From a95ef0213f34f39f68ea57e959a24284be89d711 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Wed, 7 Aug 2024 16:22:05 +0300 Subject: [PATCH 1/9] fix: use generateExisting instead of generateExistingOnPolicyUpdate (#1119) Signed-off-by: Mariam Fahmy --- .../argo-cluster-generation-from-rancher-capi.yaml | 2 +- .../artifacthub-pkg.yml | 2 +- .../artifacthub-pkg.yml | 2 +- .../config-syncer-secret-generation-from-rancher-capi.yaml | 2 +- other/generate-networkpolicy-existing/artifacthub-pkg.yml | 2 +- .../generate-networkpolicy-existing.yaml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/argo/argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi.yaml b/argo/argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi.yaml index 6c4b889dc..bf16f6401 100644 --- a/argo/argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi.yaml +++ b/argo/argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi.yaml @@ -19,7 +19,7 @@ metadata: "Cluster-API cluster auto-registration" and Rancher issue https://github.com/rancher/rancher/issues/38053 "Fix type and labels Rancher v2 provisioner specifies when creating CAPI Cluster Secret". spec: - generateExistingOnPolicyUpdate: true + generateExisting: true rules: - name: source-rancher-non-local-cluster-and-capi-secret match: diff --git a/argo/argo-cluster-generation-from-rancher-capi/artifacthub-pkg.yml b/argo/argo-cluster-generation-from-rancher-capi/artifacthub-pkg.yml index ab582087d..66afffd14 100644 --- a/argo/argo-cluster-generation-from-rancher-capi/artifacthub-pkg.yml +++ b/argo/argo-cluster-generation-from-rancher-capi/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Argo" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Secret" -digest: ddc3b0655fa1302142238ec869466e5f2ce2547f2f683effc7e5b0a813803b54 +digest: 955247857bea3c8e70733e8dc214406319f08ded53700ba42a8bc59dfcf94aa5 
diff --git a/kubeops/config-syncer-secret-generation-from-rancher-capi/artifacthub-pkg.yml b/kubeops/config-syncer-secret-generation-from-rancher-capi/artifacthub-pkg.yml index 7d08b5010..0b3e4f859 100644 --- a/kubeops/config-syncer-secret-generation-from-rancher-capi/artifacthub-pkg.yml +++ b/kubeops/config-syncer-secret-generation-from-rancher-capi/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Kubeops" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Secret" -digest: f45a05bf32cc4f14e962c58b62fbb69144d04a04a97abb08fe69e6c5843eb8e5 +digest: 9ce7e5f048b29eeef789ebf868ed508a593a43a49b3ae76a8e031160779d77bf diff --git a/kubeops/config-syncer-secret-generation-from-rancher-capi/config-syncer-secret-generation-from-rancher-capi.yaml b/kubeops/config-syncer-secret-generation-from-rancher-capi/config-syncer-secret-generation-from-rancher-capi.yaml index 4d2abb202..bbe146fbd 100644 --- a/kubeops/config-syncer-secret-generation-from-rancher-capi/config-syncer-secret-generation-from-rancher-capi.yaml +++ b/kubeops/config-syncer-secret-generation-from-rancher-capi/config-syncer-secret-generation-from-rancher-capi.yaml @@ -16,7 +16,7 @@ metadata: required by the Kubeops Config Syncer for it to sync ConfigMaps/Secrets from the Rancher management cluster to downstream clusters. spec: - generateExistingOnPolicyUpdate: true + generateExisting: true rules: - name: source-rancher-non-local-cluster-and-capi-secret match: diff --git a/other/generate-networkpolicy-existing/artifacthub-pkg.yml b/other/generate-networkpolicy-existing/artifacthub-pkg.yml index a681e1d91..250dcff9a 100644 --- a/other/generate-networkpolicy-existing/artifacthub-pkg.yml +++ b/other/generate-networkpolicy-existing/artifacthub-pkg.yml 
@@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Namespace, NetworkPolicy" -digest: 4cf8c5f46d007fdeb4f4da902003f65cbf9c783458ec752c342e5521eccf8c38 +digest: 4b22640f313949b16d47e144996489a7070e952b06e68f3ad1dc9ee5e013d976 diff --git a/other/generate-networkpolicy-existing/generate-networkpolicy-existing.yaml b/other/generate-networkpolicy-existing/generate-networkpolicy-existing.yaml index 27bfa2c27..cbb2069d4 100644 --- a/other/generate-networkpolicy-existing/generate-networkpolicy-existing.yaml +++ b/other/generate-networkpolicy-existing/generate-networkpolicy-existing.yaml @@ -17,7 +17,7 @@ metadata: is additional overhead. This policy creates a new NetworkPolicy for existing Namespaces which results in a default deny behavior and labels it with created-by=kyverno. spec: - generateExistingOnPolicyUpdate: true + generateExisting: true rules: - name: generate-existing-networkpolicy match: From 35bc1bc8a0cec87b83f9b8cd937425657736d9c2 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Wed, 7 Aug 2024 22:58:15 -0700 Subject: [PATCH 2/9] update permissions (#1116) * update permissions Signed-off-by: Jim Bugwadia * add role aggregation labels for older versions Signed-off-by: Jim Bugwadia --------- 
Signed-off-by: Jim Bugwadia --- .../.chainsaw-test/chainsaw-test.yaml | 2 + .../.chainsaw-test/permissions.yaml | 49 ++++++++++++++++++ .../.chainsaw-test/chainsaw-test.yaml | 2 + .../.chainsaw-test/permissions.yaml | 33 ++++++++++++ .../.chainsaw-test/chainsaw-test.yaml | 2 + .../.chainsaw-test/permissions.yaml | 16 ++++++ .../.chainsaw-test/chainsaw-test.yaml | 2 + .../.chainsaw-test/permissions.yaml | 17 +++++++ .../.chainsaw-test/chainsaw-test.yaml | 2 + .../.chainsaw-test/permissions.yaml | 51 +++++++++++++++++++ .../.chainsaw-test/chainsaw-test.yaml | 2 + .../.chainsaw-test/permissions.yaml | 17 +++++++ .../.chainsaw-test/chainsaw-test.yaml | 2 + .../.chainsaw-test/permissions.yaml | 19 +++++++ .../.chainsaw-test/chainsaw-test.yaml | 2 + .../.chainsaw-test/permissions.yaml | 17 +++++++ .../.chainsaw-test/chainsaw-test.yaml | 4 +- .../.chainsaw-test/chainsaw-test.yaml | 2 + .../.chainsaw-test/permissions.yaml | 17 +++++++ .../.chainsaw-test/chainsaw-test.yaml | 4 +- .../.chainsaw-test/crb.yaml | 27 +++++++++- .../.chainsaw-test/chainsaw-test.yaml | 2 + .../.chainsaw-test/permissions.yaml | 17 +++++++ .../.chainsaw-test/chainsaw-test.yaml | 2 + .../.chainsaw-test/permissions.yaml | 17 +++++++ .../.chainsaw-test/chainsaw-test.yaml | 2 + .../.chainsaw-test/permissions.yaml | 33 ++++++++++++ 27 files changed, 356 insertions(+), 6 deletions(-) create mode 100644 argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/permissions.yaml create mode 100644 istio/create-authorizationpolicy/.chainsaw-test/permissions.yaml create mode 100644 istio/require-authorizationpolicy/.chainsaw-test/permissions.yaml create mode 100644 kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/permissions.yaml create mode 100644 kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/permissions.yaml create mode 100644 kubevirt/add-services/.chainsaw-test/permissions.yaml create mode 100644 
linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/permissions.yaml create mode 100644 linkerd/require-linkerd-server/.chainsaw-test/permissions.yaml create mode 100644 other/inspect-csr/.chainsaw-test/permissions.yaml create mode 100644 other/prevent-duplicate-vpa/.chainsaw-test/permissions.yaml create mode 100644 other/restrict-secrets-by-label/.chainsaw-test/permissions.yaml create mode 100644 other/sync-secrets/.chainsaw-test/permissions.yaml diff --git a/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/chainsaw-test.yaml b/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/chainsaw-test.yaml index 10af34e33..1e1a78519 100755 --- a/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/chainsaw-test.yaml +++ b/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/chainsaw-test.yaml @@ -12,6 +12,8 @@ spec: file: chainsaw-step-00-assert-1.yaml - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1.yaml - apply: diff --git a/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/permissions.yaml b/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/permissions.yaml new file mode 100644 index 000000000..18dae3424 --- /dev/null +++ b/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/permissions.yaml 
@@ -0,0 +1,49 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets:view + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets:manage + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - create + - update + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:clusters + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - 'provisioning.cattle.io' + resources: + - clusters + verbs: + - get + - list + - watch \ No newline at end of file diff --git a/istio/create-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml b/istio/create-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml index 793b431c2..d5308e06a 100755 --- a/istio/create-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml +++ b/istio/create-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml @@ -12,6 +12,8 @@ spec: file: chainsaw-step-01-assert-1.yaml - name: step-02 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-02-apply-1.yaml - name: step-04 diff --git a/istio/create-authorizationpolicy/.chainsaw-test/permissions.yaml b/istio/create-authorizationpolicy/.chainsaw-test/permissions.yaml new file mode 100644 index 000000000..5075ffc73 --- /dev/null +++ b/istio/create-authorizationpolicy/.chainsaw-test/permissions.yaml 
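Review bot: `kyverno:secrets:view` is aggregated into the admission and reports controllers as well as the background controller, which gives all three cluster-wide get/list/watch on every Secret, while the generate policy this test exercises is, as far as I know, evaluated only by the background controller. Unless an admission- or report-time Secret lookup is actually needed, drop `rbac.kyverno.io/aggregate-to-reports-controller: "true"` and `rbac.kyverno.io/aggregate-to-admission-controller: "true"` from that role so it has the same background-only scope already used for `kyverno:secrets:manage`. The same three-label grant on Secrets is repeated in the kubeops, restrict-secrets-by-label and sync-secrets permissions files in this commit and is worth checking per policy against the controller that really evaluates it. Since these roles are what the policy needs at runtime and not only in the test, the policy's description should also tell users which ClusterRole to add. The file ends without a trailing newline.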
@@ -0,0 +1,33 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:istio:auth:view + labels: + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - 'security.istio.io' + resources: + - authorizationpolicies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:istio:auth:edit + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - 'security.istio.io' + resources: + - authorizationpolicies + verbs: + - create + - update + - delete diff --git a/istio/require-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml b/istio/require-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml index dcc772a0f..b3e41b721 100755 --- a/istio/require-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml +++ b/istio/require-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml @@ -8,6 +8,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1.yaml - apply: diff --git a/istio/require-authorizationpolicy/.chainsaw-test/permissions.yaml b/istio/require-authorizationpolicy/.chainsaw-test/permissions.yaml new file mode 100644 index 000000000..0d4153746 --- /dev/null +++ b/istio/require-authorizationpolicy/.chainsaw-test/permissions.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:istio:auth:view + labels: + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - 'security.istio.io' + resources: + - authorizationpolicies + verbs: + - get + - list + - watch \ No newline at end of file 
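Review bot: `kyverno:istio:auth:view` is defined here with three aggregation labels and again in istio/require-authorizationpolicy/.chainsaw-test/permissions.yaml (third hunk on this line) with only two, under the same cluster-scoped name. ClusterRoles are global, so whichever test applies last silently overwrites the other's definition, and if chainsaw deletes the resources it applied when a test finishes (its default behaviour, I believe) one test's cleanup can remove the role while the other still depends on it; with concurrent test execution this becomes an intermittent RBAC failure. The same collision exists for `kyverno:linkerd:server` (check-linkerd-authorizationpolicy grants authorizationpolicies, servers and httproutes; require-linkerd-server only servers) and for `kyverno:secrets:view` / `kyverno:secrets:manage` across the argo, kubeops, restrict-secrets-by-label and sync-secrets tests. Giving each fixture a name scoped to its test, e.g. `name: kyverno:istio:auth:view:create-authorizationpolicy`, or moving the shared roles into one fixture applied once for the suite, removes the overlap.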
diff --git a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-test.yaml b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-test.yaml index ba2a4623f..9d72e2bce 100755 --- a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-test.yaml +++ b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-test.yaml @@ -8,6 +8,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1.yaml - assert: diff --git a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/permissions.yaml b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/permissions.yaml new file mode 100644 index 000000000..2f31131bc --- /dev/null +++ b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/permissions.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:kasten:view + labels: + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - config.kio.kasten.io + resources: + - policies + verbs: + - get + - list + - watch diff --git a/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/chainsaw-test.yaml b/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/chainsaw-test.yaml index ce88041b6..bf52d7bb1 100755 --- a/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/chainsaw-test.yaml +++ b/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/chainsaw-test.yaml @@ -12,6 +12,8 @@ spec: file: chainsaw-step-00-assert-1.yaml - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1.yaml - apply: 
diff --git a/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/permissions.yaml b/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/permissions.yaml new file mode 100644 index 000000000..ef3f1fbdd --- /dev/null +++ b/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/permissions.yaml @@ -0,0 +1,51 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:rancher:cluster + labels: + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - 'provisioning.cattle.io' + resources: + - clusters + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets:view + labels: + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets:manage + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - create + - update + - delete \ No newline at end of file diff --git a/kubevirt/add-services/.chainsaw-test/chainsaw-test.yaml b/kubevirt/add-services/.chainsaw-test/chainsaw-test.yaml index c6d29f1ab..65e704a8e 100755 --- a/kubevirt/add-services/.chainsaw-test/chainsaw-test.yaml +++ b/kubevirt/add-services/.chainsaw-test/chainsaw-test.yaml @@ -12,6 +12,8 @@ spec: file: chainsaw-step-00-assert-1.yaml - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1.yaml - name: step-02 
diff --git a/kubevirt/add-services/.chainsaw-test/permissions.yaml b/kubevirt/add-services/.chainsaw-test/permissions.yaml new file mode 100644 index 000000000..fe9aca75d --- /dev/null +++ b/kubevirt/add-services/.chainsaw-test/permissions.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:kubevirt + labels: + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - kubevirt.io + resources: + - virtualmachineinstances + verbs: + - get + - list + - watch diff --git a/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml b/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml index 606cdaf50..5165633c7 100755 --- a/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml +++ b/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml @@ -16,6 +16,8 @@ spec: file: chainsaw-step-00-assert-3.yaml - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: ../check-linkerd-authorizationpolicy.yaml - patch: diff --git a/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/permissions.yaml b/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/permissions.yaml new file mode 100644 index 000000000..1d15da4f3 --- /dev/null +++ b/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/permissions.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:linkerd:server + labels: + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - policy.linkerd.io + resources: + - authorizationpolicies + - servers + - httproutes + verbs: + - get + - list + - watch 
diff --git a/linkerd/require-linkerd-server/.chainsaw-test/chainsaw-test.yaml b/linkerd/require-linkerd-server/.chainsaw-test/chainsaw-test.yaml index cb6ce527c..5021a7cb9 100755 --- a/linkerd/require-linkerd-server/.chainsaw-test/chainsaw-test.yaml +++ b/linkerd/require-linkerd-server/.chainsaw-test/chainsaw-test.yaml @@ -12,6 +12,8 @@ spec: file: chainsaw-step-00-assert-1.yaml - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: ../require-linkerd-server.yaml - patch: diff --git a/linkerd/require-linkerd-server/.chainsaw-test/permissions.yaml b/linkerd/require-linkerd-server/.chainsaw-test/permissions.yaml new file mode 100644 index 000000000..64658abb5 --- /dev/null +++ b/linkerd/require-linkerd-server/.chainsaw-test/permissions.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:linkerd:server + labels: + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - policy.linkerd.io + resources: + - servers + verbs: + - get + - list + - watch diff --git a/other/add-node-labels-pod/.chainsaw-test/chainsaw-test.yaml b/other/add-node-labels-pod/.chainsaw-test/chainsaw-test.yaml index f57fe3e76..836a04ea5 100755 --- a/other/add-node-labels-pod/.chainsaw-test/chainsaw-test.yaml +++ b/other/add-node-labels-pod/.chainsaw-test/chainsaw-test.yaml @@ -12,7 +12,7 @@ spec: file: clusterroles.yaml - script: content: | - kubectl get configmap -n kyverno kyverno -o yaml | sed 's/\[Binding,\*,\*\]//g' - | sed 's/\[Pod\/binding,\*,\*\]//g' - | sed 's/\[Node\/\*,\*,\*\]//g' - | sed 's/\[Node,\*,\*\]//g' - | kubectl apply -f - + kubectl get configmap -n kyverno kyverno -o yaml | sed 's/\[Binding,\*,\*\]//g' | sed 's/\[Pod\/binding,\*,\*\]//g' | sed 's/\[Node\/\*,\*,\*\]//g' | sed 's/\[Node,\*,\*\]//g' | kubectl apply -f - - sleep: duration: 5s - name: step-02 
@@ -39,4 +39,4 @@ spec: try: - script: content: | - kubectl get configmap -n kyverno kyverno -o yaml | sed 's/\[SelfSubjectAccessReview,\*,\*\]/\[SelfSubjectAccessReview,\*,\*\] \[Binding,\*,\*\] \[Pod\/binding,\*,\*\]/g' - | sed 's/\[APIService,\*,\*\]/\[Node,\*,\*\] \[Node\/\*,\*,\*\] \[APIService,\*,\*\]/g' - | kubectl apply -f - + kubectl get configmap -n kyverno kyverno -o yaml | sed 's/\[SelfSubjectAccessReview,\*,\*\]/\[SelfSubjectAccessReview,\*,\*\] \[Binding,\*,\*\] \[Pod\/binding,\*,\*\]/g' | sed 's/\[APIService,\*,\*\]/\[Node,\*,\*\] \[Node\/\*,\*,\*\] \[APIService,\*,\*\]/g' | kubectl apply -f - diff --git a/other/inspect-csr/.chainsaw-test/chainsaw-test.yaml b/other/inspect-csr/.chainsaw-test/chainsaw-test.yaml index b3ff04242..b5098eafd 100755 --- a/other/inspect-csr/.chainsaw-test/chainsaw-test.yaml +++ b/other/inspect-csr/.chainsaw-test/chainsaw-test.yaml @@ -49,6 +49,8 @@ spec: kubectl config set-context $USERNAME-context --user=$USERNAME --cluster=$CLUSTER # Delete CSR kubectl delete csr $USERNAME + - apply: + file: permissions.yaml - apply: file: ../inspect-csr.yaml - apply: diff --git a/other/inspect-csr/.chainsaw-test/permissions.yaml b/other/inspect-csr/.chainsaw-test/permissions.yaml new file mode 100644 index 000000000..a4a380be6 --- /dev/null +++ b/other/inspect-csr/.chainsaw-test/permissions.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:csr + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - 'certificates.k8s.io' + resources: + - certificatesigningrequests + verbs: + - get + - list + - watch \ No newline at end of file diff --git a/other/mutate-pod-binding/.chainsaw-test/chainsaw-test.yaml b/other/mutate-pod-binding/.chainsaw-test/chainsaw-test.yaml index 0a45a7e4b..9da1edee9 100755 
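Review bot: The restore of Kyverno's `resourceFilters` ConfigMap sits under `try:` of the final step, so if any earlier step in this test fails, the Node and Binding filters stay removed for every test that follows in the same cluster. Moving the restore script into a step-level `finally:` (if the chainsaw version in use supports it) makes the rollback run regardless of the outcome of the preceding steps. The same structure is in other/mutate-pod-binding/.chainsaw-test/chainsaw-test.yaml, whose matching hunk follows on the next line. The step's `- name:` entry and the earlier step that performs the original edit are outside this hunk.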
--- a/other/mutate-pod-binding/.chainsaw-test/chainsaw-test.yaml +++ b/other/mutate-pod-binding/.chainsaw-test/chainsaw-test.yaml @@ -12,7 +12,7 @@ spec: file: crb.yaml - script: content: | - kubectl get configmap -n kyverno kyverno -o yaml | sed 's/\[Binding,\*,\*\]//g' - | sed 's/\[Pod\/binding,\*,\*\]//g' - | sed 's/\[Node\/\*,\*,\*\]//g' - | sed 's/\[Node,\*,\*\]//g' - | kubectl apply -f - + kubectl get configmap -n kyverno kyverno -o yaml | sed 's/\[Binding,\*,\*\]//g' | sed 's/\[Pod\/binding,\*,\*\]//g' | sed 's/\[Node\/\*,\*,\*\]//g' | sed 's/\[Node,\*,\*\]//g' | kubectl apply -f - - sleep: duration: 5s - name: step-02 @@ -39,4 +39,4 @@ spec: try: - script: content: | - kubectl get configmap -n kyverno kyverno -o yaml | sed 's/\[SelfSubjectAccessReview,\*,\*\]/\[SelfSubjectAccessReview,\*,\*\] \[Binding,\*,\*\] \[Pod\/binding,\*,\*\]/g' - | sed 's/\[APIService,\*,\*\]/\[Node,\*,\*\] \[Node\/\*,\*,\*\] \[APIService,\*,\*\]/g' - | kubectl apply -f - + kubectl get configmap -n kyverno kyverno -o yaml | sed 's/\[SelfSubjectAccessReview,\*,\*\]/\[SelfSubjectAccessReview,\*,\*\] \[Binding,\*,\*\] \[Pod\/binding,\*,\*\]/g' | sed 's/\[APIService,\*,\*\]/\[Node,\*,\*\] \[Node\/\*,\*,\*\] \[APIService,\*,\*\]/g' | kubectl apply -f - diff --git a/other/mutate-pod-binding/.chainsaw-test/crb.yaml b/other/mutate-pod-binding/.chainsaw-test/crb.yaml index b1797f6e9..e497436af 100644 --- a/other/mutate-pod-binding/.chainsaw-test/crb.yaml +++ b/other/mutate-pod-binding/.chainsaw-test/crb.yaml 
@@ -1,15 +1,38 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: kyverno:background-controller:label-nodes-cri + name: kyverno:nodes:view labels: app.kubernetes.io/component: background-controller app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" rules: - apiGroups: - "" resources: - nodes verbs: - - update \ No newline at end of file + - get + - list + - watch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:nodes:update + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - update diff --git a/other/prevent-duplicate-vpa/.chainsaw-test/chainsaw-test.yaml b/other/prevent-duplicate-vpa/.chainsaw-test/chainsaw-test.yaml index 0295c018e..f34e01f60 100755 --- a/other/prevent-duplicate-vpa/.chainsaw-test/chainsaw-test.yaml +++ b/other/prevent-duplicate-vpa/.chainsaw-test/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: 01 - Create policy and Enforce try: + - apply: + file: permissions.yaml - apply: file: ../prevent-duplicate-vpa.yaml - patch: diff --git a/other/prevent-duplicate-vpa/.chainsaw-test/permissions.yaml b/other/prevent-duplicate-vpa/.chainsaw-test/permissions.yaml new file mode 100644 index 000000000..6b20b3c83 --- /dev/null +++ b/other/prevent-duplicate-vpa/.chainsaw-test/permissions.yaml 
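Review bot: `kyverno:nodes:view` keeps `- update` in its verbs while now being aggregated to the admission and reports controllers, so both of those controllers gain write access to Node objects; the second ClusterRole `kyverno:nodes:update` added below already grants update to the background controller alone, which looks like the intended split. Remove the `- update` line from the `kyverno:nodes:view` rule so the view role is read-only and the write scope stays with `kyverno:nodes:update`. The renamed role also still carries `app.kubernetes.io/component: background-controller` although it now aggregates to all three controllers, which reads as stale.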
@@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:vpa + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - autoscaling.k8s.io + resources: + - verticalpodautoscalers + verbs: + - get + - list + - watch \ No newline at end of file diff --git a/other/restrict-secrets-by-label/.chainsaw-test/chainsaw-test.yaml b/other/restrict-secrets-by-label/.chainsaw-test/chainsaw-test.yaml index 58c43c489..f0709b46a 100755 --- a/other/restrict-secrets-by-label/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-secrets-by-label/.chainsaw-test/chainsaw-test.yaml @@ -8,6 +8,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: secret.yaml - apply: diff --git a/other/restrict-secrets-by-label/.chainsaw-test/permissions.yaml b/other/restrict-secrets-by-label/.chainsaw-test/permissions.yaml new file mode 100644 index 000000000..1150569d8 --- /dev/null +++ b/other/restrict-secrets-by-label/.chainsaw-test/permissions.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets:view + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch diff --git a/other/sync-secrets/.chainsaw-test/chainsaw-test.yaml b/other/sync-secrets/.chainsaw-test/chainsaw-test.yaml index e4040b03b..abd1f5899 100755 --- a/other/sync-secrets/.chainsaw-test/chainsaw-test.yaml +++ b/other/sync-secrets/.chainsaw-test/chainsaw-test.yaml @@ -8,6 +8,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: ../sync-secrets.yaml - assert: 
diff --git a/other/sync-secrets/.chainsaw-test/permissions.yaml b/other/sync-secrets/.chainsaw-test/permissions.yaml
new file mode 100644
index 000000000..20337067e
--- /dev/null
+++ b/other/sync-secrets/.chainsaw-test/permissions.yaml
@@ -0,0 +1,33 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets:view
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets:manage
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - create
+ - update
+ - delete
\ No newline at end of file
From 412727e0d3b3359870cb2e2ae572edb3380829ec Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Fri, 9 Aug 2024 18:04:30 +0530
Subject: [PATCH 3/9] use optionals in cel (#1112)
Signed-off-by: Chandan-DK Co-authored-by: Jim Bugwadia --- .../application-prevent-default-project.yaml | 2 +- .../artifacthub-pkg.yml | 2 +- .../artifacthub-pkg.yml | 2 +- .../require-encryption-aws-loadbalancers.yaml | 3 +-- .../artifacthub-pkg.yml | 2 +- .../disallow-empty-ingress-host.yaml | 3 +-- .../require-drop-all/artifacthub-pkg.yml | 2 +- .../require-drop-all/require-drop-all.yaml | 7 ++----- .../require-drop-cap-net-raw/artifacthub-pkg.yml | 2 +- .../require-drop-cap-net-raw.yaml | 7 ++----- .../require-labels/artifacthub-pkg.yml | 2 +- .../require-labels/require-labels.yaml | 3 +-- .../require-ro-rootfs/artifacthub-pkg.yml | 2 +- .../require-ro-rootfs/require-ro-rootfs.yaml | 3 +-- .../artifacthub-pkg.yml | 2 +- .../restrict-image-registries.yaml | 2 +- .../enforce-min-tls-version/artifacthub-pkg.yml | 2 +- .../enforce-min-tls-version.yaml | 3 +-- flux-cel/verify-flux-sources/artifacthub-pkg.yml | 2 +- .../verify-flux-sources/verify-flux-sources.yaml | 4 ++-- .../artifacthub-pkg.yml | 2 +- .../enforce-sidecar-injection-namespace.yaml | 2 +- .../artifacthub-pkg.yml | 2 +- .../prevent-disabling-injection-pods.yaml | 3 +-- .../artifacthub-pkg.yml | 2 +- .../k10-data-protection-by-label.yaml | 2 +- .../artifacthub-pkg.yml | 2 +- .../k10-validate-ns-by-preset-label.yaml | 2 +- .../require-kubecost-labels/artifacthub-pkg.yml | 2 +- .../require-kubecost-labels.yaml | 11 +++++------ .../artifacthub-pkg.yml | 2 +- .../prevent-linkerd-pod-injection-override.yaml | 2 +- .../artifacthub-pkg.yml | 2 +- .../require-linkerd-mesh-injection.yaml | 2 +- .../artifacthub-pkg.yml | 2 +- .../disallow-ingress-nginx-custom-snippets.yaml | 4 ++-- .../restrict-ingress-paths/artifacthub-pkg.yml | 2 +- .../restrict-ingress-paths.yaml | 5 ++--- .../artifacthub-pkg.yml | 2 +- ...allow-security-context-constraint-anyuid.yaml | 2 +- .../advanced-restrict-image-registries.yaml | 7 +++---- .../artifacthub-pkg.yml | 2 +- .../allowed-annotations/allowed-annotations.yaml | 3 +-- 
.../allowed-annotations/artifacthub-pkg.yml | 2 +- other-cel/check-env-vars/artifacthub-pkg.yml | 2 +- other-cel/check-env-vars/check-env-vars.yaml | 4 ++-- .../artifacthub-pkg.yml | 2 +- .../deny-commands-in-exec-probe.yaml | 7 ++----- .../disallow-all-secrets/artifacthub-pkg.yml | 2 +- .../disallow-all-secrets.yaml | 14 ++++++-------- .../artifacthub-pkg.yml | 2 +- .../disallow-secrets-from-env-vars.yaml | 4 ++-- .../artifacthub-pkg.yml | 2 +- .../docker-socket-requires-label.yaml | 4 ++-- .../enforce-pod-duration/artifacthub-pkg.yml | 2 +- .../enforce-pod-duration.yaml | 2 +- .../ensure-readonly-hostpath/artifacthub-pkg.yml | 2 +- .../ensure-readonly-hostpath.yaml | 7 +++---- other-cel/forbid-cpu-limits/artifacthub-pkg.yml | 2 +- .../forbid-cpu-limits/forbid-cpu-limits.yaml | 2 +- .../ingress-host-match-tls/artifacthub-pkg.yml | 2 +- .../ingress-host-match-tls.yaml | 4 ++-- .../limit-hostpath-vols/artifacthub-pkg.yml | 2 +- .../limit-hostpath-vols/limit-hostpath-vols.yaml | 2 +- .../artifacthub-pkg.yml | 2 +- .../memory-requests-equal-limits.yaml | 8 ++------ .../metadata-match-regex/artifacthub-pkg.yml | 2 +- .../metadata-match-regex.yaml | 3 +-- other-cel/pdb-maxunavailable/artifacthub-pkg.yml | 2 +- .../pdb-maxunavailable/pdb-maxunavailable.yaml | 2 +- other-cel/prevent-cr8escape/artifacthub-pkg.yml | 2 +- .../prevent-cr8escape/prevent-cr8escape.yaml | 4 ++-- .../require-annotations/artifacthub-pkg.yml | 2 +- .../require-annotations/require-annotations.yaml | 3 +-- .../artifacthub-pkg.yml | 2 +- .../require-container-port-names.yaml | 2 +- .../artifacthub-pkg.yml | 2 +- .../require-emptydir-requests-limits.yaml | 7 +++---- .../require-ingress-https/artifacthub-pkg.yml | 2 +- .../require-ingress-https.yaml | 4 +--- .../require-non-root-groups/artifacthub-pkg.yml | 2 +- .../require-non-root-groups.yaml | 14 ++++++-------- .../artifacthub-pkg.yml | 2 +- .../require-pod-priorityclassname.yaml | 2 +- .../require-storageclass/artifacthub-pkg.yml | 2 +- 
.../require-storageclass.yaml | 4 ++-- .../restrict-annotations/artifacthub-pkg.yml | 2 +- .../restrict-annotations.yaml | 2 +- .../artifacthub-pkg.yml | 2 +- .../restrict-controlplane-scheduling.yaml | 2 +- .../artifacthub-pkg.yml | 2 +- .../restrict-deprecated-registry.yaml | 2 +- .../restrict-ingress-classes/artifacthub-pkg.yml | 2 +- .../restrict-ingress-classes.yaml | 4 +--- .../artifacthub-pkg.yml | 2 +- .../restrict-ingress-wildcard.yaml | 2 +- .../restrict-node-affinity/artifacthub-pkg.yml | 2 +- .../restrict-node-affinity.yaml | 2 +- .../artifacthub-pkg.yml | 2 +- .../restrict-node-label-creation.yaml | 2 +- .../artifacthub-pkg.yml | 2 +- .../restrict-sa-automount-sa-token.yaml | 2 +- .../restrict-secrets-by-name/artifacthub-pkg.yml | 2 +- .../restrict-secrets-by-name.yaml | 16 ++++++++-------- .../artifacthub-pkg.yml | 2 +- .../restrict-usergroup-fsgroup-id.yaml | 6 +++--- .../artifacthub-pkg.yml | 2 +- .../topologyspreadconstraints-policy.yaml | 3 +-- .../add-psa-namespace-reporting.yaml | 2 +- .../artifacthub-pkg.yml | 2 +- .../artifacthub-pkg.yml | 2 +- .../check-supplemental-groups.yaml | 4 +--- .../artifacthub-pkg.yml | 2 +- .../restrict-adding-capabilities.yaml | 7 ++----- .../require-tekton-bundle/artifacthub-pkg.yml | 2 +- .../require-tekton-bundle.yaml | 4 ++-- 116 files changed, 160 insertions(+), 201 deletions(-) diff --git a/argo-cel/application-prevent-default-project/application-prevent-default-project.yaml b/argo-cel/application-prevent-default-project/application-prevent-default-project.yaml index 49290ca53..7a45796b5 100644 --- a/argo-cel/application-prevent-default-project/application-prevent-default-project.yaml +++ b/argo-cel/application-prevent-default-project/application-prevent-default-project.yaml 
@@ -28,6 +28,6 @@ spec:
 validate:
 cel:
 expressions:
- - expression: "has(object.spec.project) && object.spec.project != 'default'"
+ - expression: "object.spec.?project.orValue('') != 'default'"
 message: "The default project may not be used in an Application."
diff --git a/argo-cel/application-prevent-default-project/artifacthub-pkg.yml b/argo-cel/application-prevent-default-project/artifacthub-pkg.yml
index 0c10ce14b..8c9ed67c6 100644
--- a/argo-cel/application-prevent-default-project/artifacthub-pkg.yml
+++ b/argo-cel/application-prevent-default-project/artifacthub-pkg.yml
@@ -19,6 +19,6 @@ annotations:
 kyverno/category: "Argo in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Application"
-digest: aeb2bc00375b7c44bb36ca7a3cd2f5f80ed17548abf98529d4617803be71196d
+digest: 30a66468036d5a7d5f63e5581d7a4dbb33f6d93ecdfca566f9a465b11d441acb
 createdAt: "2024-04-30T16:03:57Z"
diff --git a/aws-cel/require-encryption-aws-loadbalancers/artifacthub-pkg.yml b/aws-cel/require-encryption-aws-loadbalancers/artifacthub-pkg.yml
index 5b4a27745..234dd6bf7 100644
--- a/aws-cel/require-encryption-aws-loadbalancers/artifacthub-pkg.yml
+++ b/aws-cel/require-encryption-aws-loadbalancers/artifacthub-pkg.yml
@@ -20,6 +20,6 @@ annotations:
 kyverno/category: "AWS, EKS Best Practices in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Service"
-digest: 0a2c4fcb1a4aa5900aef0abba83625024def643c47ccfe1c6e0d1314c484f6f5
+digest: e2320be39a69521f5420e33890a87b1195a3658022e1e23909387e9dc0937c2e
 createdAt: "2024-05-11T16:01:13Z"
diff --git a/aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml b/aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml
index 7c94d956c..20c71ab38 100644
--- a/aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml
+++ b/aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml
@@ -34,7 +34,6 @@ spec:
 cel:
 expressions:
 - expression: >-
- has(object.metadata.annotations) &&
- 'service.beta.kubernetes.io/aws-load-balancer-ssl-cert' in object.metadata.annotations && object.metadata.annotations['service.beta.kubernetes.io/aws-load-balancer-ssl-cert'] != ''
+ object.metadata.?annotations[?'service.beta.kubernetes.io/aws-load-balancer-ssl-cert'].orValue('') != ''
 message: "Service of type LoadBalancer must carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert."
diff --git a/best-practices-cel/disallow-empty-ingress-host/artifacthub-pkg.yml b/best-practices-cel/disallow-empty-ingress-host/artifacthub-pkg.yml
index 0db591b73..dd36b796d 100644
--- a/best-practices-cel/disallow-empty-ingress-host/artifacthub-pkg.yml
+++ b/best-practices-cel/disallow-empty-ingress-host/artifacthub-pkg.yml
@@ -19,6 +19,6 @@ annotations:
 kyverno/category: "Best Practices in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Ingress"
-digest: 0ffe2735a10b721569cf7139d0d7d51dbc9327beae68e50e4f54f560804548e9
+digest: e07447adca26bd41cf44f7cced9f50fef4d6293d142a5092d0a95f4473747043
 createdAt: "2024-03-09T14:19:51Z"
diff --git a/best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml b/best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml
index c8cf73536..62df5473d 100644
--- a/best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml
+++ b/best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml
@@ -30,7 +30,6 @@ spec:
 cel:
 expressions:
 - expression: >-
- !has(object.spec.rules) ||
- object.spec.rules.all(rule, has(rule.host) && has(rule.http))
+ object.spec.?rules.orValue([]).all(rule, has(rule.host) && has(rule.http))
 message: "The Ingress host name must be defined, not empty."
diff --git a/best-practices-cel/require-drop-all/artifacthub-pkg.yml b/best-practices-cel/require-drop-all/artifacthub-pkg.yml
index 8d7c64e35..22f58a86a 100644
--- a/best-practices-cel/require-drop-all/artifacthub-pkg.yml
+++ b/best-practices-cel/require-drop-all/artifacthub-pkg.yml
@@ -19,6 +19,6 @@ annotations:
 kyverno/category: "Best Practices in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: c3d8959bdc68460e21ff5495994d0bb1a3aa7cb7a5b31740af33638b2dad466c
+digest: e30e0e6e98ad92017d641eddc650335cb688873b2c14c666fda925f3e809ae40
 createdAt: "2024-03-10T05:05:42Z"
diff --git a/best-practices-cel/require-drop-all/require-drop-all.yaml b/best-practices-cel/require-drop-all/require-drop-all.yaml
index 70b9eca5f..c46cf43e0 100644
--- a/best-practices-cel/require-drop-all/require-drop-all.yaml
+++ b/best-practices-cel/require-drop-all/require-drop-all.yaml
@@ -32,13 +32,10 @@ spec:
 cel:
 variables:
 - name: allContainers
- expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
+ expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
 expressions:
 - expression: >-
 variables.allContainers.all(container,
- has(container.securityContext) &&
- has(container.securityContext.capabilities) &&
- has(container.securityContext.capabilities.drop) &&
- container.securityContext.capabilities.drop.exists(capability, capability.upperAscii() == 'ALL'))
+ container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() == 'ALL'))
 message: "Containers must drop `ALL` capabilities."
diff --git a/best-practices-cel/require-drop-cap-net-raw/artifacthub-pkg.yml b/best-practices-cel/require-drop-cap-net-raw/artifacthub-pkg.yml
index 4e5d6742d..d726f54fe 100644
--- a/best-practices-cel/require-drop-cap-net-raw/artifacthub-pkg.yml
+++ b/best-practices-cel/require-drop-cap-net-raw/artifacthub-pkg.yml
@@ -19,6 +19,6 @@ annotations:
 kyverno/category: "Best Practices in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: ef4e56b25b29423934e0e21cdea2d6c4e0ae3e67d84a1456f52b3d66fe9fa25a
+digest: 28cac97e2c441528f12158cc0c6d3c8c07067537831a88d5445a2128b42746b4
 createdAt: "2024-03-15T03:05:47Z"
diff --git a/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml b/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
index 1064b6335..f6d7440aa 100644
--- a/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
+++ b/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
@@ -33,14 +33,11 @@ spec:
 cel:
 variables:
 - name: allContainers
- expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
+ expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
 expressions:
 - expression: >-
 variables.allContainers.all(container,
- has(container.securityContext) &&
- has(container.securityContext.capabilities) &&
- has(container.securityContext.capabilities.drop) &&
- container.securityContext.capabilities.drop.exists(capability, capability.upperAscii() == 'CAP_NET_RAW'))
+ container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() == 'CAP_NET_RAW'))
 message: >-
 Containers must drop the `CAP_NET_RAW` capability.
diff --git a/best-practices-cel/require-labels/artifacthub-pkg.yml b/best-practices-cel/require-labels/artifacthub-pkg.yml
index 321438b73..7baa78674 100644
--- a/best-practices-cel/require-labels/artifacthub-pkg.yml
+++ b/best-practices-cel/require-labels/artifacthub-pkg.yml
@@ -19,6 +19,6 @@ annotations:
 kyverno/category: "Best Practices in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod, Label"
-digest: cdcd97f2977e45e753975a75184c12d37e297a615f50322be925e64885ffa5e0
+digest: 90e1ceb1c27f70169fcd448cb48df4c7694d8252e060da24c7b2e9bb16a4fc88
 createdAt: "2024-03-06T19:31:45Z"
diff --git a/best-practices-cel/require-labels/require-labels.yaml b/best-practices-cel/require-labels/require-labels.yaml
index c43d15657..12a2062e6 100644
--- a/best-practices-cel/require-labels/require-labels.yaml
+++ b/best-practices-cel/require-labels/require-labels.yaml
@@ -31,7 +31,6 @@ spec:
 cel:
 expressions:
 - expression: >-
- has(object.metadata.labels) &&
- 'app.kubernetes.io/name' in object.metadata.labels && object.metadata.labels['app.kubernetes.io/name'] != ""
+ object.metadata.?labels[?'app.kubernetes.io/name'].orValue('') != ""
 message: "The label `app.kubernetes.io/name` is required."
diff --git a/best-practices-cel/require-ro-rootfs/artifacthub-pkg.yml b/best-practices-cel/require-ro-rootfs/artifacthub-pkg.yml
index 87f6545b4..187f4bc4d 100644
--- a/best-practices-cel/require-ro-rootfs/artifacthub-pkg.yml
+++ b/best-practices-cel/require-ro-rootfs/artifacthub-pkg.yml
@@ -20,6 +20,6 @@ annotations:
 kyverno/category: "Best Practices, EKS Best Practices in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: 08e28ef463ea200092f19e279fa3da071b276315f555b579786c564bbb8718c5
+digest: fe244b770ce2bc266f6af712404255b2968f26448614498fdf2f103ae82a1343
 createdAt: "2024-03-07T12:35:00Z"
diff --git a/best-practices-cel/require-ro-rootfs/require-ro-rootfs.yaml b/best-practices-cel/require-ro-rootfs/require-ro-rootfs.yaml
index 84a042438..fcb7473d5 100644
--- a/best-practices-cel/require-ro-rootfs/require-ro-rootfs.yaml
+++ b/best-practices-cel/require-ro-rootfs/require-ro-rootfs.yaml
@@ -33,7 +33,6 @@ spec:
 expressions:
 - expression: >-
 object.spec.containers.all(container,
- has(container.securityContext) &&
- container.securityContext.readOnlyRootFilesystem == true)
+ container.?securityContext.?readOnlyRootFilesystem.orValue(false) == true)
 message: "Root filesystem must be read-only."
diff --git a/best-practices-cel/restrict-image-registries/artifacthub-pkg.yml b/best-practices-cel/restrict-image-registries/artifacthub-pkg.yml
index fc35e4940..c7dce3b39 100644
--- a/best-practices-cel/restrict-image-registries/artifacthub-pkg.yml
+++ b/best-practices-cel/restrict-image-registries/artifacthub-pkg.yml
@@ -20,6 +20,6 @@ annotations:
 kyverno/category: "Best Practices, EKS Best Practices in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: cac6e95f5ac6f7d7235349ac935745672c2112a0a5400e8fb1f59c9750850ad0
+digest: 8fbe80e4d4b26e2a2acc2160d52bf5b88c4f137567ea569e086439fc1fe1bd49
 createdAt: "2024-03-07T13:35:11Z"
diff --git a/best-practices-cel/restrict-image-registries/restrict-image-registries.yaml b/best-practices-cel/restrict-image-registries/restrict-image-registries.yaml
index 6d55959fd..91db27a80 100644
--- a/best-practices-cel/restrict-image-registries/restrict-image-registries.yaml
+++ b/best-practices-cel/restrict-image-registries/restrict-image-registries.yaml
@@ -32,7 +32,7 @@ spec:
 cel:
 variables:
 - name: allContainers
- expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
+ expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
 expressions:
 - expression: "variables.allContainers.all(container, container.image.startsWith('eu.foo.io/') || container.image.startsWith('bar.io/'))"
 message: "Unknown image registry."
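Review bot: The rewritten require-ro-rootfs expression still iterates only `object.spec.containers` (the context line directly above the changed lines), while the sibling policies touched by this commit — require-drop-all, require-drop-cap-net-raw and restrict-image-registries — build an `allContainers` variable that also covers initContainers and ephemeralContainers. As written, an init or ephemeral container that lacks `readOnlyRootFilesystem: true` passes this policy. Unless the narrower scope is deliberate, change that line to `(object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])).all(container,` so the three policies agree on what a "container" is.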
diff --git a/consul-cel/enforce-min-tls-version/artifacthub-pkg.yml b/consul-cel/enforce-min-tls-version/artifacthub-pkg.yml
index 29cee5d57..a92a75302 100644
--- a/consul-cel/enforce-min-tls-version/artifacthub-pkg.yml
+++ b/consul-cel/enforce-min-tls-version/artifacthub-pkg.yml
@@ -19,6 +19,6 @@ annotations:
 kyverno/category: "Consul in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Mesh"
-digest: 076a14dd5d7a4b4b69d9b7c1c53deab6e8b2c0ce0ed570f3cf07b661fca92aef
+digest: ef025b5a358ed684ffe008b5a251e743289f5e2f28e72e49df10c895b1539260
 createdAt: "2024-05-02T17:47:54Z"
diff --git a/consul-cel/enforce-min-tls-version/enforce-min-tls-version.yaml b/consul-cel/enforce-min-tls-version/enforce-min-tls-version.yaml
index e7d340b3d..97fe0c258 100644
--- a/consul-cel/enforce-min-tls-version/enforce-min-tls-version.yaml
+++ b/consul-cel/enforce-min-tls-version/enforce-min-tls-version.yaml
@@ -29,7 +29,6 @@ spec:
 cel:
 expressions:
 - expression: >-
- has(object.spec) && has(object.spec.tls) && has(object.spec.tls.incoming) &&
- has(object.spec.tls.incoming.tlsMinVersion) && object.spec.tls.incoming.tlsMinVersion == 'TLSv1_2'
+ object.?spec.?tls.?incoming.?tlsMinVersion.orValue('') == 'TLSv1_2'
 message: The minimum version of TLS is TLS v1_2
diff --git a/flux-cel/verify-flux-sources/artifacthub-pkg.yml b/flux-cel/verify-flux-sources/artifacthub-pkg.yml
index 31c2fedbe..901eff1ec 100644
--- a/flux-cel/verify-flux-sources/artifacthub-pkg.yml
+++ b/flux-cel/verify-flux-sources/artifacthub-pkg.yml
@@ -19,6 +19,6 @@ annotations:
 kyverno/category: "Flux in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "GitRepository, Bucket, HelmRepository, ImageRepository"
-digest: bf6f3413334accaa083d0b203909b82f74b0131e862799124b940afd86e4372d
+digest: 0199445c867ee1e79d766a18fcd11b14b5107e7c2c541645f6ceea8df4e34dac
 createdAt: "2024-05-11T15:02:04Z"
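Review bot: The new enforce-min-tls-version expression keeps an exact comparison, `... .orValue('') == 'TLSv1_2'`, so a Mesh that sets `tlsMinVersion: TLSv1_3` — a stricter floor than the policy asks for — is denied, which contradicts the "minimum version" wording of the policy name and message. If the intent is a floor rather than a fixed value, compare against the acceptable set: `object.?spec.?tls.?incoming.?tlsMinVersion.orValue('') in ['TLSv1_2', 'TLSv1_3']`. Note also that the empty-string default means a Mesh that omits `tlsMinVersion` is denied; if relying on Consul's own default is considered acceptable, that decision should be stated in the message so operators understand why the field is required.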
diff --git a/flux-cel/verify-flux-sources/verify-flux-sources.yaml b/flux-cel/verify-flux-sources/verify-flux-sources.yaml
index 7c15ed2a8..5344211b6 100644
--- a/flux-cel/verify-flux-sources/verify-flux-sources.yaml
+++ b/flux-cel/verify-flux-sources/verify-flux-sources.yaml
@@ -56,7 +56,7 @@ spec:
 validate:
 cel:
 expressions:
- - expression: "has(object.spec.endpoint) && object.spec.endpoint.endsWith('.myorg.com')"
+ - expression: "object.spec.?endpoint.orValue('').endsWith('.myorg.com')"
 message: ".spec.endpoint must reference an address within the myorg organization."
 - name: flux-helm-repositories
 match:
@@ -94,6 +94,6 @@ spec:
 validate:
 cel:
 expressions:
- - expression: "has(object.spec.image) && object.spec.image.startsWith('ghcr.io/myorg/')"
+ - expression: "object.spec.?image.orValue('').startsWith('ghcr.io/myorg/')"
 message: ".spec.image must be from an image repository within the myorg organization."
diff --git a/istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml b/istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml
index 177e3d150..aa5b2f5f2 100644
--- a/istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml
+++ b/istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml
@@ -19,6 +19,6 @@ annotations:
 kyverno/category: "Istio in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Namespace"
-digest: 123feb2a8d1b2743e33b1f91ddf7291c47eedcf2c24ae537a1d3afe6c503338d
+digest: 9738fe6b1278148191239c380c074c197841a4926c7ffc1e23cd9a2b22f1175f
 createdAt: "2024-05-12T04:38:32Z"
diff --git a/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml b/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml
index 5a2c91d80..abbb3a4a3 100644
--- a/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml
+++ b/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml
@@ -29,6 +29,6 @@ spec:
 validate:
 cel:
 expressions:
- - expression: "has(object.metadata.labels) && 'istio-injection' in object.metadata.labels && object.metadata.labels['istio-injection'] == 'enabled'"
+ - expression: "object.metadata.?labels[?'istio-injection'].orValue('') == 'enabled'"
 message: "All new Namespaces must have Istio sidecar injection enabled."
diff --git a/istio-cel/prevent-disabling-injection-pods/artifacthub-pkg.yml b/istio-cel/prevent-disabling-injection-pods/artifacthub-pkg.yml
index 36ec09a25..97787ae11 100644
--- a/istio-cel/prevent-disabling-injection-pods/artifacthub-pkg.yml
+++ b/istio-cel/prevent-disabling-injection-pods/artifacthub-pkg.yml
@@ -19,6 +19,6 @@ annotations:
 kyverno/category: "Istio in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: 5de03c078273ce913a6ebf9064a85be4255b82e36f74bda822984e261363fe8b
+digest: 97408c8377b12760f93ab481284a80e6ac7b78f3d04bc89bb44ab55e32054f5c
 createdAt: "2024-05-12T04:48:58Z"
diff --git a/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml b/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml
index 6662e5151..816434746 100644
--- a/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml
+++ b/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml
@@ -32,7 +32,6 @@ spec:
 cel:
 expressions:
 - expression: >-
- !has(object.metadata.annotations) || !('sidecar.istio.io/inject' in object.metadata.annotations) ||
- object.metadata.annotations['sidecar.istio.io/inject'] != 'false'
+ object.metadata.?annotations[?'sidecar.istio.io/inject'].orValue('') != 'false'
 message: "Pods may not disable sidecar injection by setting the annotation sidecar.istio.io/inject to a value of false."
diff --git a/kasten-cel/k10-data-protection-by-label/artifacthub-pkg.yml b/kasten-cel/k10-data-protection-by-label/artifacthub-pkg.yml
index 2ca7fa978..b6ef9297e 100644
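Review bot: The rewritten prevent-disabling-injection-pods expression checks only the `sidecar.istio.io/inject` annotation, but Istio also honours the same key as a Pod label (the label form is the one current Istio documentation recommends), so a Pod that sets `sidecar.istio.io/inject: "false"` as a label is not covered by this rule while the message promises it is. Consider `object.metadata.?annotations[?'sidecar.istio.io/inject'].orValue('') != 'false' && object.metadata.?labels[?'sidecar.istio.io/inject'].orValue('') != 'false'` and widening the message to mention both the label and the annotation. The annotation-only scope pre-dates this commit; it is raised here because the line is being rewritten anyway.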
--- a/kasten-cel/k10-data-protection-by-label/artifacthub-pkg.yml
+++ b/kasten-cel/k10-data-protection-by-label/artifacthub-pkg.yml
@@ -19,6 +19,6 @@ annotations:
 kyverno/category: "Kasten K10 by Veeam in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Deployment, StatefulSet"
-digest: e3a088a52aac74e16f9b2776df78891344edd6dc03ee6456dc71d71c34519325
+digest: 8717e4f433a73aa59f79c557f17b75d8d7b5ac22839b4993975bba9cf8fb551b
 createdAt: "2024-05-12T07:05:48Z"
diff --git a/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml b/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml
index 58270490c..57294f6f2 100644
--- a/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml
+++ b/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml
@@ -31,6 +31,6 @@ spec:
 validate:
 cel:
 expressions:
- - expression: "has(object.metadata.labels) && has(object.metadata.labels.dataprotection) && object.metadata.labels.dataprotection.startsWith('k10-')"
+ - expression: "object.metadata.?labels.?dataprotection.orValue('').startsWith('k10-')"
 message: "Deployments and StatefulSets that specify 'dataprotection' label must have a valid k10-?* name (use labels: dataprotection: k10-)"
diff --git a/kasten-cel/k10-validate-ns-by-preset-label/artifacthub-pkg.yml b/kasten-cel/k10-validate-ns-by-preset-label/artifacthub-pkg.yml
index c1ec63ef0..a09f2fe53 100644
--- a/kasten-cel/k10-validate-ns-by-preset-label/artifacthub-pkg.yml
+++ b/kasten-cel/k10-validate-ns-by-preset-label/artifacthub-pkg.yml
@@ -19,6 +19,6 @@ annotations:
 kyverno/category: "Kasten K10 by Veeam in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Namespace"
-digest: e58ab4c2018542a6acd5e97446b09cf04cec26425b9a29f0207c518310c449f3
+digest: c277cd02118d9e63dc9e7b842ac27f261c1cd48a3d79a67660e8742d06af62f1
 createdAt: "2024-05-12T07:09:08Z"
diff --git a/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml b/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml
index 4668e742a..e509b59f6 100644
--- a/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml
+++ b/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml
@@ -32,7 +32,7 @@ spec:
 validate:
 cel:
 expressions:
- - expression: "has(object.metadata.labels) && has(object.metadata.labels.dataprotection) && object.metadata.labels.dataprotection in ['gold', 'silver', 'bronze', 'none']"
+ - expression: "object.metadata.?labels.?dataprotection.orValue('') in ['gold', 'silver', 'bronze', 'none']"
 message: >-
 Namespaces must specify a "dataprotection" label with a value corresponding to a Kasten K10 SLA:
diff --git a/kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml b/kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml
index bfae83d11..025d7822c 100644
--- a/kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml
+++ b/kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml
@@ -19,6 +19,6 @@ annotations:
 kyverno/category: "Kubecost in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod,Label"
-digest: e7dc12ab8d4fa467c23bc117db5c9e33e5e0d804c597ee0d88fb9f55f11ab535
+digest: 5b50102fc3a29abc915d2a81baee4335a505b3dc749057a310197b0442409a88
 createdAt: "2024-05-12T06:59:59Z"
diff --git a/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml b/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml
index 32ca0dccb..02cb6a58c 100644
--- a/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml
+++ b/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml
@@ -33,11 +33,10 @@ spec:
 cel:
 expressions:
 - expression: >-
- has(object.metadata.labels) &&
- has(object.metadata.labels.owner) && object.metadata.labels.owner != '' &&
- has(object.metadata.labels.team) && object.metadata.labels.team != '' &&
- has(object.metadata.labels.department) && object.metadata.labels.department != '' &&
- has(object.metadata.labels.app) && object.metadata.labels.app != '' &&
- has(object.metadata.labels.env) && object.metadata.labels.env != ''
+ object.metadata.?labels.?owner.orValue('') != '' &&
+ object.metadata.?labels.?team.orValue('') != '' &&
+ object.metadata.?labels.?department.orValue('') != '' &&
+ object.metadata.?labels.?app.orValue('') != '' &&
+ object.metadata.?labels.?env.orValue('') != ''
 message: "The Kubecost labels `owner`, `team`, `department`, `app`, and `env` are all required for Pods."
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml b/linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml
index 41668ea02..53b3f6541 100644
--- a/linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml
+++ b/linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml
@@ -19,5 +19,5 @@ annotations:
 kyverno/category: "Linkerd in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: 795a7d5ae06f9720bdbcc00ced965d1f7a28540c965628a47abc5621fb8d0033
+digest: 5b12ec5eb44fb90ffd0656f835ecb3ed7a119e6304230929eea4cbd5d222d4a1
 createdAt: "2024-05-21T15:39:18Z"
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml
index cbed7f953..ed989bad4 100644
--- a/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml
+++ b/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml
@@ -30,6 +30,6 @@ spec:
 validate:
 cel:
 expressions:
- - expression: "!has(object.metadata.annotations) || !('linkerd.io/inject' in object.metadata.annotations) || object.metadata.annotations['linkerd.io/inject'] != 'disabled'"
+ - expression: "object.metadata.?annotations[?'linkerd.io/inject'].orValue('') != 'disabled'"
 message: "Pods may not disable sidecar injection."
diff --git a/linkerd-cel/require-linkerd-mesh-injection/artifacthub-pkg.yml b/linkerd-cel/require-linkerd-mesh-injection/artifacthub-pkg.yml
index 647ab852c..063aad494 100644
--- a/linkerd-cel/require-linkerd-mesh-injection/artifacthub-pkg.yml
+++ b/linkerd-cel/require-linkerd-mesh-injection/artifacthub-pkg.yml
@@ -19,5 +19,5 @@ annotations:
 kyverno/category: "Linkerd in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Namespace, Annotation"
-digest: 54785b725fde31418dffca17c8b9eb619c64db8351743d370b5f628e5235fd93
+digest: 35eeae221b613fe7c3ddff2006d6f38e43c2ec6300ec89e7c44ac53ed93e0b62
 createdAt: "2024-05-21T16:06:15Z"
diff --git a/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml b/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml
index d05c38ec6..5fa23a47c 100644
--- a/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml
+++ b/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml
@@ -29,6 +29,6 @@ spec:
 validate:
 cel:
 expressions:
- - expression: "has(object.metadata.annotations) && 'linkerd.io/inject' in object.metadata.annotations && object.metadata.annotations['linkerd.io/inject'] == 'enabled'"
+ - expression: "object.metadata.?annotations[?'linkerd.io/inject'].orValue('') == 'enabled'"
 message: "All Namespaces must set the annotation `linkerd.io/inject` to `enabled`."
diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml
index 1aa414fe7..275f91434 100644
--- a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml
+++ b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml
@@ -20,5 +20,5 @@ annotations:
 kyverno/category: "Security, NGINX Ingress in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "ConfigMap, Ingress"
-digest: aaf1d6d140eb40ced231f9b1c1e58c76eb89c1974def85df5f0152b72b8d398b
+digest: 461b5ea917b380efcf272d0ac6ab2d8f4ceaa6d8c3b0b71efad5a7b23d10ae99
 createdAt: "2024-05-21T16:14:12Z"
diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml
index e7a098251..b8bf7d365 100644
--- a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml
+++ b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml
@@ -30,7 +30,7 @@ spec:
 validate:
 cel:
 expressions:
- - expression: "!has(object.data) || !('allow-snippet-annotations' in object.data) || object.data['allow-snippet-annotations'] == 'false'"
+ - expression: "object.?data[?'allow-snippet-annotations'].orValue('false') == 'false'"
 message: "ingress-nginx allow-snippet-annotations must be set to false"
 - name: check-ingress-annotations
 match:
@@ -44,6 +44,6 @@ spec:
 validate:
 cel:
 expressions:
- - expression: "!has(object.metadata.annotations) || !object.metadata.annotations.exists(annotation, annotation.endsWith('-snippet'))"
+ - expression: "!object.metadata.?annotations.orValue([]).exists(annotation, annotation.endsWith('-snippet'))"
 message: "ingress-nginx custom snippets are not allowed"
diff --git a/nginx-ingress-cel/restrict-ingress-paths/artifacthub-pkg.yml b/nginx-ingress-cel/restrict-ingress-paths/artifacthub-pkg.yml
index 6dc7c651c..29e399bc6 100644
--- a/nginx-ingress-cel/restrict-ingress-paths/artifacthub-pkg.yml
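Review bot: In the check-ingress-annotations hunk, `object.metadata.?annotations.orValue([])` supplies a list default for a value that is a `map(string, string)`; this runs under Kyverno's untyped `object`, but a type-checked CEL environment (for example when the rule is mirrored into a ValidatingAdmissionPolicy) would reject the mismatched `orValue` argument, and `exists` over a map iterates keys while over a list it iterates elements, so the two defaults are not the same shape. Use the map literal instead: `!object.metadata.?annotations.orValue({}).exists(annotation, annotation.endsWith('-snippet'))`. The same `orValue([])`-on-a-map pattern appears in the allowed-annotations hunk later in this commit. In the first hunk, `orValue('false')` treats an absent `allow-snippet-annotations` key as safe; that matches the current ingress-nginx default but, to my knowledge, not older controller releases where absence meant snippets were allowed, so a comment in the policy recording that assumption would help operators still running those versions.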
+++ b/nginx-ingress-cel/restrict-ingress-paths/artifacthub-pkg.yml
@@ -20,5 +20,5 @@ annotations:
 kyverno/category: "Security, NGINX Ingress in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Ingress"
-digest: 1c95fe0afc73a2e5e30376d7594d98b4e58cfd21378e3ea10035742eb960220f
+digest: 27e33a96f483688a088cd64017dd8c69ab2677e53f7a66b95a804c897f104755
 createdAt: "2024-05-22T07:13:08Z"
diff --git a/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml b/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml
index efabf6062..f65692e8f 100644
--- a/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml
+++ b/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml
@@ -30,9 +30,8 @@ spec:
 cel:
 expressions:
 - expression: >-
- !has(object.spec.rules) ||
- object.spec.rules.all(rule, !has(rule.http) || !has(rule.http.paths) ||
- rule.http.paths.all(p,
+ object.spec.?rules.orValue([]).all(rule,
+ rule.?http.?paths.orValue([]).all(p,
 !p.path.contains('/etc') && !p.path.contains('/var/run/secrets') && !p.path.contains('/root') && !p.path.contains('/var/run/kubernetes/serviceaccount') && !p.path.contains('/etc/kubernetes/admin.conf')))
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml b/openshift-cel/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml
index 69839fe57..92fb23206 100644
--- a/openshift-cel/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml
+++ b/openshift-cel/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml
@@ -19,5 +19,5 @@ annotations:
 kyverno/category: "Security in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Role,ClusterRole,RBAC"
-digest: a12e5cbb7ee88722774bf06d5c086804b4e3151811088be926470b12b8920cf0
+digest: 13d430a48c1a18ee97f2e86ad48f5e97f9a188ea3551c6884ff9ee8f1f81e2a6
 createdAt: "2024-05-22T09:53:47Z"
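Review bot: The restrict-ingress-paths rewrite guards `rules`, `http` and `paths` with optional access, but the unchanged context lines still dereference `p.path` directly; `path` is an optional field of `HTTPIngressPath` (it may be omitted with `pathType: ImplementationSpecific`), so an entry without it would make the expression error rather than evaluate, which is likely to surface as a spurious denial in Enforce mode. For consistency with the rest of the rewrite, read it as `p.?path.orValue('')` in each of the five `contains` checks, or bind it once in a `variables` entry. Separately, `contains` is a substring test, so the blocklist also rejects unrelated paths such as `/etcd` or `/rootfs`; if prefix semantics are what the policy intends, `startsWith` is the closer match and worth a comment either way.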
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml
index d37d4c72d..fe4b572db 100644
--- a/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml
+++ b/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml
@@ -29,7 +29,7 @@ spec:
 validate:
 cel:
 expressions:
- - expression: "!has(object.rules) || !object.rules.exists(rule, 'anyuid' in rule.resourceNames && ('use' in rule.verbs || '*' in rule.verbs))"
+ - expression: "!object.?rules.orValue([]).exists(rule, 'anyuid' in rule.resourceNames && ('use' in rule.verbs || '*' in rule.verbs))"
 message: >-
 Use of the SecurityContextConstraint (SCC) anyuid is not allowed
 - name: check-security-context-roleref
diff --git a/other-cel/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml b/other-cel/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml
index d0471c492..28cebce1a 100644
--- a/other-cel/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml
+++ b/other-cel/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml
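Review bot: `'anyuid' in rule.resourceNames` is still evaluated against a field that is optional on an RBAC `PolicyRule`; the rewrite added `?rules.orValue([])` but no guard on `resourceNames`, so a rule that omits it while granting `use` or `*` makes the `in` lookup error instead of returning false. Because CEL's `&&` only absorbs an error when the other operand is false, the error surfaces precisely for the broad rules this policy most needs to evaluate. Guard it the same way as `rules`: `'anyuid' in rule.?resourceNames.orValue([]) && ('use' in rule.verbs || '*' in rule.verbs)`.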
@@ -41,13 +41,12 @@ spec: parameterNotFoundAction: Deny variables: - name: allContainers - expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" + expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])" - name: nsregistries expression: >- - (has(namespaceObject.metadata.annotations) && 'corp.com/allowed-registries' in namespaceObject.metadata.annotations) ? - namespaceObject.metadata.annotations['corp.com/allowed-registries'] : ' ' + namespaceObject.metadata.?annotations[?'corp.com/allowed-registries'].orValue(' ') - name: clusterregistries - expression: "'registries' in params.data ? params.data['registries'] : ' '" + expression: "params.data[?'registries'].orValue(' ')" expressions: - expression: "variables.allContainers.all(container, container.image.startsWith(variables.nsregistries) || container.image.startsWith(variables.clusterregistries))" message: This Pod names an image that is not from an approved registry. diff --git a/other-cel/advanced-restrict-image-registries/artifacthub-pkg.yml b/other-cel/advanced-restrict-image-registries/artifacthub-pkg.yml index edb0ed41a..991b00cee 100644 --- a/other-cel/advanced-restrict-image-registries/artifacthub-pkg.yml +++ b/other-cel/advanced-restrict-image-registries/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: ada2e1e0dd2db1d27d973c07375812e415fb1592c9d1ea26a89850c090520ce4 +digest: affd33e654245f8e62ad872c2ce58b60776ab9b472123c19c6524c1790be414b createdAt: "2024-04-21T11:03:06Z" diff --git a/other-cel/allowed-annotations/allowed-annotations.yaml b/other-cel/allowed-annotations/allowed-annotations.yaml index cafedc945..2e0a7cc42 100644 --- a/other-cel/allowed-annotations/allowed-annotations.yaml 
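Review bot: The `clusterregistries` variable now reads `params.data[?'registries']`, but `data` itself is optional on a ConfigMap, so a ConfigMap that exists with no `data` stanza would hit an absent key before the optional index applies; `parameterNotFoundAction: Deny` only covers a missing ConfigMap. Using `params.?data[?'registries'].orValue(' ')` keeps the same fallback for that case. The `' '` default deserves a comment since it is load-bearing: an image reference never begins with a space, so `startsWith(' ')` never matches and a missing allow-list denies every image; I would add `# ' ' is a deliberate never-matching default so a missing allow-list fails closed` above both variables.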
+++ b/other-cel/allowed-annotations/allowed-annotations.yaml @@ -32,7 +32,6 @@ spec: cel: expressions: - expression: >- - !has(object.metadata.annotations) || - object.metadata.annotations.all(annotation, !annotation.contains('fluxcd.io/') || annotation in ['fluxcd.io/cow', 'fluxcd.io/dog']) + object.metadata.?annotations.orValue([]).all(annotation, !annotation.contains('fluxcd.io/') || annotation in ['fluxcd.io/cow', 'fluxcd.io/dog']) message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`. diff --git a/other-cel/allowed-annotations/artifacthub-pkg.yml b/other-cel/allowed-annotations/artifacthub-pkg.yml index e5e260c29..07a5fa847 100644 --- a/other-cel/allowed-annotations/artifacthub-pkg.yml +++ b/other-cel/allowed-annotations/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod, Annotation" -digest: e18bedf7d0b6b1b6ac5d723071d78a1594c325620a1ebd28dd8798414da786b2 +digest: 5853c229a0d206b7b5faa55b55f6b871a3afb0da597d3dcd8c7ea88cf20d83d2 createdAt: "2024-03-17T14:04:46Z" diff --git a/other-cel/check-env-vars/artifacthub-pkg.yml b/other-cel/check-env-vars/artifacthub-pkg.yml index c38d0ebdb..1e0f35b2b 100644 --- a/other-cel/check-env-vars/artifacthub-pkg.yml +++ b/other-cel/check-env-vars/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 4ed73ec1d10a3333d9fd87665880a4645e031de173c08dbda63eecfba2580dbe +digest: f44af22c70df6dfca262ce23ad5812d1a65d38073a86f47b8ed3a1d625dcc915 createdAt: "2024-03-21T13:31:53Z" diff --git a/other-cel/check-env-vars/check-env-vars.yaml b/other-cel/check-env-vars/check-env-vars.yaml index 36f980652..488d01326 100644 --- a/other-cel/check-env-vars/check-env-vars.yaml +++ b/other-cel/check-env-vars/check-env-vars.yaml 
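Review bot: The new expression defaults `metadata.annotations`, a `map<string,string>`, with `orValue([])`, a list. This only type-checks because `object` is `dyn` in this environment, and the `all` macro happens to iterate keys and elements alike, so the result is correct today; a typed `object` would reject it as an `optional(map).orValue(list)` mismatch. Using the type-matching empty map is the same behaviour without relying on that: `object.metadata.?annotations.orValue({}).all(annotation, !annotation.contains('fluxcd.io/') || annotation in ['fluxcd.io/cow', 'fluxcd.io/dog'])`.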
@@ -32,7 +32,7 @@ spec: cel: expressions: - expression: >- - !object.spec.containers.exists(container, has(container.env) && - container.env.exists(e, e.name == 'DISABLE_OPA' && e.value == 'true')) + !object.spec.containers.exists(container, + container.?env.orValue([]).exists(e, e.name == 'DISABLE_OPA' && e.value == 'true')) message: "DISABLE_OPA must not be set to true." diff --git a/other-cel/deny-commands-in-exec-probe/artifacthub-pkg.yml b/other-cel/deny-commands-in-exec-probe/artifacthub-pkg.yml index 2edc8226f..e84eccb9e 100644 --- a/other-cel/deny-commands-in-exec-probe/artifacthub-pkg.yml +++ b/other-cel/deny-commands-in-exec-probe/artifacthub-pkg.yml @@ -20,6 +20,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: af3cef475e79cc67105ba3a2be80f0692ea3744f14a9ccd3917d8de8d251e5d0 +digest: b6ed61532ebe13187f90525265d4c4b54875dab4300a54fed6f5cc7e826d470d createdAt: "2024-04-25T18:27:10Z" diff --git a/other-cel/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml b/other-cel/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml index a9381ee1f..45c6e65a8 100644 --- a/other-cel/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml +++ b/other-cel/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml 
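Review bot: The rewritten predicate still reads `e.value` unguarded, although `value` is optional on an EnvVar (an entry may use `valueFrom` instead), so an env entry named `DISABLE_OPA` sourced from a ConfigMap or Secret key reaches an absent field after `e.name == 'DISABLE_OPA'` is true, which in Kubernetes CEL is an evaluation error rather than a mismatch. Applying the same optional pattern the commit introduces elsewhere avoids that: `container.?env.orValue([]).exists(e, e.name == 'DISABLE_OPA' && e.?value.orValue('') == 'true')`. It is worth documenting next to the rule that values injected through `valueFrom` cannot be inspected at admission time, so this check only covers literal values, e.g. `# Only literal env values are checked; values sourced via valueFrom are not visible here`.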
@@ -30,16 +30,13 @@ spec: celPreconditions: - name: "check-liveness-probes-commands-exist" expression: >- - object.spec.containers.exists(container, - has(container.livenessProbe) && has(container.livenessProbe.exec) && - size(container.livenessProbe.exec.command) > 0) + object.spec.containers.exists(container, size(container.?livenessProbe.?exec.?command.orValue([])) > 0) validate: cel: expressions: - expression: >- object.spec.containers.all(container, - !has(container.livenessProbe) || !has(container.livenessProbe.exec) || - !container.livenessProbe.exec.command.exists(command, + !container.?livenessProbe.?exec.?command.orValue([]).exists(command, command.matches('\\bjcmd\\b') || command.matches('\\bps\\b') || command.matches('\\bls\\b'))) message: Cannot use commands `jcmd`, `ps`, or `ls` in liveness probes. diff --git a/other-cel/disallow-all-secrets/artifacthub-pkg.yml b/other-cel/disallow-all-secrets/artifacthub-pkg.yml index 8b637d856..02f3f2409 100644 --- a/other-cel/disallow-all-secrets/artifacthub-pkg.yml +++ b/other-cel/disallow-all-secrets/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod, Secret" -digest: 56e5facdefabb17337fca54838bb54025c60d69660091f213ad366ef94f6fd57 +digest: 31ee726bea089a0ea870feb4859b497d51cd976e316571d4b9af08fe81a74785 createdAt: "2024-03-23T11:14:09Z" diff --git a/other-cel/disallow-all-secrets/disallow-all-secrets.yaml b/other-cel/disallow-all-secrets/disallow-all-secrets.yaml index b868747ef..c8a3888f0 100644 --- a/other-cel/disallow-all-secrets/disallow-all-secrets.yaml +++ b/other-cel/disallow-all-secrets/disallow-all-secrets.yaml 
@@ -32,22 +32,20 @@ spec: variables: - name: allContainers expression: >- - object.spec.containers + - (has(object.spec.initContainers) ? object.spec.initContainers : []) + - (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []) + object.spec.containers + + object.spec.?initContainers.orValue([]) + + object.spec.?ephemeralContainers.orValue([]) expressions: - expression: >- variables.allContainers.all(container, - !has(container.env) || - container.env.all(env, !has(env.valueFrom) || !has(env.valueFrom.secretKeyRef))) + container.?env.orValue([]).all(env, env.?valueFrom.?secretKeyRef.orValue(true))) message: "No Secrets from env." - expression: >- variables.allContainers.all(container, - !has(container.envFrom) || - container.envFrom.all(envFrom, !has(envFrom.secretRef))) + container.?envFrom.orValue([]).all(envFrom, !has(envFrom.secretRef))) message: "No Secrets from envFrom." - - expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.secret))" + - expression: "object.spec.?volumes.orValue([]).all(volume, !has(volume.secret))" message: "No Secrets from volumes." diff --git a/other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml b/other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml index b2bc353df..dc6ebd868 100644 --- a/other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml +++ b/other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml @@ -20,6 +20,6 @@ annotations: kyverno/category: "Sample, EKS Best Practices in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod, Secret" -digest: 71ff57f46c814a0971e9fb70f065ca0ab2a4308d9f5d56b1a9f8032eef83782b +digest: 06a74b9ecec7d3c4bc3adef91fdb8ba33125f3b81c9432bc819505523de24746 createdAt: "2024-03-24T16:54:45Z" diff --git a/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml b/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml index fc36431f2..cd0786c0e 100644 
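Review bot: The new env predicate `env.?valueFrom.?secretKeyRef.orValue(true)` is not a boolean when a Secret is actually referenced: `orValue` returns the `secretKeyRef` object itself whenever it is present, and only yields `true` when it is absent. The `all` macro folds with `&&`, so the first container that really does pull a Secret into an env var turns the expression into an evaluation error instead of `false`, and whether that blocks the Pod then depends on how Kyverno reports CEL errors rather than on the policy. The intended negation is `container.?env.orValue([]).all(env, !env.?valueFrom.?secretKeyRef.hasValue())`, which mirrors the `!has(envFrom.secretRef)` form kept for the `envFrom` check two lines below.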
--- a/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml +++ b/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml @@ -29,8 +29,8 @@ spec: validate: cel: expressions: - - expression: "object.spec.containers.all(container, !has(container.env) || container.env.all(env, !has(env.valueFrom) || !has(env.valueFrom.secretKeyRef)))" + - expression: "object.spec.containers.all(container, container.?env.orValue([]).all(env, env.?valueFrom.?secretKeyRef.orValue(true)))" message: "Secrets must be mounted as volumes, not as environment variables." - - expression: "object.spec.containers.all(container, !has(container.envFrom) || container.envFrom.all(envFrom, !has(envFrom.secretRef)))" + - expression: "object.spec.containers.all(container, container.?envFrom.orValue([]).all(envFrom, !has(envFrom.secretRef)))" message: "Secrets must not come from envFrom statements." diff --git a/other-cel/docker-socket-requires-label/artifacthub-pkg.yml b/other-cel/docker-socket-requires-label/artifacthub-pkg.yml index 1579a8d2c..264884a07 100644 --- a/other-cel/docker-socket-requires-label/artifacthub-pkg.yml +++ b/other-cel/docker-socket-requires-label/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: b7f8b5251d1670da5514515e7ae4ffde77d8c9cb0d28c0dcaee61ba13adfd035 +digest: 6a042d293db3309de274b97414451ed620b19a9972d8a53b001f34b4daa67dff createdAt: "2024-03-27T12:13:52Z" diff --git a/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml b/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml index 26f26975e..6fb291390 100644 --- a/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml +++ b/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml 
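Review bot: The same `orValue(true)` problem appears in the first expression here: when `valueFrom.secretKeyRef` is set, `env.?valueFrom.?secretKeyRef.orValue(true)` evaluates to the `secretKeyRef` object, not `false`, so the `all` macro errors on exactly the Pods this rule exists to reject. The fix is the negated presence test: `- expression: "object.spec.containers.all(container, container.?env.orValue([]).all(env, !env.?valueFrom.?secretKeyRef.hasValue()))"`. Separately, this policy only inspects `spec.containers`, while the sibling `disallow-all-secrets` policy builds an `allContainers` variable covering `initContainers` and `ephemeralContainers`; a Secret pulled into an init container's env passes here, which is worth either aligning or stating in the rule description.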
@@ -31,9 +31,9 @@ spec: cel: variables: - name: hasDockerSocket - expression: "has(object.spec.volumes) && object.spec.volumes.exists(volume, has(volume.hostPath) && volume.hostPath.path == '/var/run/docker.sock')" + expression: "object.spec.?volumes.orValue([]).exists(volume, volume.?hostPath.?path.orValue('') == '/var/run/docker.sock')" - name: isAllowDockerLabelTrue - expression: "has(object.metadata.labels) && 'allow-docker' in object.metadata.labels && object.metadata.labels['allow-docker'] == 'true'" + expression: "object.metadata.?labels[?'allow-docker'].orValue('false') == 'true'" expressions: - expression: "!variables.hasDockerSocket || variables.isAllowDockerLabelTrue" message: "If a hostPath volume exists and is set to `/var/run/docker.sock`, the label `allow-docker` must equal `true`." diff --git a/other-cel/enforce-pod-duration/artifacthub-pkg.yml b/other-cel/enforce-pod-duration/artifacthub-pkg.yml index 8505baaf9..e54931b4f 100644 --- a/other-cel/enforce-pod-duration/artifacthub-pkg.yml +++ b/other-cel/enforce-pod-duration/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Sample in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 174a456e5d4afd8c8baa9c0c3bdb7da0e09934673f0544d575e5aad6aab5e644 +digest: 9cdc75a57a1cf01caa6895123ccfd94ad42ffb7deb46614d6ee55a35a8c4d519 createdAt: "2024-03-30T18:18:11Z" diff --git a/other-cel/enforce-pod-duration/enforce-pod-duration.yaml b/other-cel/enforce-pod-duration/enforce-pod-duration.yaml index 33a01dc2b..66321c5fa 100644 --- a/other-cel/enforce-pod-duration/enforce-pod-duration.yaml +++ b/other-cel/enforce-pod-duration/enforce-pod-duration.yaml 
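Review bot: The `hasDockerSocket` variable still matches only the exact string `/var/run/docker.sock`, so a hostPath of `/run/docker.sock` (on most distributions `/var/run` is a symlink to `/run`) or of a parent directory such as `/var/run` mounts the same socket without requiring the `allow-docker` label. If the exact-match behaviour is intentional it should be documented, e.g. `# Exact match only: parent-directory hostPaths and /run/docker.sock are not detected`; otherwise a pattern such as `volume.?hostPath.?path.orValue('').matches('^/(var/)?run/docker\\.sock$')` covers the common alias while keeping the optional-chaining form introduced here.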
@@ -29,7 +29,7 @@ spec: cel: variables: - name: hasLifetimeAnnotation - expression: "has(object.metadata.annotations) && 'pod.kubernetes.io/lifetime' in object.metadata.annotations" + expression: "object.metadata.?annotations[?'pod.kubernetes.io/lifetime'].hasValue()" - name: lifetimeAnnotationValue expression: "variables.hasLifetimeAnnotation ? object.metadata.annotations['pod.kubernetes.io/lifetime'] : '0s'" expressions: diff --git a/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml b/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml index b94f2dc6b..aa5a97e0b 100644 --- a/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml +++ b/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 203506a9391a1d4bee3ed42209ab7e964606aee881db2cd93290bd075c98840b +digest: c0acb4aa284ff94ed26e343502b35bc959bbe45d2d8f3d7b4fbb6780e0e27828 createdAt: "2024-04-05T17:39:16Z" diff --git a/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml b/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml index acfd4db5f..9b386141a 100644 --- a/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml +++ b/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml 
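Review bot: Only `hasLifetimeAnnotation` was moved to the optional syntax while `lifetimeAnnotationValue` on the next line still re-reads the annotation through a conditional on that variable, which is what the optional form was introduced to remove. The value variable can fetch its own default directly, `expression: "object.metadata.?annotations[?'pod.kubernetes.io/lifetime'].orValue('0s')"`, after which `hasLifetimeAnnotation` is only needed if the expressions below the hunk still reference it; those lines are outside the hunk and I cannot see them.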
@@ -34,13 +34,12 @@ spec: cel: variables: - name: allContainers - expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" + expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])" - name: hostPathVolumes - expression: "has(object.spec.volumes) ? object.spec.volumes.filter(volume, has(volume.hostPath)) : []" + expression: "object.spec.?volumes.orValue([]).filter(volume, has(volume.hostPath))" expressions: - expression: >- variables.hostPathVolumes.all(hostPath, variables.allContainers.all(container, - !has(container.volumeMounts) || - container.volumeMounts.all(volume, (hostPath.name != volume.name) || has(volume.readOnly) && volume.readOnly == true))) + container.volumeMounts.orValue([]).all(volume, (hostPath.name != volume.name) || volume.?readOnly.orValue(false) == true))) message: All hostPath volumes must be mounted as readOnly. diff --git a/other-cel/forbid-cpu-limits/artifacthub-pkg.yml b/other-cel/forbid-cpu-limits/artifacthub-pkg.yml index f116754ea..956bbad74 100644 --- a/other-cel/forbid-cpu-limits/artifacthub-pkg.yml +++ b/other-cel/forbid-cpu-limits/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 8d8febae3e8acfab78c2ccf8b96d086f7086ea156b0a0ac36611db1c8958c357 +digest: a3034659b216823d9f4c30bab521e3148817f7d21236e6ee755c94eef2b792a5 createdAt: "2024-04-01T15:35:47Z" diff --git a/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml b/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml index 75a791c85..8364ab7f4 100644 --- a/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml +++ b/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml 
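Review bot: The rewritten mount check reads `container.volumeMounts.orValue([])` without the `?` that every other conversion in this commit uses, so `orValue` is applied to a plain value rather than an optional: when `volumeMounts` is set there is no such overload, and when it is absent the field access itself fails, so the readOnly check can no longer evaluate for any Pod that has a hostPath volume. It should be `container.?volumeMounts.orValue([]).all(volume, (hostPath.name != volume.name) || volume.?readOnly.orValue(false))`, where the trailing `== true` is also redundant since `orValue(false)` already yields a bool. This is a security policy whose failure mode is an evaluation error rather than a denial, so it is worth adding a test Pod with a read-write hostPath mount to confirm the rule still produces a `fail`.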
@@ -30,6 +30,6 @@ spec: expressions: - expression: >- !object.spec.containers.exists(container, - has(container.resources) && has(container.resources.limits) && has(container.resources.limits.cpu)) + container.?resources.?limits.?cpu.hasValue()) message: Containers may not define CPU limits. diff --git a/other-cel/ingress-host-match-tls/artifacthub-pkg.yml b/other-cel/ingress-host-match-tls/artifacthub-pkg.yml index 541c86246..7f683b2ce 100644 --- a/other-cel/ingress-host-match-tls/artifacthub-pkg.yml +++ b/other-cel/ingress-host-match-tls/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Ingress" -digest: 4de00322c258919b797101a18afa3fa262ce78b52132f2fd903cfea8f60d1f1e +digest: 026f0c19f0c775abfc9887a91f1b323c327f73dfe68a360ef566ee208fec55bb createdAt: "2024-04-06T17:22:38Z" diff --git a/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml b/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml index 6b2f7f551..b059e8333 100644 --- a/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml +++ b/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml @@ -33,11 +33,11 @@ spec: cel: variables: - name: tls - expression: "has(object.spec.tls) ? object.spec.tls : []" + expression: "object.spec.?tls.orValue([])" expressions: - expression: >- object.spec.rules.all(rule, !has(rule.host) || - variables.tls.exists(tls, has(tls.hosts) && tls.hosts.exists(tlsHost, tlsHost == rule.host))) + variables.tls.exists(tls, tls.?hosts.orValue([]).exists(tlsHost, tlsHost == rule.host))) message: "The host(s) in spec.rules[].host must match those in spec.tls[].hosts[]." diff --git a/other-cel/limit-hostpath-vols/artifacthub-pkg.yml b/other-cel/limit-hostpath-vols/artifacthub-pkg.yml index 4386e87d4..a8b2fc989 100644 --- a/other-cel/limit-hostpath-vols/artifacthub-pkg.yml +++ b/other-cel/limit-hostpath-vols/artifacthub-pkg.yml 
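Review bot: In the ingress-host-match-tls hunk the outer `object.spec.rules.all(...)` and the inner `!has(rule.host) ||` were left in the old style while `tls` and `tls.hosts` were converted, and `rules` is itself optional on an IngressSpec. For consistency with the rest of the commit the guard would read `object.spec.?rules.orValue([]).all(rule, !has(rule.host) ||`. It would also help to state in the rule that a rule with no `host` deliberately passes, since that is the only way a rule can satisfy this check without a matching TLS entry, e.g. `# Rules without a host cannot be matched to a TLS entry and are accepted as-is`.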
@@ -19,6 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 8ae23309c8e49ca3e3abe72f406e9ae186564ab24468ea4e772b6f3097793892 +digest: 51afea296e6c4aeb11d29750b5733c36fa841da72841ecf78e74c1e3cb5c268b createdAt: "2024-04-26T15:52:10Z" diff --git a/other-cel/limit-hostpath-vols/limit-hostpath-vols.yaml b/other-cel/limit-hostpath-vols/limit-hostpath-vols.yaml index 65d038c77..a1a94ab4a 100644 --- a/other-cel/limit-hostpath-vols/limit-hostpath-vols.yaml +++ b/other-cel/limit-hostpath-vols/limit-hostpath-vols.yaml @@ -32,7 +32,7 @@ spec: - UPDATE celPreconditions: - name: "has-host-path-volume" - expression: "has(object.spec.volumes) && object.spec.volumes.exists(volume, has(volume.hostPath))" + expression: "object.spec.?volumes.orValue([]).exists(volume, has(volume.hostPath))" validate: cel: expressions: diff --git a/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml b/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml index 8fd967286..19b886be6 100644 --- a/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml +++ b/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Sample in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: fc71819c4079262810e06ee768738b1061f46985df61ab688007bfdb7433be70 +digest: 2d7d94485cd5c5b19ae666afb28a3b52ce7d861ffe571eb8d2d4636bca1a685d createdAt: "2024-04-07T11:13:21Z" diff --git a/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml b/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml index bc78c62b1..5b9985455 100644 --- a/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml +++ b/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml 
@@ -28,14 +28,10 @@ spec: - UPDATE validate: cel: - variables: - - name: containersWithResources - expression: object.spec.containers.filter(container, has(container.resources)) expressions: - expression: >- - variables.containersWithResources.all(container, - !has(container.resources.requests) || - !has(container.resources.requests.memory) || + object.spec.containers.all(container, + !container.?resources.?requests.?memory.hasValue() || container.resources.requests.memory == container.resources.?limits.?memory.orValue('-1')) message: "resources.requests.memory must be equal to resources.limits.memory" diff --git a/other-cel/metadata-match-regex/artifacthub-pkg.yml b/other-cel/metadata-match-regex/artifacthub-pkg.yml index 65d669de7..bcc2b513e 100644 --- a/other-cel/metadata-match-regex/artifacthub-pkg.yml +++ b/other-cel/metadata-match-regex/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod, Label" -digest: 2957a6e03dec3eab58436ddb3478aca69d41dbe7953c6ecb1ece1a54338856e2 +digest: 13f10d84ba859ce67122144d257a77024a781a292b6777cfbf88f191f003d85f createdAt: "2024-04-07T10:16:14Z" diff --git a/other-cel/metadata-match-regex/metadata-match-regex.yaml b/other-cel/metadata-match-regex/metadata-match-regex.yaml index 44676c893..3a3336cd8 100644 --- a/other-cel/metadata-match-regex/metadata-match-regex.yaml +++ b/other-cel/metadata-match-regex/metadata-match-regex.yaml @@ -31,8 +31,7 @@ spec: cel: expressions: - expression: >- - has(object.metadata.labels) && 'corp.org/version' in object.metadata.labels && - object.metadata.labels['corp.org/version'].matches('^v[0-9].[0-9].[0-9]$') + object.metadata.?labels[?'corp.org/version'].orValue('default').matches('^v[0-9].[0-9].[0-9]$') message: >- The label `corp.org/version` is required and must match the specified regex: ^v[0-9].[0-9].[0-9]$ 
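Review bot: The memory-requests-equal-limits expression compares `requests.memory` and `limits.memory` as strings, so semantically equal quantities written differently (`128Mi` versus `134217728`, or `1Gi` versus `1024Mi`) are reported as unequal, and the `'-1'` default for a missing limit is a sentinel that only works because no valid quantity string equals it. Both facts pre-date this commit but are now the only non-obvious parts of the rewritten rule, so I would document them: `# String comparison: equivalent quantities in different units are treated as unequal; '-1' is a never-matching default for a missing limit`. A quantity-aware comparison would need the `quantity()` CEL library, which is not available in the 1.26-1.27 range this policy declares.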
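Review bot: In the metadata-match-regex hunk the pattern `^v[0-9].[0-9].[0-9]$` uses unescaped dots, so `v1x2y3` or `v1-2-3` satisfy the label check as well as `v1.2.3`; the message repeats the same pattern, so both lines inherit the looseness. If the intent is a literal dotted version the expression should be `.matches('^v[0-9]\\.[0-9]\\.[0-9]$')` with the message updated to match. The `orValue('default')` fallback is fine, since `default` cannot match either pattern and so a missing label is still rejected, but a short comment such as `# 'default' is a never-matching placeholder so an absent label fails the regex` would make that intent explicit.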
diff --git a/other-cel/pdb-maxunavailable/artifacthub-pkg.yml b/other-cel/pdb-maxunavailable/artifacthub-pkg.yml index 9fe6c2180..b0a51f2ac 100644 --- a/other-cel/pdb-maxunavailable/artifacthub-pkg.yml +++ b/other-cel/pdb-maxunavailable/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "PodDisruptionBudget" -digest: 4b452f78ab0ff9715f1454fd3ca827b7aa7a892fa2b2f23aa5c21a12851c526d +digest: e8a5e187db61953889fcfa1bcc5b0c24893508bbfb47aeb7c73b5c1a274337b7 createdAt: "2024-04-07T10:22:03Z" diff --git a/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml b/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml index 5b036805c..812804e5e 100644 --- a/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml +++ b/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml @@ -29,6 +29,6 @@ spec: validate: cel: expressions: - - expression: "!has(object.spec.maxUnavailable) || int(object.spec.maxUnavailable) > 0" + - expression: "int(object.spec.?maxUnavailable.orValue(1)) > 0" message: "The value of maxUnavailable must be greater than zero." diff --git a/other-cel/prevent-cr8escape/artifacthub-pkg.yml b/other-cel/prevent-cr8escape/artifacthub-pkg.yml index 17703c6d2..a314f8af5 100644 --- a/other-cel/prevent-cr8escape/artifacthub-pkg.yml +++ b/other-cel/prevent-cr8escape/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 7a684c2d2747e4ef77b44de44734c74143325757077e8047f3c89d535c5b9dfd +digest: ac2beb2d3eae9cea07feee4eadfd94e4a584e03ccb62cc84401038ffde0e6241 createdAt: "2024-04-08T10:46:02Z" diff --git a/other-cel/prevent-cr8escape/prevent-cr8escape.yaml b/other-cel/prevent-cr8escape/prevent-cr8escape.yaml index f81fc062c..7370ddda6 100644 --- a/other-cel/prevent-cr8escape/prevent-cr8escape.yaml +++ b/other-cel/prevent-cr8escape/prevent-cr8escape.yaml 
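Review bot: `maxUnavailable` is an IntOrString field, and the rewritten `int(object.spec.?maxUnavailable.orValue(1)) > 0` still passes a percentage such as `"25%"` straight to `int()`, which is a conversion error in CEL rather than a comparison, so PDBs written with percentages cannot be evaluated by this rule (this was already true of the previous form). If percentages are meant to be covered, branch on the runtime type, e.g. `type(object.spec.?maxUnavailable.orValue(1)) == string ? int(object.spec.maxUnavailable.replace('%', '')) > 0 : int(object.spec.?maxUnavailable.orValue(1)) > 0`; if they are not, the rule description should say so. The `orValue(1)` default preserves the old `!has(...) ||` behaviour of accepting an unset field, which is worth a one-line comment since the message says the value "must be greater than zero".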
@@ -32,7 +32,7 @@ spec: cel: expressions: - expression: >- - !has(object.spec.securityContext) || !has(object.spec.securityContext.sysctls) || - object.spec.securityContext.sysctls.all(sysctl, !has(sysctl.value) || (!sysctl.value.contains('+') && !sysctl.value.contains('='))) + object.spec.?securityContext.?sysctls.orValue([]).all(sysctl, + !has(sysctl.value) || (!sysctl.value.contains('+') && !sysctl.value.contains('='))) message: "characters '+' or '=' are not allowed in sysctls values" diff --git a/other-cel/require-annotations/artifacthub-pkg.yml b/other-cel/require-annotations/artifacthub-pkg.yml index 83da222c3..949f0d98e 100644 --- a/other-cel/require-annotations/artifacthub-pkg.yml +++ b/other-cel/require-annotations/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod, Annotation" -digest: affed5b798321bdaac4b178887ad1a98c4fd00e9e756849dac3f0d70148f6ef1 +digest: daf07a7c0e54bab1c25e2831feba7f3e9a0fd6e1f5e60b2bc043418a2d4f7c5d createdAt: "2024-04-09T15:56:35Z" diff --git a/other-cel/require-annotations/require-annotations.yaml b/other-cel/require-annotations/require-annotations.yaml index 1f01534b4..6394abdec 100644 --- a/other-cel/require-annotations/require-annotations.yaml +++ b/other-cel/require-annotations/require-annotations.yaml @@ -31,7 +31,6 @@ spec: cel: expressions: - expression: >- - has(object.metadata.annotations) && - 'corp.org/department' in object.metadata.annotations && object.metadata.annotations['corp.org/department'] != '' + object.metadata.?annotations[?'corp.org/department'].orValue('') != '' message: "The annotation `corp.org/department` is required." diff --git a/other-cel/require-container-port-names/artifacthub-pkg.yml b/other-cel/require-container-port-names/artifacthub-pkg.yml index 1583eaf92..401c9c763 100644 --- a/other-cel/require-container-port-names/artifacthub-pkg.yml +++ b/other-cel/require-container-port-names/artifacthub-pkg.yml 
@@ -19,6 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 62488bb402289ddbffe291c61acb14a50347e476e99d4f79ba035b4d3297403e +digest: 769749ee4aefe260c950c0f36f7c966ef3f9c432469e342014660992b35c475d createdAt: "2024-04-27T16:37:39Z" diff --git a/other-cel/require-container-port-names/require-container-port-names.yaml b/other-cel/require-container-port-names/require-container-port-names.yaml index b2756b98e..ce89cac63 100644 --- a/other-cel/require-container-port-names/require-container-port-names.yaml +++ b/other-cel/require-container-port-names/require-container-port-names.yaml @@ -31,6 +31,6 @@ spec: validate: cel: expressions: - - expression: "object.spec.containers.all(container, !has(container.ports) || container.ports.all(port, has(port.name)))" + - expression: "object.spec.containers.all(container, container.?ports.orValue([]).all(port, has(port.name)))" message: Name is required for every containerPort. diff --git a/other-cel/require-emptydir-requests-limits/artifacthub-pkg.yml b/other-cel/require-emptydir-requests-limits/artifacthub-pkg.yml index 859a6e8b3..4b10934af 100644 --- a/other-cel/require-emptydir-requests-limits/artifacthub-pkg.yml +++ b/other-cel/require-emptydir-requests-limits/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 8915013155bfb12e6414848c9dec66a9e95ab7318f5da7d0c64bc621143e5383 +digest: 532dc08b43aa1027bd893d6e21e7d3310e537a212cebedead22608e0c94e2dc5 createdAt: "2024-05-19T10:11:00Z" diff --git a/other-cel/require-emptydir-requests-limits/require-emptydir-requests-limits.yaml b/other-cel/require-emptydir-requests-limits/require-emptydir-requests-limits.yaml index bc3cc0b67..5fd3ec9c3 100644 --- a/other-cel/require-emptydir-requests-limits/require-emptydir-requests-limits.yaml 
+++ b/other-cel/require-emptydir-requests-limits/require-emptydir-requests-limits.yaml @@ -30,12 +30,12 @@ spec: - UPDATE celPreconditions: - name: "has-emptydir-volume" - expression: "has(object.spec.volumes) && object.spec.volumes.exists(volume, has(volume.emptyDir))" + expression: "object.spec.?volumes.orValue([]).exists(volume, has(volume.emptyDir))" validate: cel: variables: - name: containers - expression: "object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : [])" + expression: "object.spec.containers + object.spec.?initContainers.orValue([])" - name: emptydirnames expression: >- has(object.spec.volumes) ? @@ -43,8 +43,7 @@ spec: expressions: - expression: >- variables.containers.all(container, - !has(container.volumeMounts) || - !container.volumeMounts.exists(mount, mount.name in variables.emptydirnames) || + !container.?volumeMounts.orValue([]).exists(mount, mount.name in variables.emptydirnames) || container.resources.?requests[?'ephemeral-storage'].hasValue() && container.resources.?limits[?'ephemeral-storage'].hasValue()) message: Containers mounting emptyDir volumes must specify requests and limits for ephemeral-storage. diff --git a/other-cel/require-ingress-https/artifacthub-pkg.yml b/other-cel/require-ingress-https/artifacthub-pkg.yml index 6712dedf5..d8eca61d3 100644 --- a/other-cel/require-ingress-https/artifacthub-pkg.yml +++ b/other-cel/require-ingress-https/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Ingress" -digest: 56fca07a343423b529d0cd1e27069ca705b60cc1f590c832b2467c757b1b6957 +digest: b30bc5463846fae38c141a57722099c05614db0da4b3a1f88a1bb7812a572b81 createdAt: "2024-04-10T18:31:27Z" diff --git a/other-cel/require-ingress-https/require-ingress-https.yaml b/other-cel/require-ingress-https/require-ingress-https.yaml index 36268e98d..cb7dd582c 100644 --- a/other-cel/require-ingress-https/require-ingress-https.yaml 
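Review bot: In the second hunk the new `!container.?volumeMounts.orValue([]).exists(...)` guard is followed by context lines that read `container.resources.?requests[...]` and `container.resources.?limits[...]`, but `resources` itself is optional on a Container, so a container that mounts an emptyDir and declares no `resources` block at all reaches an absent field before the optional index is applied; that is the exact container this rule should fail, and in Kubernetes CEL the absent field is an evaluation error rather than `false`. Those two lines should become `container.?resources.?requests[?'ephemeral-storage'].hasValue() && container.?resources.?limits[?'ephemeral-storage'].hasValue()`. The `emptydirnames` variable above still uses the `has(object.spec.volumes) ?` form; its expression continues outside the first hunk so I cannot see whether it was left unconverted deliberately.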
+++ b/other-cel/require-ingress-https/require-ingress-https.yaml @@ -31,9 +31,7 @@ spec: cel: expressions: - expression: >- - has(object.metadata.annotations) && - 'kubernetes.io/ingress.allow-http' in object.metadata.annotations && - object.metadata.annotations['kubernetes.io/ingress.allow-http'] == 'false' + object.metadata.?annotations[?'kubernetes.io/ingress.allow-http'].orValue('default') == 'false' message: "The kubernetes.io/ingress.allow-http annotation must be set to false." - name: has-tls match: diff --git a/other-cel/require-non-root-groups/artifacthub-pkg.yml b/other-cel/require-non-root-groups/artifacthub-pkg.yml index 6c9a54a0e..2004ec989 100644 --- a/other-cel/require-non-root-groups/artifacthub-pkg.yml +++ b/other-cel/require-non-root-groups/artifacthub-pkg.yml @@ -20,5 +20,5 @@ annotations: kyverno/category: "Sample, EKS Best Practices in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: b2f00c69719c2f91584551c65a0809e4d2d2e691030b41aa3bf80cdcb6e45320 +digest: 5b8983536f5922194a9ea86212f5ac316f396eefc1de09d4043947510b96ea16 createdAt: "2024-05-19T10:49:49Z" diff --git a/other-cel/require-non-root-groups/require-non-root-groups.yaml b/other-cel/require-non-root-groups/require-non-root-groups.yaml index 4f0f77b7d..b20053878 100644 --- a/other-cel/require-non-root-groups/require-non-root-groups.yaml +++ b/other-cel/require-non-root-groups/require-non-root-groups.yaml 
@@ -32,15 +32,15 @@ spec: cel: variables: - name: allContainers - expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" + expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])" expressions: - expression: >- ( - has(object.spec.securityContext) && has(object.spec.securityContext.runAsGroup) && (object.spec.securityContext.runAsGroup > 0) && - variables.allContainers.all(container, !has(container.securityContext) || !has(container.securityContext.runAsGroup) || container.securityContext.runAsGroup > 0) + object.spec.?securityContext.?runAsGroup.orValue(-1) > 0 && + variables.allContainers.all(container, container.?securityContext.?runAsGroup.orValue(1) > 0) ) || ( - variables.allContainers.all(container, has(container.securityContext) && has(container.securityContext.runAsGroup) && container.securityContext.runAsGroup > 0) + variables.allContainers.all(container, container.?securityContext.?runAsGroup.orValue(-1) > 0) ) message: >- Running with root group IDs is disallowed. The fields @@ -61,8 +61,7 @@ spec: cel: expressions: - expression: >- - !has(object.spec.securityContext) || !has(object.spec.securityContext.supplementalGroups) || - object.spec.securityContext.supplementalGroups.all(group, group > 0) + object.spec.?securityContext.?supplementalGroups.orValue([]).all(group, group > 0) message: >- Containers cannot run with a root primary or supplementary GID. The field spec.securityContext.supplementalGroups must be unset or 
@@ -80,8 +79,7 @@ spec: cel: expressions: - expression: >- - !has(object.spec.securityContext) || !has(object.spec.securityContext.fsGroup) || - object.spec.securityContext.fsGroup > 0 + object.spec.?securityContext.?fsGroup.orValue(1) > 0 message: >- Containers cannot run with a root primary or supplementary GID. The field spec.securityContext.fsGroup must be unset or set to a value greater than zero. diff --git a/other-cel/require-pod-priorityclassname/artifacthub-pkg.yml b/other-cel/require-pod-priorityclassname/artifacthub-pkg.yml index 834899b20..1b8ed7103 100644 --- a/other-cel/require-pod-priorityclassname/artifacthub-pkg.yml +++ b/other-cel/require-pod-priorityclassname/artifacthub-pkg.yml @@ -20,6 +20,6 @@ annotations: kyverno/category: "Multi-Tenancy, EKS Best Practices in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 10070a8c58969454fde8742cc3c1fdd5c196d98a918e8504f833331dd0a1c03b +digest: 252b3acff35bbfdb60bfdb57be947b8e983d65fbaa4c143bf8e9f714d6f54e04 createdAt: "2024-04-11T17:46:06Z" diff --git a/other-cel/require-pod-priorityclassname/require-pod-priorityclassname.yaml b/other-cel/require-pod-priorityclassname/require-pod-priorityclassname.yaml index 0e9be3f26..5ddddfcf5 100644 --- a/other-cel/require-pod-priorityclassname/require-pod-priorityclassname.yaml +++ b/other-cel/require-pod-priorityclassname/require-pod-priorityclassname.yaml @@ -32,6 +32,6 @@ spec: validate: cel: expressions: - - expression: "has(object.spec.priorityClassName) && object.spec.priorityClassName != ''" + - expression: "object.spec.?priorityClassName.orValue('') != ''" message: "Pods must define the priorityClassName field." diff --git a/other-cel/require-storageclass/artifacthub-pkg.yml b/other-cel/require-storageclass/artifacthub-pkg.yml index 4af61aff5..449726544 100644 --- a/other-cel/require-storageclass/artifacthub-pkg.yml +++ b/other-cel/require-storageclass/artifacthub-pkg.yml 
@@ -20,6 +20,6 @@ annotations: kyverno/category: "Other, Multi-Tenancy in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "PersistentVolumeClaim, StatefulSet" -digest: 50a19cfd04cb3ffc6cd1d064516042035b64213e16a85aecc891dc5c0806963c +digest: e7471108f222c8a533a02a8c3b956ac0762d0f1b5522b1a27c95d90b2aa5080e createdAt: "2024-04-11T18:06:16Z" diff --git a/other-cel/require-storageclass/require-storageclass.yaml b/other-cel/require-storageclass/require-storageclass.yaml index c7462d487..54cfbcc76 100644 --- a/other-cel/require-storageclass/require-storageclass.yaml +++ b/other-cel/require-storageclass/require-storageclass.yaml @@ -31,7 +31,7 @@ spec: validate: cel: expressions: - - expression: "has(object.spec.storageClassName) && object.spec.storageClassName != ''" + - expression: "object.spec.?storageClassName.orValue('') != ''" message: "PersistentVolumeClaims must define a storageClassName." - name: ss-storageclass match: @@ -48,6 +48,6 @@ spec: - expression: >- !has(object.spec.volumeClaimTemplates) || object.spec.volumeClaimTemplates.all(volumeClaimTemplate, - has(volumeClaimTemplate.spec.storageClassName) && volumeClaimTemplate.spec.storageClassName != '') + volumeClaimTemplate.spec.?storageClassName.orValue('') != '') message: "StatefulSets must define a storageClassName." diff --git a/other-cel/restrict-annotations/artifacthub-pkg.yml b/other-cel/restrict-annotations/artifacthub-pkg.yml index 7bf40797d..1989bc110 100644 --- a/other-cel/restrict-annotations/artifacthub-pkg.yml +++ b/other-cel/restrict-annotations/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Sample in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod, Annotation" -digest: 5e3188460d595814af4a9287d6af5e42819863d4b619bfc329effb6127c8bf94 +digest: cf1c58fd51dd74ce5fe3369919c7885c5a2f54bcd9c8d4ca38ee872662b8376f createdAt: "2024-04-12T15:55:04Z" 
diff --git a/other-cel/restrict-annotations/restrict-annotations.yaml b/other-cel/restrict-annotations/restrict-annotations.yaml index 6baf71410..3ac318e15 100644 --- a/other-cel/restrict-annotations/restrict-annotations.yaml +++ b/other-cel/restrict-annotations/restrict-annotations.yaml @@ -35,6 +35,6 @@ spec: validate: cel: expressions: - - expression: "!has(object.metadata.annotations) || !object.metadata.annotations.exists(annotation, annotation.startsWith('fluxcd.io/'))" + - expression: "!object.metadata.?annotations.orValue([]).exists(annotation, annotation.startsWith('fluxcd.io/'))" message: Cannot use Flux v1 annotation. diff --git a/other-cel/restrict-controlplane-scheduling/artifacthub-pkg.yml b/other-cel/restrict-controlplane-scheduling/artifacthub-pkg.yml index 66814ad24..a8da31fe7 100644 --- a/other-cel/restrict-controlplane-scheduling/artifacthub-pkg.yml +++ b/other-cel/restrict-controlplane-scheduling/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Sample in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 95c237c7d39fa64b37cf5708d566ca582f7f55770708092cf1e38d0a4e8a0828 +digest: e170af87f00d51c0a020dc88bf48c1aa1c213f7890f517dbeb898c9456722a46 createdAt: "2024-04-13T16:19:01Z" diff --git a/other-cel/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml b/other-cel/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml index 7a5a4e2d7..058c1e252 100644 --- a/other-cel/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml +++ b/other-cel/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml 
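Review bot: In the new `restrict-annotations` expression the fallback `orValue([])` has list type while `object.metadata.annotations` is a string map, so the optional's default does not have the type of the field it stands in for. If `object` is declared as dyn, which the policy working today suggests, this still evaluates correctly (an empty list has no element, `exists` is false and the negation passes), but a schema-typed CEL checker such as a ValidatingAdmissionPolicy port would reject the mismatched `orValue` argument. Use the map default instead: `!object.metadata.?annotations.orValue({}).exists(annotation, annotation.startsWith('fluxcd.io/'))`. The same `orValue([])`-on-a-map pattern appears in the `add-psa-namespace-reporting` hunk further down and deserves the same `{}`.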
@@ -32,6 +32,6 @@ spec: expressions: - expression: >- !has(object.spec.tolerations) || - !object.spec.tolerations.exists(toleration, has(toleration.key) && toleration.key in ['node-role.kubernetes.io/master', 'node-role.kubernetes.io/control-plane']) + !object.spec.tolerations.exists(toleration, toleration.?key.orValue('') in ['node-role.kubernetes.io/master', 'node-role.kubernetes.io/control-plane']) message: Pods may not use tolerations which schedule on control plane nodes. diff --git a/other-cel/restrict-deprecated-registry/artifacthub-pkg.yml b/other-cel/restrict-deprecated-registry/artifacthub-pkg.yml index fe1cd7447..87c07d1d4 100644 --- a/other-cel/restrict-deprecated-registry/artifacthub-pkg.yml +++ b/other-cel/restrict-deprecated-registry/artifacthub-pkg.yml @@ -20,6 +20,6 @@ annotations: kyverno/category: "Best Practices, EKS Best Practices in CEL" kyverno/kubernetesVersion: "1.27-1.28" kyverno/subject: "Pod" -digest: b7e1108f954b94f8de8d26c564d37e1a6930648c9bb725ac2d3d3b6456d2ea2d +digest: 467f0243c9c131c5328e87edcd39a3f2831d3adc2ec5037c547a053ba304f6ee createdAt: "2024-04-13T16:21:40Z" diff --git a/other-cel/restrict-deprecated-registry/restrict-deprecated-registry.yaml b/other-cel/restrict-deprecated-registry/restrict-deprecated-registry.yaml index 23f3168e6..218cb3781 100644 --- a/other-cel/restrict-deprecated-registry/restrict-deprecated-registry.yaml +++ b/other-cel/restrict-deprecated-registry/restrict-deprecated-registry.yaml 
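Review bot: The rewritten toleration check still lets a pod land on control-plane nodes via a key-less toleration, because a toleration with an empty `key` and `operator: Exists` tolerates every taint, including `node-role.kubernetes.io/control-plane`; `toleration.?key.orValue('')` maps such an entry to `''`, which is not in the list, so the rule passes it. Extend the predicate so the wildcard form is rejected as well: `!object.spec.tolerations.exists(toleration, toleration.?key.orValue('') in ['node-role.kubernetes.io/master', 'node-role.kubernetes.io/control-plane'] || (toleration.?key.orValue('') == '' && toleration.?operator.orValue('Equal') == 'Exists'))`. The message should then also say that key-less `Exists` tolerations are disallowed.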
@@ -32,7 +32,7 @@ spec: cel: variables: - name: allContainers - expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" + expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])" expressions: - expression: "variables.allContainers.all(container, !container.image.startsWith('k8s.gcr.io/'))" message: "The \"k8s.gcr.io\" image registry is deprecated. \"registry.k8s.io\" should now be used." diff --git a/other-cel/restrict-ingress-classes/artifacthub-pkg.yml b/other-cel/restrict-ingress-classes/artifacthub-pkg.yml index 7c72cc146..2d9abc2fd 100644 --- a/other-cel/restrict-ingress-classes/artifacthub-pkg.yml +++ b/other-cel/restrict-ingress-classes/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Sample in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Ingress" -digest: abbd493cdcdfd2a7ec903027a4b7f56b1d7761e7a0ce2822d1521bb853791455 +digest: 669b46277fefe37d17931a7c5ef66ab297dbe9c7881390ad7f0b75c8891ac303 createdAt: "2024-04-14T15:43:33Z" diff --git a/other-cel/restrict-ingress-classes/restrict-ingress-classes.yaml b/other-cel/restrict-ingress-classes/restrict-ingress-classes.yaml index ee46fccea..73ad00fc2 100644 --- a/other-cel/restrict-ingress-classes/restrict-ingress-classes.yaml +++ b/other-cel/restrict-ingress-classes/restrict-ingress-classes.yaml @@ -33,8 +33,6 @@ spec: cel: expressions: - expression: >- - has(object.metadata.annotations) && - 'kubernetes.io/ingress.class' in object.metadata.annotations && - object.metadata.annotations['kubernetes.io/ingress.class'] in ['HAProxy', 'nginx'] + object.metadata.?annotations[?'kubernetes.io/ingress.class'].orValue('') in ['HAProxy', 'nginx'] message: "Unknown ingress class." 
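Review bot: The `restrict-ingress-classes` rule still reads only the `kubernetes.io/ingress.class` annotation, so an Ingress that sets the annotation to `nginx` but also sets `spec.ingressClassName` to a different class passes the allow-list, and a controller that honours the field may still serve it. The annotation has been superseded by `spec.ingressClassName`, which is the value most controllers consult today, so consider covering it as well, for example `object.spec.?ingressClassName.orValue(object.metadata.?annotations[?'kubernetes.io/ingress.class'].orValue('')) in ['HAProxy', 'nginx']`, which prefers the field and falls back to the annotation. Whether both must be constrained depends on the controllers deployed in the cluster, so treat this as a hedge rather than a confirmed bypass.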
diff --git a/other-cel/restrict-ingress-wildcard/artifacthub-pkg.yml b/other-cel/restrict-ingress-wildcard/artifacthub-pkg.yml index 7e909e5a3..d95a50d54 100644 --- a/other-cel/restrict-ingress-wildcard/artifacthub-pkg.yml +++ b/other-cel/restrict-ingress-wildcard/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Ingress" -digest: 74fa42f42b40f259054e0a4c097e10673bfa977ef0f5451cef18d07222142a5b +digest: 4a41226fe1301a55f1f7dfadbc3ee87ee05ae981500b5b956dd44d62718eed2f createdAt: "2024-04-15T18:06:41Z" diff --git a/other-cel/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml b/other-cel/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml index 3eded4e68..7e494cd9e 100644 --- a/other-cel/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml +++ b/other-cel/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml @@ -32,6 +32,6 @@ spec: validate: cel: expressions: - - expression: "!has(object.spec.rules) || !object.spec.rules.exists(rule, has(rule.host) && rule.host.contains('*'))" + - expression: "!object.spec.?rules.orValue([]).exists(rule, has(rule.host) && rule.host.contains('*'))" message: "Wildcards are not permitted as hosts." diff --git a/other-cel/restrict-node-affinity/artifacthub-pkg.yml b/other-cel/restrict-node-affinity/artifacthub-pkg.yml index 57eb45451..bc581dd8c 100644 --- a/other-cel/restrict-node-affinity/artifacthub-pkg.yml +++ b/other-cel/restrict-node-affinity/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: a148811b16c64d0d77e4d14b4cc368acd90a186276801c2dc4cc7ce4f0fb9b98 +digest: 485e28fb5ff6628c443209cdd6425e70619a5a91c8334b13c8b83f6dd1a731d5 createdAt: "2024-04-18T18:08:24Z" 
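Review bot: The `restrict-ingress-wildcard` expression keeps the `has(rule.host) && rule.host.contains('*')` form inside the iteration while the outer part of the same line switches to optional chaining, so two styles now sit in one expression. For consistency with the rest of this commit write the inner predicate as `rule.?host.orValue('').contains('*')`, which is equivalent because an absent host becomes the empty string and cannot contain `*`.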
diff --git a/other-cel/restrict-node-affinity/restrict-node-affinity.yaml b/other-cel/restrict-node-affinity/restrict-node-affinity.yaml index fbad132dc..91b496240 100644 --- a/other-cel/restrict-node-affinity/restrict-node-affinity.yaml +++ b/other-cel/restrict-node-affinity/restrict-node-affinity.yaml @@ -31,6 +31,6 @@ spec: validate: cel: expressions: - - expression: "!has(object.spec.affinity) || !has(object.spec.affinity.nodeAffinity)" + - expression: "!object.spec.?affinity.?nodeAffinity.hasValue()" message: "Node affinity cannot be used." diff --git a/other-cel/restrict-node-label-creation/artifacthub-pkg.yml b/other-cel/restrict-node-label-creation/artifacthub-pkg.yml index 98c6f363b..f09eb30bb 100644 --- a/other-cel/restrict-node-label-creation/artifacthub-pkg.yml +++ b/other-cel/restrict-node-label-creation/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Sample in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Node, Label" -digest: 688f42a4211a49dd6f743e2e302654447b9e27d8da63cb5547201be85cbb783b +digest: f34cb899d81dd8927d55060f361d06d3b52d86b6bb319d9fb40a12fb7c6e46aa createdAt: "2024-05-20T03:52:11Z" diff --git a/other-cel/restrict-node-label-creation/restrict-node-label-creation.yaml b/other-cel/restrict-node-label-creation/restrict-node-label-creation.yaml index 5a51e0975..9f6472056 100644 --- a/other-cel/restrict-node-label-creation/restrict-node-label-creation.yaml +++ b/other-cel/restrict-node-label-creation/restrict-node-label-creation.yaml @@ -31,7 +31,7 @@ spec: - name: "operation-should-be-update" expression: "request.operation == 'UPDATE'" - name: "has-foo-label" - expression: "has(object.metadata.labels) && 'foo' in object.metadata.labels" + expression: "object.metadata.?labels.?foo.hasValue()" validate: cel: expressions: diff --git a/other-cel/restrict-sa-automount-sa-token/artifacthub-pkg.yml b/other-cel/restrict-sa-automount-sa-token/artifacthub-pkg.yml index af52ba110..0abf531bb 100644 
--- a/other-cel/restrict-sa-automount-sa-token/artifacthub-pkg.yml +++ b/other-cel/restrict-sa-automount-sa-token/artifacthub-pkg.yml @@ -27,6 +27,6 @@ annotations: kyverno/category: "Security in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "ServiceAccount" -digest: 3401afb861d2b9ca9d53ab5667ac1da3a32ba4af4a421accf65ed8448a63a6f2 +digest: 5798ac8ef2989b7d9aa42c607f87b86c876bb7729afb5ba191b995f2ae3ffd99 createdAt: "2024-04-18T18:11:04Z" diff --git a/other-cel/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml b/other-cel/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml index 0ac25122f..8e490d262 100644 --- a/other-cel/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml +++ b/other-cel/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml @@ -31,6 +31,6 @@ spec: validate: cel: expressions: - - expression: "has(object.automountServiceAccountToken) && object.automountServiceAccountToken == false" + - expression: "object.?automountServiceAccountToken.orValue(true) == false" message: "ServiceAccounts must set automountServiceAccountToken to false." diff --git a/other-cel/restrict-secrets-by-name/artifacthub-pkg.yml b/other-cel/restrict-secrets-by-name/artifacthub-pkg.yml index d1d1664ef..a8670cea7 100644 --- a/other-cel/restrict-secrets-by-name/artifacthub-pkg.yml +++ b/other-cel/restrict-secrets-by-name/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod, Secret" -digest: 9a77d417ab9d59569a5e202ab0cdd73fc95d387b485be0003691b851e0065c50 +digest: 2095949d1b1569b58d0848ee30f97f6b82b283d12c7e8558f1a2fd891a114f80 createdAt: "2024-04-20T16:40:34Z" diff --git a/other-cel/restrict-secrets-by-name/restrict-secrets-by-name.yaml b/other-cel/restrict-secrets-by-name/restrict-secrets-by-name.yaml index 2ff8d8f8c..eb1d5b808 100644 --- a/other-cel/restrict-secrets-by-name/restrict-secrets-by-name.yaml 
+++ b/other-cel/restrict-secrets-by-name/restrict-secrets-by-name.yaml @@ -33,12 +33,12 @@ spec: cel: variables: - name: allContainers - expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" + expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])" expressions: - expression: >- variables.allContainers.all(container, - !has(container.env) || container.env.all(env, - !has(env.valueFrom) || !has(env.valueFrom.secretKeyRef) || env.valueFrom.secretKeyRef.name.startsWith("safe-"))) + container.?env.orValue([]).all(env, + env.?valueFrom.?secretKeyRef.?name.orValue('safe-').startsWith("safe-"))) message: "Only Secrets beginning with `safe-` may be consumed in env statements." - name: safe-secrets-from-envfrom match: @@ -53,12 +53,12 @@ spec: cel: variables: - name: allContainers - expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" + expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])" expressions: - expression: >- variables.allContainers.all(container, - !has(container.envFrom) || container.envFrom.all(env, - !has(env.secretRef) || env.secretRef.name.startsWith("safe-"))) + container.?envFrom.orValue([]).all(env, + env.?secretRef.?name.orValue('safe-').startsWith("safe-"))) message: "Only Secrets beginning with `safe-` may be consumed in envFrom statements." - name: safe-secrets-from-volumes match: 
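Review bot: The new env expression defaults a missing Secret name to the allowed prefix, `env.?valueFrom.?secretKeyRef.?name.orValue('safe-')`, which makes the rule fail open: a `secretKeyRef` that is present but carries no `name` passes because the sentinel itself starts with `safe-`. The original form only reached `startsWith` once `secretKeyRef` existed and never had a pass-by-default path. As far as I recall the API server rejects a SecretKeySelector without a name, so this is latent today, but a validation rule should not depend on another layer to keep its default safe; use an empty default and guard on the reference's presence: `!env.?valueFrom.?secretKeyRef.hasValue() || env.valueFrom.secretKeyRef.?name.orValue('').startsWith("safe-")`. The `envFrom` hunk below (`env.?secretRef.?name.orValue('safe-')`) and the volumes hunk (`volume.?secret.?secretName.orValue('safe-')`) use the same sentinel and need the same change.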
@@ -73,7 +73,7 @@ spec: cel: expressions: - expression: >- - !has(object.spec.volumes) || object.spec.volumes.all(volume, - !has(volume.secret) || volume.secret.secretName.startsWith("safe-")) + object.spec.?volumes.orValue([]).all(volume, + volume.?secret.?secretName.orValue('safe-').startsWith("safe-")) message: "Only Secrets beginning with `safe-` may be consumed in volumes." diff --git a/other-cel/restrict-usergroup-fsgroup-id/artifacthub-pkg.yml b/other-cel/restrict-usergroup-fsgroup-id/artifacthub-pkg.yml index 0719c1d5e..03b1362de 100644 --- a/other-cel/restrict-usergroup-fsgroup-id/artifacthub-pkg.yml +++ b/other-cel/restrict-usergroup-fsgroup-id/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Sample in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: b709760f5d54a7e1720885c487c7f6ba5db404e0aed99dfabdc093206b42092c +digest: 65d0858b1b9196a038391e89afc535bf696c5a31514e6a830e0eeeb7626a1116 createdAt: "2024-04-20T16:57:00Z" diff --git a/other-cel/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml b/other-cel/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml index 13a57b963..6473646f2 100644 --- a/other-cel/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml +++ b/other-cel/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml 
@@ -31,10 +31,10 @@ spec: validate: cel: expressions: - - expression: "has(object.spec.securityContext.runAsUser) && object.spec.securityContext.runAsUser == 1000" + - expression: "object.spec.?securityContext.?runAsUser.orValue(1) == 1000" message: "User ID should be 1000." - - expression: "has(object.spec.securityContext.runAsGroup) && object.spec.securityContext.runAsGroup == 3000" + - expression: "object.spec.?securityContext.?runAsGroup.orValue(1) == 3000" message: "Group ID should be 3000." - - expression: "has(object.spec.securityContext.fsGroup) && object.spec.securityContext.fsGroup == 2000" + - expression: "object.spec.?securityContext.?fsGroup.orValue(1) == 2000" message: "fs Group should be 2000." diff --git a/other-cel/topologyspreadconstraints-policy/artifacthub-pkg.yml b/other-cel/topologyspreadconstraints-policy/artifacthub-pkg.yml index 3d251a745..5e3f12c95 100644 --- a/other-cel/topologyspreadconstraints-policy/artifacthub-pkg.yml +++ b/other-cel/topologyspreadconstraints-policy/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Sample in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Deployment, StatefulSet" -digest: bd9dae9c99706fe3d16d26f59bd1bb8ecdaf09ffb038d79e8906fb8c72ec3b0f +digest: cf0723d2305d06f553934a723122bd60444b1dcff192dc9f81177c1e05951a7e createdAt: "2024-04-29T15:49:11Z" diff --git a/other-cel/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml b/other-cel/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml index 858bfb197..10fe684f3 100644 --- a/other-cel/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml +++ b/other-cel/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml 
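Review bot: The three rewritten expressions in `restrict-usergroup-fsgroup-id` only inspect the pod-level `spec.securityContext`, so a container that sets its own `securityContext.runAsUser` or `runAsGroup` overrides the pod value unseen by the policy: a pod with `runAsUser: 1000` at pod level and `runAsUser: 0` on a container passes. `fsGroup` exists only at pod level, so that check is fine. If the intent is to pin the effective IDs, the first two expressions should also require every container to either omit the field or set the same value, e.g. `object.spec.containers.all(c, c.?securityContext.?runAsUser.orValue(1000) == 1000)` next to the pod-level check, with the same treatment for init and ephemeral containers.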
@@ -38,7 +38,6 @@ spec: cel: expressions: - expression: >- - has(object.spec.template.spec.topologySpreadConstraints) && - size(object.spec.template.spec.topologySpreadConstraints.filter(t, t.topologyKey == 'kubernetes.io/hostname' || t.topologyKey == 'topology.kubernetes.io/zone')) == 2 + size(object.spec.template.spec.?topologySpreadConstraints.orValue([]).filter(t, t.topologyKey == 'kubernetes.io/hostname' || t.topologyKey == 'topology.kubernetes.io/zone')) == 2 message: "topologySpreadConstraint for kubernetes.io/hostname & topology.kubernetes.io/zone are required" diff --git a/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml b/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml index 94f57bfd2..7d0d53480 100644 --- a/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml +++ b/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml @@ -37,6 +37,6 @@ spec: validate: cel: expressions: - - expression: "has(object.metadata.labels) && object.metadata.labels.exists(label, label.startsWith('pod-security.kubernetes.io/') && object.metadata.labels[label] != '')" + - expression: "object.metadata.?labels.orValue([]).exists(label, label.startsWith('pod-security.kubernetes.io/') && object.metadata.labels[label] != '')" message: This Namespace is missing a PSA label. diff --git a/psa-cel/add-psa-namespace-reporting/artifacthub-pkg.yml b/psa-cel/add-psa-namespace-reporting/artifacthub-pkg.yml index 0f68883ae..c24135339 100644 --- a/psa-cel/add-psa-namespace-reporting/artifacthub-pkg.yml +++ b/psa-cel/add-psa-namespace-reporting/artifacthub-pkg.yml @@ -20,5 +20,5 @@ annotations: kyverno/category: "Pod Security Admission, EKS Best Practices in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Namespace" -digest: d624eddc7d55bcdb3129ccb57f6e7d840b6eda6cf57134ce7385b89a92ea8686 +digest: f2682d998f335ebf99b534234213b491bfcb760ba7438b3d198efc2f14e86cdc createdAt: "2024-05-22T08:30:28Z" 
diff --git a/psp-migration-cel/check-supplemental-groups/artifacthub-pkg.yml b/psp-migration-cel/check-supplemental-groups/artifacthub-pkg.yml index 7717aebbe..406e93a6a 100644 --- a/psp-migration-cel/check-supplemental-groups/artifacthub-pkg.yml +++ b/psp-migration-cel/check-supplemental-groups/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "PSP Migration in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 05135ed92926031b15d782552af3f8dbf8776014401328e186987344079fcc66 +digest: 8cd53a2a3b47f9847eb4acd6902c92a704e5f0d257354ee722f4d4d3808359ea createdAt: "2024-05-23T13:57:56Z" diff --git a/psp-migration-cel/check-supplemental-groups/check-supplemental-groups.yaml b/psp-migration-cel/check-supplemental-groups/check-supplemental-groups.yaml index 461920574..c8d57dff1 100644 --- a/psp-migration-cel/check-supplemental-groups/check-supplemental-groups.yaml +++ b/psp-migration-cel/check-supplemental-groups/check-supplemental-groups.yaml @@ -32,8 +32,6 @@ spec: cel: expressions: - expression: >- - !has(object.spec.securityContext) || - !has(object.spec.securityContext.supplementalGroups) || - object.spec.securityContext.supplementalGroups.all(supplementalGroup, (supplementalGroup >= 100 && supplementalGroup <= 200) || (supplementalGroup >= 500 && supplementalGroup <= 600)) + object.spec.?securityContext.?supplementalGroups.orValue([]).all(supplementalGroup, (supplementalGroup >= 100 && supplementalGroup <= 200) || (supplementalGroup >= 500 && supplementalGroup <= 600)) message: Any supplementalGroup ID must be within the range 100-200 or 500-600. diff --git a/psp-migration-cel/restrict-adding-capabilities/artifacthub-pkg.yml b/psp-migration-cel/restrict-adding-capabilities/artifacthub-pkg.yml index 19ded7cb5..e3a9e69a3 100644 --- a/psp-migration-cel/restrict-adding-capabilities/artifacthub-pkg.yml +++ b/psp-migration-cel/restrict-adding-capabilities/artifacthub-pkg.yml 
@@ -19,5 +19,5 @@ annotations: kyverno/category: "PSP Migration in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: a577515c97fa6c2990de6bc88df222e1555bf11bfacdf00e31b26c5c5fb086ac +digest: ff4483e54ede27fe5d6ef217725ee7d2b40bc0fe7fb16398919783f6bdce6a3e createdAt: "2024-05-23T14:18:49Z" diff --git a/psp-migration-cel/restrict-adding-capabilities/restrict-adding-capabilities.yaml b/psp-migration-cel/restrict-adding-capabilities/restrict-adding-capabilities.yaml index 1d9f54494..42b9b5a99 100644 --- a/psp-migration-cel/restrict-adding-capabilities/restrict-adding-capabilities.yaml +++ b/psp-migration-cel/restrict-adding-capabilities/restrict-adding-capabilities.yaml @@ -34,16 +34,13 @@ spec: cel: variables: - name: allContainers - expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" + expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])" - name: allowedCapabilities expression: "['NET_BIND_SERVICE', 'CAP_CHOWN']" expressions: - expression: >- variables.allContainers.all(container, - !has(container.securityContext) || - !has(container.securityContext.capabilities) || - !has(container.securityContext.capabilities.add) || - container.securityContext.capabilities.add.all(capability, capability in variables.allowedCapabilities)) + container.?securityContext.?capabilities.?add.orValue([]).all(capability, capability in variables.allowedCapabilities)) message: >- Any capabilities added other than NET_BIND_SERVICE or CAP_CHOWN are disallowed. diff --git a/tekton-cel/require-tekton-bundle/artifacthub-pkg.yml b/tekton-cel/require-tekton-bundle/artifacthub-pkg.yml index 67bdf90ef..2c83e3067 100644 --- a/tekton-cel/require-tekton-bundle/artifacthub-pkg.yml +++ b/tekton-cel/require-tekton-bundle/artifacthub-pkg.yml 
@@ -19,5 +19,5 @@ annotations: kyverno/category: "Tekton in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "TaskRun, PipelineRun" -digest: 396315ccb0132309267847614372230dbab14ab9935a1aac800d96981da37d10 +digest: d1031e87d2d3e9496022593cac502bd8382863247803e4bd06a1badbe782ae48 createdAt: "2024-05-24T04:26:34Z" diff --git a/tekton-cel/require-tekton-bundle/require-tekton-bundle.yaml b/tekton-cel/require-tekton-bundle/require-tekton-bundle.yaml index 359ae7f1e..585c00efb 100644 --- a/tekton-cel/require-tekton-bundle/require-tekton-bundle.yaml +++ b/tekton-cel/require-tekton-bundle/require-tekton-bundle.yaml @@ -28,7 +28,7 @@ spec: validate: cel: expressions: - - expression: "has(object.spec.pipelineRef) && has(object.spec.pipelineRef.bundle) && object.spec.pipelineRef.bundle != ''" + - expression: "object.spec.?pipelineRef.?bundle.orValue('') != ''" message: "A bundle is required." - name: check-bundle-taskrun match: @@ -39,6 +39,6 @@ spec: validate: cel: expressions: - - expression: "has(object.spec.taskRef) && has(object.spec.taskRef.bundle) && object.spec.taskRef.bundle != ''" + - expression: "object.spec.?taskRef.?bundle.orValue('') != ''" message: "A bundle is required." From 1208ed34f112c52af797552e0ccdd8299860db7e Mon Sep 17 00:00:00 2001 From: nsagark <90008930+nsagark@users.noreply.github.com> Date: Fri, 9 Aug 2024 15:58:05 -0400 Subject: [PATCH 4/9] Add initContainers and ephemeralContainers to Require Images Use Checksums (#1066) * Updating require-image-checksum for init and ephemeral containers Signed-off-by: nsagark * Updating require-image-checksum for init and ephemeral containers Signed-off-by: nsagark * Updated the policy and chainsaw tests Signed-off-by: nsagark * Updated the artifacthub-pkg.yml with the correct digest Signed-off-by: nsagark * Updated chainsaw test to include tests for ephemeral containers Signed-off-by: nsagark * Updated digest in the artifacthub-pkg.yml 
Signed-off-by: nsagark * removed ephemeral containers from resource.yaml Signed-off-by: nsagark --------- Signed-off-by: nsagark Co-authored-by: Mariam Fahmy Co-authored-by: Chip Zoller --- .../.chainsaw-test/chainsaw-test.yaml | 17 +++++++++++++++ .../.chainsaw-test/pod-bad-for-ephemeral.yaml | 10 +++++++++ .../.chainsaw-test/pod-bad.yaml | 21 ++++++++++++++++++- .../pod-good-for-ephemeral.yaml | 9 ++++++++ .../.chainsaw-test/pod-good.yaml | 21 ++++++++++++++++++- .../.kyverno-test/kyverno-test.yaml | 6 +++--- .../.kyverno-test/resource.yaml | 20 ++++++++++++++++-- .../artifacthub-pkg.yml | 2 +- .../require-image-checksum.yaml | 12 ++++++----- 9 files changed, 105 insertions(+), 13 deletions(-) create mode 100644 other/require-image-checksum/.chainsaw-test/pod-bad-for-ephemeral.yaml create mode 100644 other/require-image-checksum/.chainsaw-test/pod-good-for-ephemeral.yaml diff --git a/other/require-image-checksum/.chainsaw-test/chainsaw-test.yaml b/other/require-image-checksum/.chainsaw-test/chainsaw-test.yaml index 71247c3a8..c83534836 100755 --- a/other/require-image-checksum/.chainsaw-test/chainsaw-test.yaml +++ b/other/require-image-checksum/.chainsaw-test/chainsaw-test.yaml @@ -36,3 +36,20 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-03 + try: + - script: + content: | + kubectl apply -f pod-good-for-ephemeral.yaml + sleep 2 + kubectl debug goodpod-for-debug -it --image=ubuntu@sha256:0eb0f877e1c869a300c442c41120e778db7161419244ee5cbc6fa5f134e74736 --share-processes --copy-to=myapp-debug + - script: + content: | + kubectl apply -f pod-bad-for-ephemeral.yaml + sleep 2 + kubectl debug badpod-for-debug -it --image=ubuntu --share-processes --copy-to=myapp-debug + check: + ($error != null): true + - script: + content: | + kubectl delete pods --all --force 
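Review bot: The negative case in `step-03` reuses `--copy-to=myapp-debug`, the pod name the preceding positive case already created, so `kubectl debug` fails with an AlreadyExists error and `($error != null): true` is satisfied even when the policy does not block the unpinned `ubuntu` image. Give the second copy a distinct name, e.g. `--copy-to=myapp-debug-bad`, or delete `myapp-debug` before running it. Separately, `kubectl debug --copy-to` creates a new pod with the debug container added to `spec.containers`, not to `spec.ephemeralContainers`, so this step does not exercise the `=(ephemeralContainers)` pattern the commit adds; an ephemeral container is injected by `kubectl debug <pod> --image=...` without `--copy-to`, which goes through the `pods/ephemeralcontainers` subresource. `-it` in a non-interactive script also emits a TTY warning and may block on attach; `--attach=false` avoids that.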
diff --git a/other/require-image-checksum/.chainsaw-test/pod-bad-for-ephemeral.yaml b/other/require-image-checksum/.chainsaw-test/pod-bad-for-ephemeral.yaml new file mode 100644 index 000000000..cfdacda24 --- /dev/null +++ b/other/require-image-checksum/.chainsaw-test/pod-bad-for-ephemeral.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod-for-debug +spec: + containers: + - name: busybox + image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc + command: ["sleep", "1d"] + diff --git a/other/require-image-checksum/.chainsaw-test/pod-bad.yaml b/other/require-image-checksum/.chainsaw-test/pod-bad.yaml index 861eded64..325985fc1 100644 --- a/other/require-image-checksum/.chainsaw-test/pod-bad.yaml +++ b/other/require-image-checksum/.chainsaw-test/pod-bad.yaml @@ -18,4 +18,23 @@ spec: - name: busybox image: busybox - name: bb - image: busybox:latest \ No newline at end of file + image: busybox:latest +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + initContainers: + - name: init-busybox + image: busybox:1.35 + command: ['sh', '-c', 'echo Init container 1 completed'] + - name: init-alpine + image: alpine:3.16 + command: ['sh', '-c', 'echo Init container 2 completed'] + containers: + - name: busybox + image: busybox:1.35 + - name: busybox02 + image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc +--- diff --git a/other/require-image-checksum/.chainsaw-test/pod-good-for-ephemeral.yaml b/other/require-image-checksum/.chainsaw-test/pod-good-for-ephemeral.yaml new file mode 100644 index 000000000..4e2a4bea4 --- /dev/null +++ b/other/require-image-checksum/.chainsaw-test/pod-good-for-ephemeral.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod-for-debug +spec: + containers: + - name: busybox + image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc + command: ["sleep", "1d"] 
diff --git a/other/require-image-checksum/.chainsaw-test/pod-good.yaml b/other/require-image-checksum/.chainsaw-test/pod-good.yaml index 3b71c5b5f..99d09cc75 100644 --- a/other/require-image-checksum/.chainsaw-test/pod-good.yaml +++ b/other/require-image-checksum/.chainsaw-test/pod-good.yaml @@ -18,4 +18,23 @@ spec: - name: busybox image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc - name: nginx - image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea \ No newline at end of file + image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + initContainers: + - name: init-busybox + image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc + command: ['sh', '-c', 'echo Init container 1 completed'] + - name: init-nginx + image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea + command: ['sh', '-c', 'echo Init container 2 completed'] + containers: + - name: busybox + image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc + - name: nginx + image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea +--- diff --git a/other/require-image-checksum/.kyverno-test/kyverno-test.yaml b/other/require-image-checksum/.kyverno-test/kyverno-test.yaml index 574028fb6..0db076f06 100644 --- a/other/require-image-checksum/.kyverno-test/kyverno-test.yaml +++ b/other/require-image-checksum/.kyverno-test/kyverno-test.yaml @@ -17,17 +17,17 @@ results: policy: require-image-checksum resources: - myapp-pod-2 - result: fail + result: pass rule: require-image-checksum - kind: Deployment policy: require-image-checksum resources: - mydeploy - result: pass + result: fail rule: require-image-checksum - kind: Pod policy: require-image-checksum resources: - myapp-pod-1 - result: pass + result: fail rule: require-image-checksum 
diff --git a/other/require-image-checksum/.kyverno-test/resource.yaml b/other/require-image-checksum/.kyverno-test/resource.yaml index 99174c394..d200ca7de 100644 --- a/other/require-image-checksum/.kyverno-test/resource.yaml +++ b/other/require-image-checksum/.kyverno-test/resource.yaml @@ -5,6 +5,10 @@ metadata: labels: app: myapp-1 spec: + initContainers: + - name: init-myservice + image: busybox + command: ['sh', '-c', 'echo Initializing...'] containers: - name: nginx image: nginx@sha256:353c20f74d9b6aee359f30e8e4f69c3d7eaea2f610681c4a95849a2fd7c497f9 @@ -17,9 +21,13 @@ metadata: labels: app: myapp-2 spec: + initContainers: + - name: init-myservice + image: busybox@sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7 + command: ['sh', '-c', 'echo Initializing...'] containers: - name: nginx - image: nginx + image: nginx@sha256:353c20f74d9b6aee359f30e8e4f69c3d7eaea2f610681c4a95849a2fd7c497f9 --- apiVersion: apps/v1 @@ -36,6 +44,10 @@ spec: labels: app: myapp spec: + initContainers: + - name: init-myservice + image: busybox + command: ['sh', '-c', 'echo Initializing...'] containers: - name: nginx image: nginx@sha256:353c20f74d9b6aee359f30e8e4f69c3d7eaea2f610681c4a95849a2fd7c497f9 @@ -53,6 +65,10 @@ spec: spec: template: spec: + initContainers: + - name: init-myservice + image: busybox + command: ['sh', '-c', 'echo Initializing...'] containers: - name: hello image: busybox @@ -61,4 +77,4 @@ spec: - /bin/sh - -c - date; echo Hello from the Kubernetes cluster - restartPolicy: OnFailure + diff --git a/other/require-image-checksum/artifacthub-pkg.yml b/other/require-image-checksum/artifacthub-pkg.yml index 64e238b99..89eaf13ea 100644 --- a/other/require-image-checksum/artifacthub-pkg.yml +++ b/other/require-image-checksum/artifacthub-pkg.yml 
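Review bot: The last hunk in `resource.yaml` replaces `restartPolicy: OnFailure` with an empty line in what looks like the CronJob fixture (`jobTemplate.spec.template.spec` with the `date; echo Hello from the Kubernetes cluster` command), and nothing in the commit message explains the removal. A Job pod template must set `restartPolicy` to `OnFailure` or `Never`, so the fixture would no longer be accepted by an API server, even though the Kyverno CLI, which does not validate against the schema, will still load it. Unless the drop is intentional, restore the line after the `- date; echo Hello from the Kubernetes cluster` entry: `restartPolicy: OnFailure`.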
@@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod" -digest: 3337bb7de436169ae83391daf6da76251ce00422f3fc5691d80cfc6f75606d80 +digest: c04622929b71c3e6437ad7f1f6ee84e8601e46ff35344c1cabb512d43b314cc1 diff --git a/other/require-image-checksum/require-image-checksum.yaml b/other/require-image-checksum/require-image-checksum.yaml index e75024622..9fc259b01 100644 --- a/other/require-image-checksum/require-image-checksum.yaml +++ b/other/require-image-checksum/require-image-checksum.yaml @@ -9,11 +9,9 @@ metadata: policies.kyverno.io/subject: Pod policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- - Use of a SHA checksum when pulling an image is often preferable because tags - are mutable and can be overwritten. This policy checks to ensure that all images - use SHA checksums rather than tags. + Use of a SHA checksum when pulling an image is often preferable because tags are mutable and can be overwritten. This policy checks to ensure that all images use SHA checksums rather than tags. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: require-image-checksum @@ -27,4 +25,8 @@ spec: pattern: spec: containers: - - image: "*@*" \ No newline at end of file + - image: "*@*" + =(ephemeralContainers): + - image: "*@*" + =(initContainers): + - image: "*@*" From d4c42e190b0823ba5c7fc752e35cabfb9ba90e9f Mon Sep 17 00:00:00 2001 From: nsagark <90008930+nsagark@users.noreply.github.com> Date: Fri, 9 Aug 2024 17:18:31 -0400 Subject: [PATCH 5/9] Add policy Collect Debug Information for Pods in CrashLoopBackOff (#1086) * Updated files for get-debug-information policy Signed-off-by: nsagark * Updated the policy with annotations and also the artifacthub-pkg.yml Signed-off-by: nsagark * Updated policy for image information and also the artifacthub-pkg.yml Signed-off-by: nsagark * Update other/get-debug-information/generate-policy.yaml Co-authored-by: Chip Zoller 
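Review bot: The `"*@*"` wildcard on the three `image:` patterns only requires that an `@` appear somewhere in the reference, so `nginx@notadigest` satisfies the rule even though the description promises SHA checksums; the kubelet would refuse such a reference at pull time, but the policy reports it as compliant. If sha256 is the only digest algorithm in use, `image: "*@sha256:*"` on each of the three entries tightens the check and still matches every digest in the test fixtures. The `=(initContainers)` and `=(ephemeralContainers)` conditional anchors are correct, and `containers` is rightly left unanchored since it is required. The rule's `match` block sits above the hunk, outside this view.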
Signed-off-by: nsagark <90008930+nsagark@users.noreply.github.com> * Update other/get-debug-information/generate-policy.yaml Co-authored-by: Chip Zoller Signed-off-by: nsagark <90008930+nsagark@users.noreply.github.com> * Update other/get-debug-information/generate-policy.yaml Co-authored-by: Chip Zoller Signed-off-by: nsagark <90008930+nsagark@users.noreply.github.com> * Updated the policy, renamed the policy and the digest in the artifacthub-pkg.yml Signed-off-by: nsagark * Updated the policy file name in the chainsaw-test.yaml Signed-off-by: nsagark * Updated the policy file name in the artifacthub-pkg.yml Signed-off-by: nsagark * Update other/get-debug-information/collect-debug-information.yaml Co-authored-by: Chip Zoller Signed-off-by: nsagark <90008930+nsagark@users.noreply.github.com> * Updated the digest and also the policy to add serviceaccount information Signed-off-by: nsagark * Updated the description and readme in artifacthub-pkg.yml Signed-off-by: nsagark * Updated the policy file name Signed-off-by: nsagark * Update other/get-debug-information/.chainsaw-test/chainsaw-test.yaml Signed-off-by: Chip Zoller * Update other/get-debug-information/artifacthub-pkg.yml Signed-off-by: Chip Zoller --------- Signed-off-by: nsagark Signed-off-by: nsagark <90008930+nsagark@users.noreply.github.com> 
Signed-off-by: Chip Zoller Co-authored-by: Chip Zoller
--- .../chainsaw-step-00-apply-1.yaml | 12 +++ .../chainsaw-step-00-apply-2.yaml | 24 ++++++ .../.chainsaw-test/chainsaw-test.yaml | 48 +++++++++++ .../.chainsaw-test/depl-readonlyrootfs.yaml | 22 +++++ .../.chainsaw-test/ns.yaml | 4 + .../.chainsaw-test/policy-ready.yaml | 6 ++ .../get-debug-information/artifacthub-pkg.yml | 20 +++++ .../get-debug-information.yaml | 83 +++++++++++++++++++ 8 files changed, 219 insertions(+) create mode 100644 other/get-debug-information/.chainsaw-test/chainsaw-step-00-apply-1.yaml create mode 100644 other/get-debug-information/.chainsaw-test/chainsaw-step-00-apply-2.yaml create mode 100644 other/get-debug-information/.chainsaw-test/chainsaw-test.yaml create mode 100644 other/get-debug-information/.chainsaw-test/depl-readonlyrootfs.yaml create mode 100644 other/get-debug-information/.chainsaw-test/ns.yaml create mode 100644 other/get-debug-information/.chainsaw-test/policy-ready.yaml create mode 100644 other/get-debug-information/artifacthub-pkg.yml create mode 100644 other/get-debug-information/get-debug-information.yaml
diff --git a/other/get-debug-information/.chainsaw-test/chainsaw-step-00-apply-1.yaml b/other/get-debug-information/.chainsaw-test/chainsaw-step-00-apply-1.yaml
new file mode 100644
index 000000000..a859882c4
--- /dev/null
+++ b/other/get-debug-information/.chainsaw-test/chainsaw-step-00-apply-1.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: background-controller
+    app.kubernetes.io/instance: kyverno
+    app.kubernetes.io/part-of: kyverno
+  name: kyverno:background-controller-generate
+rules:
+- apiGroups: ["batch"]
+  resources: ["jobs"]
+  verbs: ["create", "get", "list", "watch", "update", "delete"]
\ No newline at end of file
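Review bot: The `kyverno:background-controller-generate` ClusterRole is created with no binding and without the `rbac.kyverno.io/aggregate-to-background-controller: "true"` label, so unless the Kyverno install under test binds it by name it grants nothing and the generate rule cannot create Jobs. The `permissions.yaml` fixture added later in this series uses that aggregation label for the same purpose; adding `rbac.kyverno.io/aggregate-to-background-controller: "true"` under `metadata.labels` here keeps the two fixtures consistent and makes the grant explicit. The verb list (`update`, `delete` on jobs) is presumably broader than a `synchronize: false` generate rule needs; worth confirming against the Kyverno version in the test cluster.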
diff --git a/other/get-debug-information/.chainsaw-test/chainsaw-step-00-apply-2.yaml b/other/get-debug-information/.chainsaw-test/chainsaw-step-00-apply-2.yaml
new file mode 100644
index 000000000..44ee0edaf
--- /dev/null
+++ b/other/get-debug-information/.chainsaw-test/chainsaw-step-00-apply-2.yaml
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pod-reader
+rules:
+- apiGroups: [""]
+  resources: ["pods", "pods/log", "events"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: read-pods-rolebinding
+subjects:
+- kind: Group
+  name: system:serviceaccounts
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: pod-reader
+  apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/other/get-debug-information/.chainsaw-test/chainsaw-test.yaml b/other/get-debug-information/.chainsaw-test/chainsaw-test.yaml
new file mode 100644
index 000000000..e7fbf93f1
--- /dev/null
+++ b/other/get-debug-information/.chainsaw-test/chainsaw-test.yaml
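Review bot: The `read-pods-rolebinding` ClusterRoleBinding grants the `pod-reader` ClusterRole to the `system:serviceaccounts` group, i.e. every service account in every namespace gets cluster-wide read access to pods, pod logs, events and namespaces. Pod logs routinely contain secrets, and even as a test fixture this is a much larger grant than the policy needs: the generated Job only runs as the `default` service account in the crashing pod's namespace (`abc` in this test) and only reads objects in that namespace. A namespaced `RoleBinding` in `abc` with a `kind: ServiceAccount`, `name: default`, `namespace: abc` subject covers the test, and the policy's documentation should recommend that same narrow binding for real deployments.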
@@ -0,0 +1,48 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: get-debug-data
+spec:
+  steps:
+  - name: step-00
+    try:
+    - apply:
+        file: chainsaw-step-00-apply-1.yaml
+    - apply:
+        file: chainsaw-step-00-apply-2.yaml
+  - name: step-01
+    try:
+    - script:
+        content: |
+          if kubectl get configmap kyverno -n kyverno -o jsonpath='{.data.excludeGroups}' | grep -q 'system:nodes'; then
+            kubectl patch configmap kyverno -n kyverno --type=json -p='[{"op": "remove", "path": "/data/excludeGroups"}]'
+          else
+            echo "excludeGroups: system:nodes does not exist in the configmap."
+          fi
+  - name: step-02
+    try:
+    - apply:
+        file: ../get-debug-information.yaml
+    - assert:
+        file: policy-ready.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: ns.yaml
+    - apply:
+        file: depl-readonlyrootfs.yaml
+  - name: step-04
+    try:
+    - sleep:
+        duration: 60s
+    - assert:
+        resource:
+          apiVersion: batch/v1
+          kind: Job
+          metadata:
+            labels:
+              app.kubernetes.io/managed-by: kyverno
+              deleteme: allow
+            namespace: abc
diff --git a/other/get-debug-information/.chainsaw-test/depl-readonlyrootfs.yaml b/other/get-debug-information/.chainsaw-test/depl-readonlyrootfs.yaml
new file mode 100644
index 000000000..8e1a47d6b
--- /dev/null
+++ b/other/get-debug-information/.chainsaw-test/depl-readonlyrootfs.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  namespace: abc
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx-container
+        image: nginx:latest
+        ports:
+        - containerPort: 80
+        securityContext:
+          readOnlyRootFilesystem: true
diff --git a/other/get-debug-information/.chainsaw-test/ns.yaml b/other/get-debug-information/.chainsaw-test/ns.yaml
new file mode 100644
index 000000000..857153708
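Review bot: step-01 removes the entire `/data/excludeGroups` key from the Kyverno ConfigMap whenever its value contains `system:nodes`, which also drops any other excluded groups, matches on a substring (`system:nodes-anything` would trigger it), and is never restored once the test finishes, so the change leaks into every later test on that cluster. Since the only goal is to let the policy observe kubelet-written `Pod.status` updates, patch the value to remove just `system:nodes` and add a `finally:` step that writes the original value back. The step also exposes a prerequisite that the policy itself does not state: on installs that keep the default `system:nodes` exclusion, this policy never fires.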
--- /dev/null
+++ b/other/get-debug-information/.chainsaw-test/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: abc
\ No newline at end of file
diff --git a/other/get-debug-information/.chainsaw-test/policy-ready.yaml b/other/get-debug-information/.chainsaw-test/policy-ready.yaml
new file mode 100644
index 000000000..0754ffe2f
--- /dev/null
+++ b/other/get-debug-information/.chainsaw-test/policy-ready.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: get-debug-data-policy
+status:
+  ready: true
\ No newline at end of file
diff --git a/other/get-debug-information/artifacthub-pkg.yml b/other/get-debug-information/artifacthub-pkg.yml
new file mode 100644
index 000000000..31c2f8884
--- /dev/null
+++ b/other/get-debug-information/artifacthub-pkg.yml
@@ -0,0 +1,20 @@
+name: get-debug-information
+version: 1.0.0
+displayName: Collect debug information for pods in crashloopback
+createdAt: "2024-07-25T20:30:05.000Z"
+description: "This policy generates a job which gathers troubleshooting data (including logs, kubectl describe output and events from the namespace) from pods that are in CrashLoopBackOff and have 3 restarts. This data can further be used to automatically create a Jira issue using some kind of automation or another Kyverno policy. For more information on the image used in this policy in addition to the necessary RBAC resources required in order for this policy to operate, see the documentation at https://github.com/nirmata/SRE-Operational-Usecases/tree/main/get-troubleshooting-data/get-debug-data."
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/get-debug-information/get-debug-information.yaml
+  ```
+keywords:
+- kyverno
+- Sample
+readme: |
+  This policy generates a job which gathers troubleshooting data (including logs, kubectl describe output and events from the namespace) from pods that are in CrashLoopBackOff and have 3 restarts. This data can further be used to automatically create a Jira issue using some kind of automation or another Kyverno policy. For more information on the image used in this policy in addition to the necessary RBAC resources required in order for this policy to operate, see the documentation at https://github.com/nirmata/SRE-Operational-Usecases/tree/main/get-troubleshooting-data/get-debug-data.
+
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Sample"
+  kyverno/subject: "Pod"
+digest: 757b80d042c3ab9dd959ab6086205cd4585474a6672a13d8738ce91f4e3c491a
diff --git a/other/get-debug-information/get-debug-information.yaml b/other/get-debug-information/get-debug-information.yaml
new file mode 100644
index 000000000..728661b0c
--- /dev/null
+++ b/other/get-debug-information/get-debug-information.yaml
@@ -0,0 +1,83 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: get-debug-data-policy
+  annotations:
+    policies.kyverno.io/title: Collect Debug Information for Pods in CrashLoopBackOff
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    kyverno.io/kyverno-version: 1.11.5
+    kyverno.io/kubernetes-version: "1.27"
+    policies.kyverno.io/description: >-
+      This policy generates a job which gathers troubleshooting data (including logs, kubectl describe output and events from the namespace) from pods that are in CrashLoopBackOff and have 3 restarts. This data can further be used to automatically create a Jira issue using some kind of automation or another Kyverno policy. For more information on the image used in this policy in addition to the necessary RBAC resources required in order for this policy to operate, see the documentation at https://github.com/nirmata/SRE-Operational-Usecases/tree/main/get-troubleshooting-data/get-debug-data.
+spec:
+  rules:
+    - name: get-debug-data-policy-rule
+      match:
+        any:
+        - resources:
+            kinds:
+              - v1/Pod.status
+      context:
+      - name: pdcount
+        apiCall:
+          urlPath: "/api/v1/namespaces/{{request.namespace}}/pods?labelSelector=requestpdname=pod-{{request.object.metadata.name}}"
+          jmesPath: "items | length(@)"
+      preconditions:
+        all:
+        - key: "{{ sum(request.object.status.containerStatuses[*].restartCount || `0`) }}"
+          operator: Equals
+          value: 3
+        - key: "{{ request.object.metadata.labels.deleteme || 'empty' }}"
+          operator: Equals
+          value: "empty"
+        - key: "{{ pdcount }}"
+          operator: Equals
+          value: 0
+      generate:
+        apiVersion: batch/v1
+        kind: Job
+        name: get-debug-data-{{request.object.metadata.name}}-{{ random('[0-9a-z]{8}') }}
+        namespace: "{{request.namespace}}"
+        synchronize: false
+        data:
+          metadata:
+            labels:
+              deleteme: allow
+          spec:
+            template:
+              metadata:
+                labels:
+                  app: my-app
+                  deleteme: allow
+                  requestpdname: "pod-{{request.object.metadata.name}}"
+              spec:
+                restartPolicy: OnFailure
+                containers:
+                - name: my-container
+                  image: sagarkundral/my-python-app:v52
+                  ports:
+                  - containerPort: 8080
+                  volumeMounts:
+                  - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+                    name: token
+                    readOnly: true
+                  args:
+                  - "/app/get-debug-jira-v2.sh"
+                  - "{{request.namespace}}"
+                  - "{{request.object.metadata.name}}"
+                serviceAccount: default # This serviceaccount needs the necessary RBAC in order for the policy to operate.
+                volumes:
+                - name: token
+                  projected:
+                    defaultMode: 420
+                    sources:
+                    - serviceAccountToken:
+                        expirationSeconds: 3607
+                        path: token
+                    - configMap:
+                        items:
+                        - key: ca.crt
+                          path: ca.crt
+                        name: kube-root-ca.crt
From 5189caf6de9e561d9801cc51313bd65f118c6bb1 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Mon, 12 Aug 2024 21:27:28 -0500 Subject: [PATCH 6/9] update permissions
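Review bot: The generated Job runs `sagarkundral/my-python-app:v52`, a mutable tag from a personal Docker Hub namespace, with a projected token for the target namespace's `default` service account mounted into it, so whoever can push to that tag runs code with whatever that account is bound to (cluster-wide pod and log read in this series' test fixture); pin the image by digest, run the Job as a dedicated ServiceAccount bound to a namespaced Role instead of `default`, and use `serviceAccountName:` rather than its deprecated alias `serviceAccount:`. Separately, nothing in `preconditions` checks for `CrashLoopBackOff`: the rule fires when restart counts summed over all containers equal exactly 3 for any reason, so the title and description disagree with `get-debug-data-policy-rule`; a precondition of the form `length(request.object.status.containerStatuses[?state.waiting.reason=='CrashLoopBackOff'])` `GreaterThan` `0` (with a null guard for pods that have no `containerStatuses` yet) would match the documented intent. Because the rule matches `v1/Pod.status` updates, which are normally written by the kubelet, the policy also depends on `system:nodes` not being in Kyverno's `excludeGroups` (the chainsaw test removes it); that prerequisite and the exact RBAC the Job needs belong in the description, not just in the inline comment on the `serviceAccount` line. Finally, `synchronize: false` means completed Jobs are never cleaned up, so `ttlSecondsAfterFinished` and a `securityContext` (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`) on the template are worth adding.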
Signed-off-by: Jim Bugwadia --- .../.chainsaw-test/chainsaw-test.yaml | 2 ++ .../.chainsaw-test/permissions.yaml | 17 +++++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 other/check-vpa-configuration/.chainsaw-test/permissions.yaml diff --git a/other/check-vpa-configuration/.chainsaw-test/chainsaw-test.yaml b/other/check-vpa-configuration/.chainsaw-test/chainsaw-test.yaml index f5fc885f1..4659846b5 100644 --- a/other/check-vpa-configuration/.chainsaw-test/chainsaw-test.yaml +++ b/other/check-vpa-configuration/.chainsaw-test/chainsaw-test.yaml @@ -6,6 +6,8 @@ spec: steps: - name: 01 - Create policy and Enforce try: + - apply: + file: permissions.yaml - apply: file: ../check-vpa-configuration.yaml - patch: diff --git a/other/check-vpa-configuration/.chainsaw-test/permissions.yaml b/other/check-vpa-configuration/.chainsaw-test/permissions.yaml new file mode 100644 index 000000000..6b20b3c83 --- /dev/null +++ b/other/check-vpa-configuration/.chainsaw-test/permissions.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:vpa + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - autoscaling.k8s.io + resources: + - verticalpodautoscalers + verbs: + - get + - list + - watch \ No newline at end of file From 4ee239a6b1cb9cd699f0bbbfdafec480a20114af Mon Sep 17 00:00:00 2001 From: Dolis Sharma <71091713+dolisss@users.noreply.github.com> Date: Wed, 14 Aug 2024 17:42:46 -0300 Subject: [PATCH 7/9] Update disallow-helm-tiller and disallow-latest-tag to include all container types in a pod (#1111) * Update disallow-helm-tiller.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update artifacthub-pkg.yml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update disallow-latest-tag.yaml 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update artifacthub-pkg.yml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update bad-pod-latest-fail-first.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update bad-pod-latest-success-first.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update bad-pod-no-tag.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update good-pod.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update bad-deploy.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update bad-pod-fail-first.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update bad-pod.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update bad-pod-success-first.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update good-deploy.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update good-pod.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update disallow-latest-tag.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update disallow-helm-tiller.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update artifacthub-pkg.yml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update artifacthub-pkg.yml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update artifacthub-pkg.yml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update artifacthub-pkg.yml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update artifacthub-pkg.yml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update artifacthub-pkg.yml 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update good-pod.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update bad-deploy.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update bad-pod-fail-first.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update bad-pod-success-first.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update bad-pod.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update good-deploy.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update resource.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update bad-pod-latest-fail-first.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update bad-pod-latest-success-first.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update bad-pod-no-tag.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update good-pod.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> * Update resource.yaml Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --------- 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com> --- .../.chainsaw-test/bad-deploy.yaml | 5 +++ .../.chainsaw-test/bad-pod-fail-first.yaml | 5 +++ .../.chainsaw-test/bad-pod-success-first.yaml | 7 ++++- .../.chainsaw-test/bad-pod.yaml | 5 ++- .../.chainsaw-test/good-deploy.yaml | 6 +++- .../.chainsaw-test/good-pod.yaml | 7 ++++- .../.kyverno-test/resource.yaml | 24 ++++++++++++++ .../disallow-helm-tiller/artifacthub-pkg.yml | 2 +- .../disallow-helm-tiller.yaml | 17 ++++++---- .../bad-pod-latest-fail-first.yaml | 7 ++++- .../bad-pod-latest-success-first.yaml | 7 ++++- .../.chainsaw-test/bad-pod-no-tag.yaml | 17 +++++++++- .../.chainsaw-test/good-pod.yaml | 5 ++- .../.kyverno-test/resource.yaml | 31 +++++++++++++++++++ .../disallow-latest-tag/artifacthub-pkg.yml | 4 +-- .../disallow-latest-tag.yaml | 28 ++++++++++++----- 16 files changed, 152 insertions(+), 25 deletions(-) diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml index e2b85aea5..37c6850cd 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml @@ -19,3 +19,8 @@ spec: name: busybox - image: docker.io/tiller:latest name: helm-tiller + initContainers: + - image: busybox + name: busyboxinit + - image: docker.io/tiller:latest + name: helm-tillerinit diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml index 56caf1bbb..3c6000019 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml 
@@ -8,3 +8,8 @@ spec: image: docker.io/tiller:latest - name: somebox image: busybox:1.35 + initContainers: + - name: helm-tillerinit + image: docker.io/tiller:latest + - name: someboxinit + image: busybox:1.35 diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml index ba3bc5292..9b09e550d 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml @@ -7,4 +7,9 @@ spec: - name: somebox image: busybox:1.35 - name: helm-tiller - image: docker.io/tiller:latest \ No newline at end of file + image: docker.io/tiller:latest + initContainers: + - name: someboxinit + image: busybox:1.35 + - name: helm-tillerinit + image: docker.io/tiller:latest diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml index 447689170..e35960061 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml @@ -5,4 +5,7 @@ metadata: spec: containers: - name: helm-tiller - image: docker.io/tiller:latest \ No newline at end of file + image: docker.io/tiller:latest + initContainers: + - name: helm-tillerinit + image: docker.io/tiller:latest diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml index 915bbaf8c..687ebc84c 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml 
@@ -17,4 +17,8 @@ spec: containers: - image: busybox:v1.35 name: busybox - command: ["sleep", "3600"] \ No newline at end of file + command: ["sleep", "3600"] + initContainers: + - image: busybox:v1.35 + name: busyboxinit + command: ["sleep", "3600"] diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml index 0743299d4..f0c0a6913 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml @@ -7,4 +7,9 @@ spec: - name: busybox image: busybox:v1.35 - name: nothelmbox - image: busybox:v1.35 \ No newline at end of file + image: busybox:v1.35 + initContainers: + - name: busyboxinit + image: busybox:v1.35 + - name: nothelmboxinit + image: busybox:v1.35 diff --git a/best-practices/disallow-helm-tiller/.kyverno-test/resource.yaml b/best-practices/disallow-helm-tiller/.kyverno-test/resource.yaml index c015402a8..08dcde836 100644 --- a/best-practices/disallow-helm-tiller/.kyverno-test/resource.yaml +++ b/best-practices/disallow-helm-tiller/.kyverno-test/resource.yaml @@ -6,6 +6,10 @@ spec: containers: - name: helm-tiller image: docker.io/tiller:latest + initContainers: + - name: helm-tillerinit + image: docker.io/tiller:latest + --- apiVersion: v1 kind: Pod @@ -17,6 +21,11 @@ spec: image: busybox:1.28 - name: helm-tiller image: docker.io/tiller:latest + initContainers: + - name: busyboxinit + image: busybox:1.28 + - name: helm-tillerinit + image: docker.io/tiller:latest --- apiVersion: v1 kind: Pod @@ -26,6 +35,9 @@ spec: containers: - name: busybox image: busybox + initContainers: + - name: busyboxinit + image: busybox --- apiVersion: v1 kind: Pod @@ -37,6 +49,11 @@ spec: image: busybox - name: nginx image: nginx + initContainers: + - name: busyboxinit + image: busybox + - name: nginxinit + image: nginx --- apiVersion: apps/v1 kind: Deployment 
@@ -59,6 +76,10 @@ spec: - image: busybox:1.28 name: busybox command: ["sleep", "9999"] + initContainers: + - image: busybox:1.28 + name: busyboxinit + command: ["sleep", "9999"] --- apiVersion: apps/v1 kind: Deployment @@ -80,3 +101,6 @@ spec: containers: - image: docker.io/tiller:latest name: helm-tiller + initContainers: + - image: docker.io/tiller:latest + name: helm-tillerinit diff --git a/best-practices/disallow-helm-tiller/artifacthub-pkg.yml b/best-practices/disallow-helm-tiller/artifacthub-pkg.yml index e34f3355c..1d47fd83a 100644 --- a/best-practices/disallow-helm-tiller/artifacthub-pkg.yml +++ b/best-practices/disallow-helm-tiller/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod" -digest: 6de64a4a8d611c250dc0190b28b6c757db531063161531e4f68202c0fbda5be4 +digest: 3d92f3a2949283ad6d9baa99565e407c5cd78d015e0220750de522ac40ce1de2 diff --git a/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml b/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml index 61dd8c74d..ef1bb41fa 100644 --- a/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml +++ b/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml @@ -11,7 +11,7 @@ metadata: policies.kyverno.io/description: >- Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as - restricted users can impact other users. It is recommend to use Helm v3+ which does not contain + restricted users can impact other users. It is recommended to use Helm v3+ which does not contain Tiller for these reasons. This policy validates that there is not an image containing the name `tiller`. spec: 
@@ -26,8 +26,13 @@ spec: - Pod validate: message: "Helm Tiller is not allowed" - pattern: - spec: - containers: - - name: "*" - image: "!*tiller*" + foreach: + - list: "request.object.spec.containers" + pattern: + image: "!*tiller*" + - list: "request.object.spec.initContainers" + pattern: + image: "!*tiller*" + - list: "request.object.spec.ephemeralContainers" + pattern: + image: "!*tiller*" diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml index 2184f875b..44ba9c0fb 100644 --- a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml +++ b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml @@ -7,4 +7,9 @@ spec: - name: busybox image: busybox:latest - name: nginx - image: nginx:1.35 \ No newline at end of file + image: nginx:1.35 + initContainers: + - name: busyboxinit + image: busybox:latest + - name: nginxinit + image: nginx:1.35 diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml index 43e17164c..f565170f5 100644 --- a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml +++ b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml @@ -7,4 +7,9 @@ spec: - name: nginx image: nginx:1.35 - name: busybox - image: busybox:latest \ No newline at end of file + image: busybox:latest + initContainers: + - name: nginxinit + image: nginx:1.35 + - name: busyboxinit + image: busybox:latest diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml index 7a599f75c..3418076ae 100644 --- a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml 
+++ b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml @@ -8,6 +8,11 @@ spec: image: busybox - name: nginx image: nginx:1.35 + initContainers: + - name: busyboxinit + image: busybox + - name: nginxinit + image: nginx:1.35 --- apiVersion: v1 kind: Pod @@ -19,6 +24,11 @@ spec: image: nginx:1.35 - name: busybox image: busybox + initContainers: + - name: nginxinit + image: nginx:1.35 + - name: busyboxinit + image: busybox --- apiVersion: v1 kind: Pod @@ -29,4 +39,9 @@ spec: - name: busybox image: busybox - name: nginx - image: nginx:latest \ No newline at end of file + image: nginx:latest + initContainers: + - name: busyboxinit + image: busybox + - name: nginxinit + image: nginx:latest diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml index 679a87f5c..505688d3d 100644 --- a/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml +++ b/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml @@ -5,4 +5,7 @@ metadata: spec: containers: - name: busybox - image: busybox:v1.35 \ No newline at end of file + image: busybox:v1.35 + initContainers: + - name: busyboxinit + image: busybox:v1.35 diff --git a/best-practices/disallow-latest-tag/.kyverno-test/resource.yaml b/best-practices/disallow-latest-tag/.kyverno-test/resource.yaml index 873a0d251..03ed91c15 100644 --- a/best-practices/disallow-latest-tag/.kyverno-test/resource.yaml +++ b/best-practices/disallow-latest-tag/.kyverno-test/resource.yaml @@ -8,6 +8,9 @@ spec: containers: - name: nginx image: nginx:1.12 + initContainers: + - name: nginxinit + image: nginx:1.12 --- apiVersion: v1 kind: Pod @@ -19,6 +22,9 @@ spec: containers: - name: nginx image: nginx + initContainers: + - name: nginxinit + image: nginx --- apiVersion: v1 kind: Pod 
@@ -32,6 +38,11 @@ spec: image: busybox:1.28 - name: nginx image: nginx + initContainers: + - name: busyboxinit + image: busybox:1.28 + - name: nginxinit + image: nginx --- apiVersion: v1 kind: Pod @@ -43,6 +54,9 @@ spec: containers: - name: nginx image: nginx:latest + initContainers: + - name: nginxinit + image: nginx:latest --- apiVersion: v1 kind: Pod @@ -56,6 +70,11 @@ spec: image: busybox:1.28 - name: nginx image: nginx:latest + initContainers: + - name: busyboxinit + image: busybox:1.28 + - name: nginxinit + image: nginx:latest --- apiVersion: apps/v1 kind: Deployment @@ -77,6 +96,10 @@ spec: - image: busybox:1.28 name: busybox command: ["sleep", "9999"] + initContainers: + - image: busybox:1.28 + name: busyboxinit + command: ["sleep", "9999"] --- apiVersion: apps/v1 kind: Deployment @@ -98,6 +121,10 @@ spec: - image: busybox name: busybox command: ["sleep", "9999"] + initContainers: + - image: busybox + name: busyboxinit + command: ["sleep", "9999"] --- apiVersion: apps/v1 kind: Deployment @@ -119,3 +146,7 @@ spec: - image: busybox:latest name: busybox command: ["sleep", "9999"] + initContainers: + - image: busybox:latest + name: busyboxinit + command: ["sleep", "9999"] diff --git a/best-practices/disallow-latest-tag/artifacthub-pkg.yml b/best-practices/disallow-latest-tag/artifacthub-pkg.yml index cfd7a6095..24d3bf026 100644 --- a/best-practices/disallow-latest-tag/artifacthub-pkg.yml +++ b/best-practices/disallow-latest-tag/artifacthub-pkg.yml @@ -1,6 +1,6 @@ name: disallow-latest-tag version: 1.0.0 -displayName: Disallow Latest Tag +displayName: Disallow Latest Tags createdAt: "2023-04-10T19:47:15.000Z" description: >- The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application Pod. This policy validates that the image specifies a tag and that it is not called `latest`. 
@@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Best Practices" kyverno/subject: "Pod" -digest: 3d19e0d8f2637eca9ad1d700f4fbf556aaa31221ff6c40698b9aadda1f41adb4 +digest: 2760272e57d9988ba447f62d23bba382092d00a5e14dbf00555e4170ea90593a diff --git a/best-practices/disallow-latest-tag/disallow-latest-tag.yaml b/best-practices/disallow-latest-tag/disallow-latest-tag.yaml index c83cd565e..2f40ef15c 100644 --- a/best-practices/disallow-latest-tag/disallow-latest-tag.yaml +++ b/best-practices/disallow-latest-tag/disallow-latest-tag.yaml @@ -25,10 +25,16 @@ spec: - Pod validate: message: "An image tag is required." - pattern: - spec: - containers: - - image: "*:*" + foreach: + - list: "request.object.spec.containers" + pattern: + image: "*:*" + - list: "request.object.spec.initContainers" + pattern: + image: "*:*" + - list: "request.object.spec.ephemeralContainers" + pattern: + image: "*:*" - name: validate-image-tag match: any: @@ -37,7 +43,13 @@ spec: - Pod validate: message: "Using a mutable image tag e.g. 'latest' is not allowed." - pattern: - spec: - containers: - - image: "!*:latest" \ No newline at end of file + foreach: + - list: "request.object.spec.containers" + pattern: + image: "!*:latest" + - list: "request.object.spec.initContainers" + pattern: + image: "!*:latest" + - list: "request.object.spec.ephemeralContainers" + pattern: + image: "!*:latest" From e66a61aff9f75e8497a41890e10d8c5078b6cdb0 Mon Sep 17 00:00:00 2001 From: Ekambaram Pasham Date: Tue, 27 Aug 2024 03:13:20 +0530 Subject: [PATCH 8/9] Simplified CEL Expressions for Pod Security (CEL) Baseline policies (#1129) * disallow-privileged-containers policy is simplified Signed-off-by: epasham * digest value is updated in artifacthub-pkg Signed-off-by: epasham * disallow-capabilities policy is simplified Signed-off-by: epasham * digest value is updated Signed-off-by: epasham * disallow-proc-mount policy is simplified Signed-off-by: epasham * disallow-host-namespaces policy is simplified 
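Review bot: The new `request.object.spec.ephemeralContainers` foreach entries in both hunks of disallow-latest-tag.yaml have no fixture behind them — the .chainsaw-test and .kyverno-test resources added in this commit only gain `initContainers` — so a regression in the ephemeral branch would pass CI; add one Pod with `ephemeralContainers` to bad-pod-no-tag.yaml and resource.yaml. The `"*:*"` pattern is carried over unchanged, but the foreach is a good place to document its limit: it checks for any colon, so an image like `registry.example.com:5000/app` (port, no tag) or a `@sha256:` digest reference satisfies it, e.g. `# "*:*" only proves a colon is present; a registry port or digest also matches`. Whether a missing `spec.initContainers` / `spec.ephemeralContainers` list makes the foreach skip or fail depends on how Kyverno treats a null JMESPath result — I believe it skips — and the fixtures should pin that behaviour.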
Signed-off-by: epasham * disallow-host-path is updated Signed-off-by: epasham * disallow-host-ports-range policy is simplified Signed-off-by: epasham * removed duplicate digest Signed-off-by: epasham * removed duplicate digest from artifact pkg file Signed-off-by: epasham * restrict-seccomp policy is simplified Signed-off-by: epasham * restrict-sysctls policy is simplified Signed-off-by: epasham --------- Signed-off-by: epasham Co-authored-by: epasham --- .../disallow-capabilities/artifacthub-pkg.yml | 4 +- .../disallow-capabilities.yaml | 38 ++++----------- .../artifacthub-pkg.yml | 4 +- .../disallow-host-namespaces.yaml | 6 +-- .../disallow-host-path/artifacthub-pkg.yml | 4 +- .../disallow-host-path.yaml | 2 +- .../artifacthub-pkg.yml | 4 +- .../disallow-host-ports-range.yaml | 27 +++++------ .../artifacthub-pkg.yml | 4 +- .../disallow-privileged-containers.yaml | 30 ++---------- .../disallow-proc-mount/artifacthub-pkg.yml | 4 +- .../disallow-proc-mount.yaml | 30 ++---------- .../restrict-seccomp/artifacthub-pkg.yml | 4 +- .../restrict-seccomp/restrict-seccomp.yaml | 47 ++++--------------- .../restrict-sysctls/artifacthub-pkg.yml | 4 +- .../restrict-sysctls/restrict-sysctls.yaml | 13 ++--- 16 files changed, 64 insertions(+), 161 deletions(-) diff --git a/pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml index 7d4f6bd83..e1b03f650 100644 --- a/pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: e5f9cbb8246d36347c0fe62768e6b62b6b323efb7dd1ac60bc8c220e641220fb -createdAt: "2023-12-03T00:22:33Z" +digest: 581bbe2061d08871889e18bc5a6f58102da467d4fa164084970d96ab2ef3c202 +createdAt: "2024-08-21T00:22:33Z" 
diff --git a/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml b/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml index 3084fec43..b423f426b 100644 --- a/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml +++ b/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml 
@@ -26,38 +26,16 @@ spec: - UPDATE validate: cel: + variables: + - name: allowedCapabilities + expression: "['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT']" + - name: allContainers + expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" expressions: - expression: >- - object.spec.containers.all(container, - !has(container.securityContext) || - !has(container.securityContext.capabilities) || - !has(container.securityContext.capabilities.add) || - container.securityContext.capabilities.add.all(capability, - ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability))) - message: >- - Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, - FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) - are disallowed. - - - expression: >- - !has(object.spec.initContainers) || - object.spec.initContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.capabilities) || - !has(container.securityContext.capabilities.add) || - container.securityContext.capabilities.add.all(capability, - ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability))) - message: >- - Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, - FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) - are disallowed. 
- - - expression: >- - !has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.capabilities) || - !has(container.securityContext.capabilities.add) || - container.securityContext.capabilities.add.all(capability, - ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability))) + variables.allContainers.all(container, + container.?securityContext.?capabilities.?add.orValue([]).all(capability, capability == '' || + capability in variables.allowedCapabilities)) message: >- Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) diff --git a/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml index 3bc6ebf30..ede51bb0e 100644 --- a/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: c57ee3440401887541c2d97727fc268d5cd9eb47faf00bea2f0ca738caffe483 -createdAt: "2023-12-03T00:22:34Z" +digest: 52a739e283afddd9c023a5d0b0d8822008a2923f7c0b5544a43cb76540c2c1f9 +createdAt: "2024-08-21T00:22:34Z" diff --git a/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml b/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml index d3ac68ac1..2fafe9e33 100644 --- a/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml +++ b/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml 
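Review bot: `capability == '' ||` in the new disallow-capabilities expression admits an empty-string entry in `securityContext.capabilities.add` with no comment saying why; if it is a workaround for how an empty element is evaluated, say so (`# '' tolerated because <reason>`), otherwise drop it so only `variables.allowedCapabilities` decides. The `allContainers` variable is written with `has(...) ? ... : []` here, in disallow-privileged-containers, disallow-proc-mount and restrict-seccomp, and again as `allContainerTypes` in disallow-selinux, but with `object.spec.?initContainers.orValue([])` in disallow-host-ports-range — one form and one name across the seven policies would make them greppable. `capability in variables.allowedCapabilities` is the right replacement for the old `exists()` scan; disallow-selinux still uses the `exists(type, type == ...)` form.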
@@ -31,9 +31,9 @@ spec: cel: expressions: - expression: >- - (!has(object.spec.hostNetwork) || object.spec.hostNetwork == false) && - (!has(object.spec.hostIPC) || object.spec.hostIPC == false) && - (!has(object.spec.hostPID) || object.spec.hostPID == false) + ( object.spec.?hostNetwork.orValue(false) == false) && + ( object.spec.?hostIPC.orValue(false) == false) && + ( object.spec.?hostPID.orValue(false) == false) message: >- Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must be unset or set to `false`. diff --git a/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml index 522af9210..88c0ff710 100644 --- a/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline)" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod,Volume" -digest: 7a78c73a64e61e91876d3ee30c99e1b39774ec885e881f4ffa0be11713710031 -createdAt: "2023-12-03T00:22:34Z" +digest: e03e92172513193882011b17c9bf4d66af1637a280c0cd6d696db580eea06558 +createdAt: "2024-08-21T00:22:34Z" diff --git a/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml b/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml index 58bb7109c..faa358038 100644 --- a/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml +++ b/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml @@ -29,5 +29,5 @@ spec: validate: cel: expressions: - - expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))" + - expression: "object.spec.?volumes.orValue([]).all(volume, size(volume) == 0 || !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset" 
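Review bot: The three rewritten terms in the disallow-host-namespaces expression carry a stray space after each opening parenthesis (`( object.spec.?hostNetwork...`), and comparing an already-boolean value with `== false` reads awkwardly; `!object.spec.?hostNetwork.orValue(false) && !object.spec.?hostIPC.orValue(false) && !object.spec.?hostPID.orValue(false)` evaluates identically. Behaviour is unchanged either way, so this is style only.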
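Review bot: `size(volume) == 0 ||` in the new disallow-host-path expression short-circuits for an empty volume map before the `hostPath` check; that is harmless, since `!has(volume.hostPath)` is already true for an empty map, but it is unexplained, and the same guard reappears as `size(port) == 0` in disallow-host-ports-range. Either drop the clause or add `# guards against an empty list element, which would otherwise <effect>` with the actual effect filled in, so the next reader does not wonder whether it masks a bypass.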
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml index 300feec3e..d5c83c72c 100644 --- a/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: e48d0f138fc501b4cc8726d2bc56dae5f0230b155744ea36eb08dfd5e51d823b -createdAt: "2023-12-03T00:22:34Z" +digest: 22f1d93a44d6e62c3329f6609e46b92729549be08cb157b7c1f11581527c4d48 +createdAt: "2024-08-21T00:22:34Z" diff --git a/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml b/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml index d64e350a7..b67269271 100644 --- a/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml +++ b/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml 
@@ -29,23 +29,18 @@ spec: - UPDATE validate: cel: + cel: + variables: + - name: allContainers + expression: >- + object.spec.containers + + object.spec.?initContainers.orValue([]) + + object.spec.?ephemeralContainers.orValue([]) expressions: - expression: >- - object.spec.containers.all(container, !has(container.ports) || - container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000))) - message: >- - The only permitted hostPorts are in the range 5000-6000. - - - expression: >- - !has(object.spec.initContainers) || - object.spec.initContainers.all(container, !has(container.ports) || - container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000))) - message: >- - The only permitted hostPorts are in the range 5000-6000. - - - expression: >- - !has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, !has(container.ports) || - container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000))) + variables.allContainers.all(container, + container.?ports.orValue([]).all(port, + size(port) == 0 || + !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000) )) message: >- The only permitted hostPorts are in the range 5000-6000. diff --git a/pod-security-cel/baseline/disallow-privileged-containers/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-privileged-containers/artifacthub-pkg.yml index d51943d7e..346873cc6 100644 --- a/pod-security-cel/baseline/disallow-privileged-containers/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-privileged-containers/artifacthub-pkg.yml 
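Review bot: The added `cel:` line directly beneath the existing `cel:` context line is a stray key: depending on how it is indented it either nests `variables` under `cel.cel`, leaving `variables.allContainers` undefined when `expressions` is evaluated, or duplicates the `cel` key of `validate`, which most YAML parsers resolve last-wins — either way the policy as committed cannot be the one that was tested. None of the other policies in this commit carry it; delete the added `cel:` so `variables:` and `expressions:` are siblings under the original `cel:`. The `size(port) == 0 ||` guard is also unexplained (see the disallow-host-path note), and this is the one policy that builds `allContainers` with `.?initContainers.orValue([])` instead of the `has(...) ? ... : []` form used elsewhere.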
@@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 6ef6ef12ea3680c1d610f056ed163539debdf195bed4a3ab688599d7dfaf82e8 -createdAt: "2023-12-03T00:22:34Z" +digest: 87d401d722951d3382e4848ee597448ad3a3504749000a57ba89f7a3acd17ba7 +createdAt: "2024-08-21T00:22:34Z" diff --git a/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml b/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml index df67481c9..5046692e4 100644 --- a/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml +++ b/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml 
@@ -28,29 +28,9 @@ spec: - UPDATE validate: cel: + variables: + - name: allContainers + expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" expressions: - - expression: >- - object.spec.containers.all(container, !has(container.securityContext) || - !has(container.securityContext.privileged) || - container.securityContext.privileged == false) - message: >- - Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged - must be unset or set to `false`. - - - expression: >- - !has(object.spec.initContainers) || - object.spec.initContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.privileged) || - container.securityContext.privileged == false) - message: >- - Privileged mode is disallowed. The fields spec.initContainers[*].securityContext.privileged - must be unset or set to `false`. - - - expression: >- - !has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.privileged) || - container.securityContext.privileged == false) - message: >- - Privileged mode is disallowed. The fields spec.ephemeralContainers[*].securityContext.privileged - must be unset or set to `false`. + - expression: "variables.allContainers.all(container, container.?securityContext.?privileged.orValue(false) == false)" + message: "Privileged mode is disallowed. All containers must set the securityContext.privileged field to `false` or unset the field." diff --git a/pod-security-cel/baseline/disallow-proc-mount/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-proc-mount/artifacthub-pkg.yml index 8ee2a461b..92e3f88d3 100644 --- a/pod-security-cel/baseline/disallow-proc-mount/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-proc-mount/artifacthub-pkg.yml 
@@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: b836600d6ae7f490ba39f55df45fa599c88a5c76386ee6faf8a6609ff626179b -createdAt: "2023-12-03T00:22:33Z" +digest: e75db214f9179242625089686a02094d9dbf9ded059b1e71ff909aa0b582b1a5 +createdAt: "2024-08-21T00:22:33Z" diff --git a/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml b/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml index 42dbbcf9e..6b12ea58d 100644 --- a/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml +++ b/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml 
@@ -30,29 +30,9 @@ spec: - UPDATE validate: cel: + variables: + - name: allContainers + expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" expressions: - - expression: >- - object.spec.containers.all(container, !has(container.securityContext) || - !has(container.securityContext.procMount) || - container.securityContext.procMount == 'Default') - message: >- - Changing the proc mount from the default is not allowed. The field - spec.containers[*].securityContext.procMount must be unset or set to `Default`. - - - expression: >- - !has(object.spec.initContainers) || - object.spec.initContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.procMount) || - container.securityContext.procMount == 'Default') - message: >- - Changing the proc mount from the default is not allowed. The field - spec.initContainers[*].securityContext.procMount must be unset or set to `Default`. - - - expression: >- - !has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.procMount) || - container.securityContext.procMount == 'Default') - message: >- - Changing the proc mount from the default is not allowed. The field - spec.ephemeralContainers[*].securityContext.procMount must be unset or set to `Default`. + - expression: "variables.allContainers.all(container, container.?securityContext.?procMount.orValue('Default') == 'Default')" + message: "Changing the proc mount from the default is not allowed." diff --git a/pod-security-cel/baseline/restrict-seccomp/artifacthub-pkg.yml b/pod-security-cel/baseline/restrict-seccomp/artifacthub-pkg.yml index 359c6c7bd..33895bece 100644 --- a/pod-security-cel/baseline/restrict-seccomp/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/restrict-seccomp/artifacthub-pkg.yml 
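Review bot: The replacement message `"Changing the proc mount from the default is not allowed."` drops the field path that each of the three old messages carried, so a user whose Pod is rejected is no longer told which field to fix; the new privileged-containers message keeps that information and this one should too, e.g. `message: "Changing the proc mount from the default is not allowed. The field securityContext.procMount must be unset or set to 'Default' on every container, initContainer and ephemeralContainer."`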
@@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: ba179d3d3d4435152b80e3aefbae44edd59b2300cd30395cde1c0a015e135f09 -createdAt: "2023-12-03T00:22:34Z" +digest: c239371f4dd418e2410b05bbf0893d81255e0ac06fa62e169e71506123d88cf5 +createdAt: "2024-08-21T00:22:34Z" diff --git a/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml b/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml index e54a3c69b..4e74a34f6 100644 --- a/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml +++ b/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml 
@@ -29,45 +29,18 @@ spec: - UPDATE validate: cel: + variables: + - name: allContainers + expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" + - name: allowedProfileTypes + expression: "['RuntimeDefault', 'Localhost']" expressions: - expression: >- - !has(object.spec.securityContext) || - !has(object.spec.securityContext.seccompProfile) || - !has(object.spec.securityContext.seccompProfile.type) || - object.spec.securityContext.seccompProfile.type == 'RuntimeDefault' || - object.spec.securityContext.seccompProfile.type == 'Localhost' - message: >- - Use of custom Seccomp profiles is disallowed. The field - spec.securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`. - - - expression: >- - object.spec.containers.all(container, !has(container.securityContext) || - !has(container.securityContext.seccompProfile) || - !has(container.securityContext.seccompProfile.type) || - container.securityContext.seccompProfile.type == 'RuntimeDefault' || - container.securityContext.seccompProfile.type == 'Localhost') + (object.spec.?securityContext.?seccompProfile.?type.orValue('Localhost') + in variables.allowedProfileTypes) && + (variables.allContainers.all(container, + container.?securityContext.?seccompProfile.?type.orValue('Localhost') + in variables.allowedProfileTypes)) message: >- Use of custom Seccomp profiles is disallowed. The field spec.containers[*].securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`. 
- - - expression: >- - !has(object.spec.initContainers) || - object.spec.initContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.seccompProfile) || - !has(container.securityContext.seccompProfile.type) || - container.securityContext.seccompProfile.type == 'RuntimeDefault' || - container.securityContext.seccompProfile.type == 'Localhost') - message: >- - Use of custom Seccomp profiles is disallowed. The field - spec.initContainers[*].securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`. - - - expression: >- - !has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.seccompProfile) || - !has(container.securityContext.seccompProfile.type) || - container.securityContext.seccompProfile.type == 'RuntimeDefault' || - container.securityContext.seccompProfile.type == 'Localhost') - message: >- - Use of custom Seccomp profiles is disallowed. The field - spec.ephemeralContainers[*].securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`. diff --git a/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml b/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml index 737e81be9..98cfe547e 100644 --- a/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 97f75f8cdd2e3ee9f9696cdceccc34cf0df5edbca0e3bbab76572494a26ce6e8 -createdAt: "2023-12-03T00:22:33Z" +digest: 451731aeba70f3c37f7a58cc1ba47b7fed8ffc8971e4a664c81406004f93b61c +createdAt: "2024-08-21T00:22:33Z" 
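Review bot: The one message retained in restrict-seccomp still names only `spec.containers[*].securityContext.seccompProfile.type`, but the merged expression now also evaluates the pod-level `spec.securityContext.seccompProfile.type` and the init/ephemeral containers, so a Pod rejected for its pod-level profile is pointed at the wrong field; reword it to `The fields spec.securityContext.seccompProfile.type and securityContext.seccompProfile.type on every container must be unset or set to RuntimeDefault or Localhost.` Using `orValue('Localhost')` as the stand-in for an unset type is correct only because `Localhost` happens to be in `allowedProfileTypes`, and it reads as though Localhost were the default; a comment such as `# an unset type is accepted; in effect only Unconfined is rejected` would make the intent explicit. The rule's `match` block starts outside the hunk.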
diff --git a/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml b/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml index d564df539..294685d36 100644 --- a/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml +++ b/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml @@ -32,16 +32,13 @@ spec: - UPDATE validate: cel: + variables: + - name: allowedSysctls + expression: "['kernel.shm_rmid_forced','net.ipv4.ip_local_port_range','net.ipv4.ip_unprivileged_port_start','net.ipv4.tcp_syncookies','net.ipv4.ping_group_range']" expressions: - expression: >- - !has(object.spec.securityContext) || - !has(object.spec.securityContext.sysctls) || - object.spec.securityContext.sysctls.all(sysctl, !has(sysctl.name) || - sysctl.name == 'kernel.shm_rmid_forced' || - sysctl.name == 'net.ipv4.ip_local_port_range' || - sysctl.name == 'net.ipv4.ip_unprivileged_port_start' || - sysctl.name == 'net.ipv4.tcp_syncookies' || - sysctl.name == 'net.ipv4.ping_group_range') + object.spec.?securityContext.?sysctls.orValue([]).all(sysctl, sysctl == '' || + has(sysctl.name) && sysctl.name in variables.allowedSysctls) message: >- Setting additional sysctls above the allowed type is disallowed. The field spec.securityContext.sysctls must be unset or not use any other names From 6a8795cb6e8f3e1f6185b39b510bae69e1bd65fa Mon Sep 17 00:00:00 2001 From: siddhikhapare <81567515+siddhikhapare@users.noreply.github.com> Date: Tue, 27 Aug 2024 03:21:29 +0530 Subject: [PATCH 9/9] Updated cel expression of selinux (#1122) Signed-off-by: siddhikhapare Co-authored-by: Jim Bugwadia --- .../disallow-selinux/artifacthub-pkg.yml | 2 +- .../disallow-selinux/disallow-selinux.yaml | 91 +++++-------------- 2 files changed, 23 insertions(+), 70 deletions(-) diff --git a/pod-security-cel/baseline/disallow-selinux/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-selinux/artifacthub-pkg.yml index a0d6fa163..2588b4ebe 100644 
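Review bot: `sysctl == ''` in the new restrict-sysctls expression compares a map — each `securityContext.sysctls` entry is an object with `name` and `value` — against a string; depending on whether the CEL environment enables heterogeneous equality that clause is either always false (dead code) or a no-such-overload evaluation error that fails the whole policy, so drop it or use the `size(sysctl) == 0` form the other policies use, with a comment on what it defends against. Note also a quiet semantic change: the old expression accepted an entry without `name` (`!has(sysctl.name) ||`) while the new `has(sysctl.name) && sysctl.name in variables.allowedSysctls` rejects it; that is the safer direction, but it belongs in the commit message rather than going unmentioned.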
--- a/pod-security-cel/baseline/disallow-selinux/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-selinux/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: d842a1741805d9480e9a571a80117f4e2c6210b0d984d1c22e54545c3df9dd0d +digest: 03aa7b1e6017f42e75639c61a6593e1ac241ba1f158b72eaa8751c60b6c9d0f5 createdAt: "2023-12-03T00:22:33Z" diff --git a/pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml b/pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml index 983ebe1f1..b78bbd4ce 100644 --- a/pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml +++ b/pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml 
@@ -28,52 +28,24 @@ spec: - UPDATE validate: cel: + variables: + - name: allContainerTypes + expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" + - name: seLinuxTypes + expression: "['container_t', 'container_init_t', 'container_kvm_t']" expressions: - - expression: >- - !has(object.spec.securityContext) || + - expression: >- + (!has(object.spec.securityContext) || !has(object.spec.securityContext.seLinuxOptions) || !has(object.spec.securityContext.seLinuxOptions.type) || - object.spec.securityContext.seLinuxOptions.type == 'container_t' || - object.spec.securityContext.seLinuxOptions.type == 'container_init_t' || - object.spec.securityContext.seLinuxOptions.type == 'container_kvm_t' - message: >- - Setting the SELinux type is restricted. The field spec.securityContext.seLinuxOptions.type - must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t). - - - expression: >- - object.spec.containers.all(container, !has(container.securityContext) || - !has(container.securityContext.seLinuxOptions) || - !has(container.securityContext.seLinuxOptions.type) || - container.securityContext.seLinuxOptions.type == 'container_t' || - container.securityContext.seLinuxOptions.type == 'container_init_t' || - container.securityContext.seLinuxOptions.type == 'container_kvm_t') - message: >- - Setting the SELinux type is restricted. The field spec.containers[*].securityContext.seLinuxOptions.type - must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t). 
- - - expression: >- - !has(object.spec.initContainers) || - object.spec.initContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.seLinuxOptions) || - !has(container.securityContext.seLinuxOptions.type) || - container.securityContext.seLinuxOptions.type == 'container_t' || - container.securityContext.seLinuxOptions.type == 'container_init_t' || - container.securityContext.seLinuxOptions.type == 'container_kvm_t') - message: >- - Setting the SELinux type is restricted. The field spec.initContainers[*].securityContext.seLinuxOptions.type - must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t). - - - expression: >- - !has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, !has(container.securityContext) || + variables.seLinuxTypes.exists(type, type == object.spec.securityContext.seLinuxOptions.type)) && + variables.allContainerTypes.all(container, + !has(container.securityContext) || !has(container.securityContext.seLinuxOptions) || !has(container.securityContext.seLinuxOptions.type) || - container.securityContext.seLinuxOptions.type == 'container_t' || - container.securityContext.seLinuxOptions.type == 'container_init_t' || - container.securityContext.seLinuxOptions.type == 'container_kvm_t') + variables.seLinuxTypes.exists(type, type == container.securityContext.seLinuxOptions.type)) message: >- - Setting the SELinux type is restricted. The field spec.ephemeralContainers[*].securityContext.seLinuxOptions.type - must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t). + Setting the SELinux type is restricted. The field securityContext.seLinuxOptions.type must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t). - name: selinux-user-role match: any: 
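Review bot: `variables.seLinuxTypes.exists(type, type == object.spec.securityContext.seLinuxOptions.type)` scans the list where a membership test reads more directly and matches the other baseline CEL policies: `object.spec.securityContext.seLinuxOptions.type in variables.seLinuxTypes`, and likewise for the container clause. The variable is named `allContainerTypes` here while disallow-capabilities, disallow-privileged-containers, disallow-proc-mount and restrict-seccomp name the identical expression `allContainers`; it holds containers, not types, so `allContainers` is the clearer name. The `has()` chains could also adopt the `.?` optional-field syntax those policies use, but that is optional.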
@@ -85,37 +57,18 @@ spec: - UPDATE validate: cel: + variables: + - name: allContainerTypes + expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" expressions: - - expression: >- - !has(object.spec.securityContext) || + - expression: >- + (!has(object.spec.securityContext) || !has(object.spec.securityContext.seLinuxOptions) || - (!has(object.spec.securityContext.seLinuxOptions.user) && !has(object.spec.securityContext.seLinuxOptions.role)) - message: >- - Setting the SELinux user or role is forbidden. The fields - spec.securityContext.seLinuxOptions.user and spec.securityContext.seLinuxOptions.role must be unset. - - - expression: >- - object.spec.containers.all(container, !has(container.securityContext) || - !has(container.securityContext.seLinuxOptions) || - (!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role))) - message: >- - Setting the SELinux user or role is forbidden. The fields - spec.containers[*].securityContext.seLinuxOptions.user and spec.containers[*].securityContext.seLinuxOptions.role must be unset. - - - expression: >- - !has(object.spec.initContainers) || - object.spec.initContainers.all(container, !has(container.securityContext) || - !has(container.securityContext.seLinuxOptions) || - (!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role))) - message: >- - Setting the SELinux user or role is forbidden. The fields - spec.initContainers[*].securityContext.seLinuxOptions.user and spec.initContainers[*].securityContext.seLinuxOptions.role must be unset. 
- - - expression: >- - !has(object.spec.ephemeralContainers) || - object.spec.ephemeralContainers.all(container, !has(container.securityContext) || + (!has(object.spec.securityContext.seLinuxOptions.user) && !has(object.spec.securityContext.seLinuxOptions.role))) && + variables.allContainerTypes.all(container, + !has(container.securityContext) || !has(container.securityContext.seLinuxOptions) || (!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role))) message: >- - Setting the SELinux user or role is forbidden. The fields - spec.ephemeralContainers[*].securityContext.seLinuxOptions.user and spec.ephemeralContainers[*].securityContext.seLinuxOptions.role must be unset. + Setting the SELinux user or role is forbidden. The fields seLinuxOptions.user and seLinuxOptions.role must be unset. + \ No newline at end of file
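Review bot: The last added line is whitespace-only and is followed by `\ No newline at end of file`, so the file now ends in a blank line with trailing spaces and no final newline; drop that line and end the file with a single newline after the `message` text (yamllint `trailing-spaces` and `new-line-at-end-of-file`). The `allContainerTypes` variable is redefined here identically to the first rule's; since the variables sit under each rule's own `validate.cel`, the repetition appears to be required, and a one-line comment saying so would stop the next reader from trying to deduplicate it.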