 30 ++++--------------- 1 file changed, 5 insertions(+), 25 deletions(-) diff --git a/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml b/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml index df67481c9..5046692e4 100644 --- a/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml +++ b/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml 
@@ -28,29 +28,9 @@ spec: - UPDATE validate: cel: + variables: + - name: allContainers + expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" expressions: - - expression: >- - object.spec.containers.all(container, !has(container.securityContext) || - !has(container.securityContext.privileged) || - container.securityContext.privileged == false) - message: >- - Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged - must be unset or set to `false`. - - - expression: >- - !has(object.spec.initContainers) || - object.spec.initContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.privileged) || - container.securityContext.privileged == false) - message: >- - Privileged mode is disallowed. The fields spec.initContainers[*].securityContext.privileged - must be unset or set to `false`. - - - expression: >- - !has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.privileged) || - container.securityContext.privileged == false) - message: >- - Privileged mode is disallowed. The fields spec.ephemeralContainers[*].securityContext.privileged - must be unset or set to `false`. + - expression: "variables.allContainers.all(container, container.?securityContext.?privileged.orValue(false) == false)" + message: "Privileged mode is disallowed. All containers must set the securityContext.privileged field to `false` or unset the field." From 2912dc2c311a049f70d61e39dbd1407e0132610b Mon Sep 17 00:00:00 2001 From: epasham Date: Wed, 21 Aug 2024 09:44:53 +0000 Subject: [PATCH 02/14] digest value is updated in artifacthub-pkg Signed-off-by: epasham --- .../disallow-privileged-containers/artifacthub-pkg.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
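Review bot: The rewritten `- expression:` line relies on CEL optional-field syntax (`.?` and `orValue`), while the companion artifacthub-pkg.yml hunk in this patch keeps `kyverno/kubernetesVersion: "1.26-1.27"` unchanged; as far as I know the optional library was not part of admission CEL in those releases, so confirm the minimum Kyverno/Kubernetes version that compiles this expression and update the annotation to match. The single new message also drops the field path that the three removed messages gave, so a denied user no longer sees what to change; consider `message: "Privileged mode is disallowed. The field securityContext.privileged of every container (containers, initContainers, ephemeralContainers) must be unset or set to \`false\`."`. The check itself is equivalent to the old one, since an unset `privileged` is treated as `false`, which is also the Kubernetes default.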
diff --git a/pod-security-cel/baseline/disallow-privileged-containers/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-privileged-containers/artifacthub-pkg.yml index d51943d7e..346873cc6 100644 --- a/pod-security-cel/baseline/disallow-privileged-containers/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-privileged-containers/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 6ef6ef12ea3680c1d610f056ed163539debdf195bed4a3ab688599d7dfaf82e8 -createdAt: "2023-12-03T00:22:34Z" +digest: 87d401d722951d3382e4848ee597448ad3a3504749000a57ba89f7a3acd17ba7 +createdAt: "2024-08-21T00:22:34Z" From 1ac99752269c1fbf0a50e906f56adb8ba361c7a3 Mon Sep 17 00:00:00 2001 From: epasham Date: Wed, 21 Aug 2024 09:48:17 +0000 Subject: [PATCH 03/14] disallow-capabilities policy is simplified Signed-off-by: epasham --- .../disallow-capabilities.yaml | 38 ++++--------------- 1 file changed, 8 insertions(+), 30 deletions(-) diff --git a/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml b/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml index 3084fec43..b423f426b 100644 --- a/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml +++ b/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml 
@@ -26,38 +26,16 @@ spec: - UPDATE validate: cel: + variables: + - name: allowedCapabilities + expression: "['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT']" + - name: allContainers + expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" expressions: - expression: >- - object.spec.containers.all(container, - !has(container.securityContext) || - !has(container.securityContext.capabilities) || - !has(container.securityContext.capabilities.add) || - container.securityContext.capabilities.add.all(capability, - ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability))) - message: >- - Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, - FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) - are disallowed. - - - expression: >- - !has(object.spec.initContainers) || - object.spec.initContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.capabilities) || - !has(container.securityContext.capabilities.add) || - container.securityContext.capabilities.add.all(capability, - ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability))) - message: >- - Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, - FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) - are disallowed. 
- - - expression: >- - !has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.capabilities) || - !has(container.securityContext.capabilities.add) || - container.securityContext.capabilities.add.all(capability, - ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability))) + variables.allContainers.all(container, + container.?securityContext.?capabilities.?add.orValue([]).all(capability, capability == '' || + capability in variables.allowedCapabilities)) message: >- Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) From 09a6e571435cdc8a8d5b938e71aca3132b713ed0 Mon Sep 17 00:00:00 2001 From: epasham Date: Wed, 21 Aug 2024 09:51:14 +0000 Subject: [PATCH 04/14] digest value is updated Signed-off-by: epasham --- .../baseline/disallow-capabilities/artifacthub-pkg.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml index 7d4f6bd83..e1b03f650 100644 --- a/pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: e5f9cbb8246d36347c0fe62768e6b62b6b323efb7dd1ac60bc8c220e641220fb -createdAt: "2023-12-03T00:22:33Z" +digest: 581bbe2061d08871889e18bc5a6f58102da467d4fa164084970d96ab2ef3c202 +createdAt: "2024-08-21T00:22:33Z" From 957c7ac8e975fe4284d37a8e50aa991cf21a58cc Mon Sep 17 00:00:00 2001 
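Review bot: The new `all(capability, capability == '' || capability in variables.allowedCapabilities)` admits an empty capability name, which none of the removed expressions did, so this is a widening rather than the simplification the commit title describes; either drop the `capability == ''` clause or add a comment above the expression explaining which input requires it. The same empty-entry escape recurs as `size(volume) == 0` in the disallow-host-path hunk, `size(port) == 0` in the disallow-host-ports-range hunk and `sysctl == ''` in the restrict-sysctls hunk, so if these exist for a test fixture, one comment per expression naming that fixture would stop a later cleanup from quietly changing what the policies accept. The `allowedCapabilities` variable is a good extraction; the message below it still hard-codes the same list, which will drift the first time one of them is edited.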
From: epasham Date: Wed, 21 Aug 2024 10:07:59 +0000 Subject: [PATCH 05/14] disallow-proc-mount policy is simplified Signed-off-by: epasham --- .../disallow-proc-mount/artifacthub-pkg.yml | 4 +-- .../disallow-proc-mount.yaml | 30 ++++--------------- 2 files changed, 7 insertions(+), 27 deletions(-) diff --git a/pod-security-cel/baseline/disallow-proc-mount/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-proc-mount/artifacthub-pkg.yml index 8ee2a461b..92e3f88d3 100644 --- a/pod-security-cel/baseline/disallow-proc-mount/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-proc-mount/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: b836600d6ae7f490ba39f55df45fa599c88a5c76386ee6faf8a6609ff626179b -createdAt: "2023-12-03T00:22:33Z" +digest: e75db214f9179242625089686a02094d9dbf9ded059b1e71ff909aa0b582b1a5 +createdAt: "2024-08-21T00:22:33Z" diff --git a/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml b/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml index 42dbbcf9e..6b12ea58d 100644 --- a/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml +++ b/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml 
@@ -30,29 +30,9 @@ spec: - UPDATE validate: cel: + variables: + - name: allContainers + expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" expressions: - - expression: >- - object.spec.containers.all(container, !has(container.securityContext) || - !has(container.securityContext.procMount) || - container.securityContext.procMount == 'Default') - message: >- - Changing the proc mount from the default is not allowed. The field - spec.containers[*].securityContext.procMount must be unset or set to `Default`. - - - expression: >- - !has(object.spec.initContainers) || - object.spec.initContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.procMount) || - container.securityContext.procMount == 'Default') - message: >- - Changing the proc mount from the default is not allowed. The field - spec.initContainers[*].securityContext.procMount must be unset or set to `Default`. - - - expression: >- - !has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.procMount) || - container.securityContext.procMount == 'Default') - message: >- - Changing the proc mount from the default is not allowed. The field - spec.ephemeralContainers[*].securityContext.procMount must be unset or set to `Default`. + - expression: "variables.allContainers.all(container, container.?securityContext.?procMount.orValue('Default') == 'Default')" + message: "Changing the proc mount from the default is not allowed." From ff14abdf07344af16cf2e88261370a7aadff9d0f Mon Sep 17 00:00:00 2001 From: epasham Date: Wed, 21 Aug 2024 10:45:46 +0000 Subject: [PATCH 06/14] disallow-host-namespaces policy is simplified 
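Review bot: The new `message:` no longer names the rejected field or the allowed value, whereas the three messages it replaces spelled out `securityContext.procMount` and `Default`; a denial now gives the user no hint of what to fix. Suggest `message: "Changing the proc mount from the default is not allowed. The field securityContext.procMount of every container (containers, initContainers, ephemeralContainers) must be unset or set to \`Default\`."`. The expression itself is equivalent to the old one, since an unset procMount is treated as `Default`.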
Signed-off-by: epasham --- .../baseline/disallow-host-namespaces/artifacthub-pkg.yml | 3 ++- .../disallow-host-namespaces/disallow-host-namespaces.yaml | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml index 3bc6ebf30..27f5c73ce 100644 --- a/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml @@ -20,4 +20,5 @@ annotations: kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" digest: c57ee3440401887541c2d97727fc268d5cd9eb47faf00bea2f0ca738caffe483 -createdAt: "2023-12-03T00:22:34Z" +digest: 52a739e283afddd9c023a5d0b0d8822008a2923f7c0b5544a43cb76540c2c1f9 +createdAt: "2024-08-21T00:22:34Z" diff --git a/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml b/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml index d3ac68ac1..2fafe9e33 100644 --- a/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml +++ b/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml @@ -31,9 +31,9 @@ spec: cel: expressions: - expression: >- - (!has(object.spec.hostNetwork) || object.spec.hostNetwork == false) && - (!has(object.spec.hostIPC) || object.spec.hostIPC == false) && - (!has(object.spec.hostPID) || object.spec.hostPID == false) + ( object.spec.?hostNetwork.orValue(false) == false) && + ( object.spec.?hostIPC.orValue(false) == false) && + ( object.spec.?hostPID.orValue(false) == false) message: >- Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must be unset or set to `false`. From 1e06a8e8c87cfa582c42e780e41de5810794395e Mon Sep 17 00:00:00 2001 From: epasham Date: Wed, 21 Aug 2024 10:52:29 +0000 Subject: [PATCH 07/14] disallow-host-path is updated 
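Review bot: The three rewritten lines open with `( object.spec.?hostNetwork...`, a space after the opening parenthesis that no other rewritten expression in this series uses; write them as `(object.spec.?hostNetwork.orValue(false) == false) &&` for consistency, or drop the parentheses entirely since each wraps a single comparison. The artifacthub-pkg.yml hunk in this patch adds a second `digest:` key beside the old one instead of replacing it; patch 09 of the series removes the stale line again, but the intermediate commit leaves a duplicate-key YAML file that strict loaders reject, so the two should be squashed.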
Signed-off-by: epasham --- .../baseline/disallow-host-path/artifacthub-pkg.yml | 3 ++- .../baseline/disallow-host-path/disallow-host-path.yaml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml index 522af9210..c87b20bb9 100644 --- a/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml @@ -20,4 +20,5 @@ annotations: kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod,Volume" digest: 7a78c73a64e61e91876d3ee30c99e1b39774ec885e881f4ffa0be11713710031 -createdAt: "2023-12-03T00:22:34Z" +digest: e03e92172513193882011b17c9bf4d66af1637a280c0cd6d696db580eea06558 +createdAt: "2024-08-21T00:22:34Z" diff --git a/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml b/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml index 58bb7109c..faa358038 100644 --- a/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml +++ b/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml @@ -29,5 +29,5 @@ spec: validate: cel: expressions: - - expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))" + - expression: "object.spec.?volumes.orValue([]).all(volume, size(volume) == 0 || !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset" From 2f6b11c5dd0d98add3e141bca58c6e2155d958aa Mon Sep 17 00:00:00 2001 From: epasham Date: Wed, 21 Aug 2024 10:57:42 +0000 Subject: [PATCH 08/14] disallow-host-ports-range policy is simplified Signed-off-by: epasham --- .../artifacthub-pkg.yml | 4 +-- .../disallow-host-ports-range.yaml | 27 ++++++++----------- 2 files changed, 13 insertions(+), 18 deletions(-) 
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml index 300feec3e..d5c83c72c 100644 --- a/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: e48d0f138fc501b4cc8726d2bc56dae5f0230b155744ea36eb08dfd5e51d823b -createdAt: "2023-12-03T00:22:34Z" +digest: 22f1d93a44d6e62c3329f6609e46b92729549be08cb157b7c1f11581527c4d48 +createdAt: "2024-08-21T00:22:34Z" diff --git a/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml b/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml index d64e350a7..b67269271 100644 --- a/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml +++ b/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml 
@@ -29,23 +29,18 @@ spec: - UPDATE validate: cel: + cel: + variables: + - name: allContainers + expression: >- + object.spec.containers + + object.spec.?initContainers.orValue([]) + + object.spec.?ephemeralContainers.orValue([]) expressions: - expression: >- - object.spec.containers.all(container, !has(container.ports) || - container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000))) - message: >- - The only permitted hostPorts are in the range 5000-6000. - - - expression: >- - !has(object.spec.initContainers) || - object.spec.initContainers.all(container, !has(container.ports) || - container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000))) - message: >- - The only permitted hostPorts are in the range 5000-6000. - - - expression: >- - !has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, !has(container.ports) || - container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000))) + variables.allContainers.all(container, + container.?ports.orValue([]).all(port, + size(port) == 0 || + !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000) )) message: >- The only permitted hostPorts are in the range 5000-6000. From 4920e4beec6c981e44b586ef0a22d18a4f0d8e13 Mon Sep 17 00:00:00 2001 From: epasham Date: Wed, 21 Aug 2024 11:13:10 +0000 Subject: [PATCH 09/14] removed duplicate digest Signed-off-by: epasham --- .../baseline/disallow-host-namespaces/artifacthub-pkg.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml index 27f5c73ce..ede51bb0e 100644 --- a/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml 
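Review bot: The hunk adds a `+ cel:` line directly after the existing ` cel:` context line, so the new side carries the key twice; the collapsed diff hides its indentation, but if the added line is nested it becomes `validate.cel.cel`, an unknown field that leaves `validate.cel` without any `expressions` and the policy enforcing nothing, and if it is at the same depth it is a duplicate mapping key that yamllint flags and most parsers resolve last-wins. The 11-line insertion count in the diffstat confirms the extra `cel:` is part of the change, so delete that added line and leave `variables:` and `expressions:` under the original key. This hunk also defines `allContainers` as `object.spec.?initContainers.orValue([])` while the other patches in the series use `has(object.spec.initContainers) ? ... : []`; both are equivalent, but one form across the repository would be easier to maintain.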
@@ -19,6 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: c57ee3440401887541c2d97727fc268d5cd9eb47faf00bea2f0ca738caffe483 digest: 52a739e283afddd9c023a5d0b0d8822008a2923f7c0b5544a43cb76540c2c1f9 createdAt: "2024-08-21T00:22:34Z" From c42117c946e064d18eeab464ebbbcf69472cc953 Mon Sep 17 00:00:00 2001 From: epasham Date: Wed, 21 Aug 2024 11:15:49 +0000 Subject: [PATCH 10/14] removed duplicate digest from artifact pkg file Signed-off-by: epasham --- pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml index c87b20bb9..88c0ff710 100644 --- a/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml @@ -19,6 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline)" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod,Volume" -digest: 7a78c73a64e61e91876d3ee30c99e1b39774ec885e881f4ffa0be11713710031 digest: e03e92172513193882011b17c9bf4d66af1637a280c0cd6d696db580eea06558 createdAt: "2024-08-21T00:22:34Z" From de7d93c4de772d02bb487480377a81af81502167 Mon Sep 17 00:00:00 2001 From: epasham Date: Wed, 21 Aug 2024 11:37:53 +0000 Subject: [PATCH 11/14] restrict-seccomp policy is simplified Signed-off-by: epasham --- .../restrict-seccomp/artifacthub-pkg.yml | 4 +- .../restrict-seccomp/restrict-seccomp.yaml | 47 ++++--------------- 2 files changed, 12 insertions(+), 39 deletions(-) diff --git a/pod-security-cel/baseline/restrict-seccomp/artifacthub-pkg.yml b/pod-security-cel/baseline/restrict-seccomp/artifacthub-pkg.yml index 359c6c7bd..33895bece 100644 --- a/pod-security-cel/baseline/restrict-seccomp/artifacthub-pkg.yml 
+++ b/pod-security-cel/baseline/restrict-seccomp/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: ba179d3d3d4435152b80e3aefbae44edd59b2300cd30395cde1c0a015e135f09 -createdAt: "2023-12-03T00:22:34Z" +digest: c239371f4dd418e2410b05bbf0893d81255e0ac06fa62e169e71506123d88cf5 +createdAt: "2024-08-21T00:22:34Z" diff --git a/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml b/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml index e54a3c69b..4e74a34f6 100644 --- a/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml +++ b/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml 
@@ -29,45 +29,18 @@ spec: - UPDATE validate: cel: + variables: + - name: allContainers + expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" + - name: allowedProfileTypes + expression: "['RuntimeDefault', 'Localhost']" expressions: - expression: >- - !has(object.spec.securityContext) || - !has(object.spec.securityContext.seccompProfile) || - !has(object.spec.securityContext.seccompProfile.type) || - object.spec.securityContext.seccompProfile.type == 'RuntimeDefault' || - object.spec.securityContext.seccompProfile.type == 'Localhost' - message: >- - Use of custom Seccomp profiles is disallowed. The field - spec.securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`. - - - expression: >- - object.spec.containers.all(container, !has(container.securityContext) || - !has(container.securityContext.seccompProfile) || - !has(container.securityContext.seccompProfile.type) || - container.securityContext.seccompProfile.type == 'RuntimeDefault' || - container.securityContext.seccompProfile.type == 'Localhost') + (object.spec.?securityContext.?seccompProfile.?type.orValue('Localhost') + in variables.allowedProfileTypes) && + (variables.allContainers.all(container, + container.?securityContext.?seccompProfile.?type.orValue('Localhost') + in variables.allowedProfileTypes)) message: >- Use of custom Seccomp profiles is disallowed. The field spec.containers[*].securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`. 
- - - expression: >- - !has(object.spec.initContainers) || - object.spec.initContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.seccompProfile) || - !has(container.securityContext.seccompProfile.type) || - container.securityContext.seccompProfile.type == 'RuntimeDefault' || - container.securityContext.seccompProfile.type == 'Localhost') - message: >- - Use of custom Seccomp profiles is disallowed. The field - spec.initContainers[*].securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`. - - - expression: >- - !has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.seccompProfile) || - !has(container.securityContext.seccompProfile.type) || - container.securityContext.seccompProfile.type == 'RuntimeDefault' || - container.securityContext.seccompProfile.type == 'Localhost') - message: >- - Use of custom Seccomp profiles is disallowed. The field - spec.ephemeralContainers[*].securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`. From 1defa050e0afad97754db20f20f9b0b679138e4d Mon Sep 17 00:00:00 2001 From: epasham Date: Wed, 21 Aug 2024 11:42:32 +0000 Subject: [PATCH 12/14] restrict-sysctls policy is simplified Signed-off-by: epasham --- .../baseline/restrict-sysctls/artifacthub-pkg.yml | 4 ++-- .../baseline/restrict-sysctls/restrict-sysctls.yaml | 13 +++++-------- 2 files changed, 7 insertions(+), 10 deletions(-) diff --git a/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml b/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml index 737e81be9..98cfe547e 100644 --- a/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml 
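Review bot: The kept `message:` still describes only `spec.containers[*].securityContext.seccompProfile.type`, but the rewritten expression now also evaluates the pod-level `spec.securityContext.seccompProfile.type` and every init and ephemeral container, and this hunk removes the separate messages that named those fields; a denial triggered by a pod-level or initContainer profile will point the user at the wrong field. Replace the message with one that names `spec.securityContext.seccompProfile.type` and `securityContext.seccompProfile.type` of all containers, initContainers and ephemeralContainers, and the allowed values `RuntimeDefault` and `Localhost`. Using `orValue('Localhost')` for an unset field is behaviorally correct for the baseline profile, where unset is allowed, but it reads as if unset meant Localhost; a one-line comment above the expression saying the default exists only so an unset field passes the `in` check would keep someone from "fixing" it later.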
@@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 97f75f8cdd2e3ee9f9696cdceccc34cf0df5edbca0e3bbab76572494a26ce6e8 -createdAt: "2023-12-03T00:22:33Z" +digest: 451731aeba70f3c37f7a58cc1ba47b7fed8ffc8971e4a664c81406004f93b61c +createdAt: "2024-08-21T00:22:33Z" diff --git a/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml b/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml index d564df539..294685d36 100644 --- a/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml +++ b/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml @@ -32,16 +32,13 @@ spec: - UPDATE validate: cel: + variables: + - name: allowedSysctls + expression: "['kernel.shm_rmid_forced','net.ipv4.ip_local_port_range','net.ipv4.ip_unprivileged_port_start','net.ipv4.tcp_syncookies','net.ipv4.ping_group_range']" expressions: - expression: >- - !has(object.spec.securityContext) || - !has(object.spec.securityContext.sysctls) || - object.spec.securityContext.sysctls.all(sysctl, !has(sysctl.name) || - sysctl.name == 'kernel.shm_rmid_forced' || - sysctl.name == 'net.ipv4.ip_local_port_range' || - sysctl.name == 'net.ipv4.ip_unprivileged_port_start' || - sysctl.name == 'net.ipv4.tcp_syncookies' || - sysctl.name == 'net.ipv4.ping_group_range') + object.spec.?securityContext.?sysctls.orValue([]).all(sysctl, sysctl == '' || + has(sysctl.name) && sysctl.name in variables.allowedSysctls) message: >- Setting additional sysctls above the allowed type is disallowed. The field spec.securityContext.sysctls must be unset or not use any other names From b597d251f16384fcd79d700492416b298999dbd7 Mon Sep 17 00:00:00 2001 From: epasham Date: Tue, 27 Aug 2024 12:06:31 +0000 Subject: [PATCH 13/14] disallow-host-process is simplified 
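Review bot: The rewritten expression requires `has(sysctl.name) &&`, whereas the removed one accepted an entry without a name (`!has(sysctl.name) ||`); this tightens the policy rather than simplifying it, and the commit title does not say so. As far as I recall Kubernetes validation rejects a sysctl entry with an empty name anyway, so the tightening is probably harmless, but either state it in the commit or restore `!has(sysctl.name) ||` so the rewrite is a pure refactor. The `sysctl == ''` clause compares a map entry with a string, which in CEL is either always `false` or a no-such-overload error depending on the library version Kyverno embeds; it should be dropped, or replaced with `size(sysctl) == 0` if an empty entry genuinely has to pass.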
Signed-off-by: epasham --- .../baseline/disallow-host-process/artifacthub-pkg.yml | 4 ++-- .../disallow-host-process/disallow-host-process.yaml | 5 +---- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/pod-security-cel/baseline/disallow-host-process/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-process/artifacthub-pkg.yml index 5c34fd693..e8d224546 100644 --- a/pod-security-cel/baseline/disallow-host-process/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-host-process/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 338a31daa29f6303a1b67e727631a4ea60abcc3bef1c6f322f8835fc8c6ddc17 -createdAt: "2023-12-03T00:22:34Z" +digest: 37386d4c35fe393c0957f0e52ddf818b38d31cb5440e3bcc155161b1f79e47c4 +createdAt: "2024-08-27T00:22:34Z" diff --git a/pod-security-cel/baseline/disallow-host-process/disallow-host-process.yaml b/pod-security-cel/baseline/disallow-host-process/disallow-host-process.yaml index 2d7269f15..da74ffd67 100644 --- a/pod-security-cel/baseline/disallow-host-process/disallow-host-process.yaml +++ b/pod-security-cel/baseline/disallow-host-process/disallow-host-process.yaml @@ -35,10 +35,7 @@ spec: expressions: - expression: >- variables.allContainers.all(container, - !has(container.securityContext) || - !has(container.securityContext.windowsOptions) || - !has(container.securityContext.windowsOptions.hostProcess) || - container.securityContext.windowsOptions.hostProcess == false) + container.?securityContext.?windowsOptions.?hostProcess.orValue(false) == false) message: >- HostProcess containers are disallowed. The field spec.containers[*].securityContext.windowsOptions.hostProcess, spec.initContainers[*].securityContext.windowsOptions.hostProcess, and From 8762743d49fa3edaf906c5bfc952152b4e52bcae Mon Sep 17 00:00:00 2001 
From: epasham Date: Fri, 30 Aug 2024 08:24:41 +0000 Subject: [PATCH 14/14] disallow-privilege-escalation policy is simplified Signed-off-by: epasham --- .../artifacthub-pkg.yml | 4 +-- .../disallow-privilege-escalation.yaml | 34 ++++++------------- 2 files changed, 12 insertions(+), 26 deletions(-) diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml index 2985acbe3..f7446b3cf 100644 --- a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml +++ b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 6c249b689ee08cc1edcbacf7a00a35cab98d5b1b2bf3fc7ebd8a0dd1e27bb2c1 -createdAt: "2023-12-04T09:04:49Z" +digest: 3d361694af595b4070d5ad6ef8e65f893069209a29b7b23d026ea685393e96b5 +createdAt: "2024-08-30T09:04:49Z" diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml index 5fc1229ae..db6c6ffce 100644 --- a/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml +++ b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml 
@@ -28,30 +28,16 @@ spec: - UPDATE validate: cel: + variables: + - name: allContainers + expression: >- + object.spec.containers + + object.spec.?initContainers.orValue([]) + + object.spec.?ephemeralContainers.orValue([]) expressions: - expression: >- - object.spec.containers.all(container, has(container.securityContext) && - has(container.securityContext.allowPrivilegeEscalation) && - container.securityContext.allowPrivilegeEscalation == false) + variables.allContainers.all(container, + container.?securityContext.?allowPrivilegeEscalation.orValue(false) == false) message: >- - Privilege escalation is disallowed. The field - spec.containers[*].securityContext.allowPrivilegeEscalation must be set to `false`. - - - expression: >- - !has(object.spec.initContainers) || - object.spec.initContainers.all(container, has(container.securityContext) && - has(container.securityContext.allowPrivilegeEscalation) && - container.securityContext.allowPrivilegeEscalation == false) - message: >- - Privilege escalation is disallowed. The field - spec.initContainers[*].securityContext.allowPrivilegeEscalation must be set to `false`. - - - expression: >- - !has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, has(container.securityContext) && - has(container.securityContext.allowPrivilegeEscalation) && - container.securityContext.allowPrivilegeEscalation == false) - message: >- - Privilege escalation is disallowed. The field - spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation must be set to `false`. - \ No newline at end of file + Privilege escalation is disallowed. + All containers must set the securityContext.allowPrivilegeEscalation field to `false`.
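Review bot: The rewritten check `container.?securityContext.?allowPrivilegeEscalation.orValue(false) == false` treats an unset field as `false`, but the removed expressions required the field to be present (`has(container.securityContext.allowPrivilegeEscalation) &&`) and equal to `false`; a container that simply omits the field now passes, and since Kubernetes permits privilege escalation when the field is unset, this is a regression of the restricted-profile requirement that the new message itself still states ("must set ... to `false`"). Make absence fail by flipping the default: `container.?securityContext.?allowPrivilegeEscalation.orValue(true) == false)`. This differs from the baseline policies earlier in the series, where the guarded fields really do default to the safe value, so those `orValue(false)` defaults are fine.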