Signed-off-by: Hidehito Yabuuchi <hdht.ybuc@gmail.com>
Showing 203 changed files with 4,109 additions and 51 deletions.
artifacthub/library/general/automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml (22 changes: 22 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
version: 1.0.1 | ||
name: k8spspautomountserviceaccounttokenpod | ||
displayName: Automount Service Account Token for Pod | ||
createdAt: "2023-05-23T09:05:02Z" | ||
description: Controls the ability of any Pod to enable automountServiceAccountToken. | ||
digest: 37fb0a86a97fefe327e1e89a9b4df69b22d7844aa1545008185a1817b1ba1c82 | ||
license: Apache-2.0 | ||
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/automount-serviceaccount-token | ||
keywords: | ||
- gatekeeper | ||
- open-policy-agent | ||
- policies | ||
readme: |- | ||
# Automount Service Account Token for Pod | ||
Controls the ability of any Pod to enable automountServiceAccountToken. | ||
install: |- | ||
### Usage | ||
```shell | ||
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml | ||
``` | ||
provider: | ||
name: Gatekeeper Library |
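Review bot: the `install` snippet fetches `template.yaml` from the mutable `master` ref (`raw.githubusercontent.com/.../master/...`), while `digest` on line 6 of this file pins one specific content hash; a consumer running the documented `kubectl apply` can therefore receive a template that no longer matches the advertised digest. Consider pointing the install URL at a release tag or commit SHA so the installed artifact is the one the digest describes.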
artifacthub/library/general/automount-serviceaccount-token/1.0.1/kustomization.yaml (2 changes: 2 additions & 0 deletions)
@@ -0,0 +1,2 @@ | ||
resources: | ||
- template.yaml |
...tomount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/constraint.yaml (10 changes: 10 additions & 0 deletions)
@@ -0,0 +1,10 @@ | ||
apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
kind: K8sPSPAutomountServiceAccountTokenPod | ||
metadata: | ||
name: psp-automount-serviceaccount-token-pod | ||
spec: | ||
match: | ||
kinds: | ||
- apiGroups: [""] | ||
kinds: ["Pod"] | ||
excludedNamespaces: ["kube-system"] |
...nt-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_allowed.yaml (11 changes: 11 additions & 0 deletions)
@@ -0,0 +1,11 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-automountserviceaccounttoken-allowed | ||
labels: | ||
app: nginx-not-automountserviceaccounttoken | ||
spec: | ||
automountServiceAccountToken: false | ||
containers: | ||
- name: nginx | ||
image: nginx |
...serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_disallowed.yaml (11 changes: 11 additions & 0 deletions)
@@ -0,0 +1,11 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-automountserviceaccounttoken-disallowed | ||
labels: | ||
app: nginx-automountserviceaccounttoken | ||
spec: | ||
automountServiceAccountToken: true | ||
containers: | ||
- name: nginx | ||
image: nginx |
artifacthub/library/general/automount-serviceaccount-token/1.0.1/suite.yaml (17 changes: 17 additions & 0 deletions)
@@ -0,0 +1,17 @@ | ||
kind: Suite | ||
apiVersion: test.gatekeeper.sh/v1alpha1 | ||
metadata: | ||
name: automount-serviceaccount-token | ||
tests: | ||
- name: automount-serviceaccount-token | ||
template: template.yaml | ||
constraint: samples/automount-serviceaccount-token/constraint.yaml | ||
cases: | ||
- name: example-allowed | ||
object: samples/automount-serviceaccount-token/example_allowed.yaml | ||
assertions: | ||
- violations: no | ||
- name: example-disallowed | ||
object: samples/automount-serviceaccount-token/example_disallowed.yaml | ||
assertions: | ||
- violations: yes |
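Review bot: the suite only exercises the explicit `automountServiceAccountToken: true` / `false` branch; the template's second `mountServiceAccountToken` rule (field absent, a `volumeMounts[].mountPath` of `/var/run/secrets/kubernetes.io/serviceaccount` present) and the `initContainers` path of `input_containers` have no case at all. Add a disallowed sample with the field omitted and the token path mounted in an init container, and an allowed sample with the field omitted and no such mount, so both rules and both container lists are pinned by `violations: yes` / `no` assertions.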
artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml (59 changes: 59 additions & 0 deletions)
@@ -0,0 +1,59 @@ | ||
apiVersion: templates.gatekeeper.sh/v1 | ||
kind: ConstraintTemplate | ||
metadata: | ||
name: k8spspautomountserviceaccounttokenpod | ||
annotations: | ||
metadata.gatekeeper.sh/title: "Automount Service Account Token for Pod" | ||
metadata.gatekeeper.sh/version: 1.0.1 | ||
description: >- | ||
Controls the ability of any Pod to enable automountServiceAccountToken. | ||
spec: | ||
crd: | ||
spec: | ||
names: | ||
kind: K8sPSPAutomountServiceAccountTokenPod | ||
validation: | ||
openAPIV3Schema: | ||
type: object | ||
description: >- | ||
Controls the ability of any Pod to enable automountServiceAccountToken. | ||
targets: | ||
- target: admission.k8s.gatekeeper.sh | ||
rego: | | ||
package k8sautomountserviceaccounttoken | ||
import data.lib.exclude_update_patch.is_update_or_patch | ||
violation[{"msg": msg}] { | ||
# spec.automountServiceAccountToken and spec.containers.volumeMounts fields are immutable. | ||
not is_update_or_patch(input.review) | ||
obj := input.review.object | ||
mountServiceAccountToken(obj.spec) | ||
msg := sprintf("Automounting service account token is disallowed, pod: %v", [obj.metadata.name]) | ||
} | ||
mountServiceAccountToken(spec) { | ||
spec.automountServiceAccountToken == true | ||
} | ||
# if there is no automountServiceAccountToken spec, check on volumeMount in containers. Service Account token is mounted on /var/run/secrets/kubernetes.io/serviceaccount | ||
# https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller | ||
mountServiceAccountToken(spec) { | ||
not has_key(spec, "automountServiceAccountToken") | ||
"/var/run/secrets/kubernetes.io/serviceaccount" == input_containers[_].volumeMounts[_].mountPath | ||
} | ||
input_containers[c] { | ||
c := input.review.object.spec.containers[_] | ||
} | ||
input_containers[c] { | ||
c := input.review.object.spec.initContainers[_] | ||
} | ||
# Ephemeral containers not checked as it is not possible to set field. | ||
has_key(x, k) { | ||
_ = x[k] | ||
} |
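Review bot: the Rego imports `data.lib.exclude_update_patch.is_update_or_patch`, but the `targets` entry in this hunk carries only `rego:` and no `libs:` section supplying the `lib.exclude_update_patch` package; with the function unresolved the template will not compile and the constraint never enforces anything. Add the library under `libs:` next to `rego:` (or drop the import and the `not is_update_or_patch(input.review)` line if the UPDATE/PATCH skip is not wanted). It is also worth a comment that the volumeMount fallback only works because the ServiceAccount admission plugin injects the `/var/run/secrets/kubernetes.io/serviceaccount` mount before this validating webhook sees the object.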
artifacthub/library/general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml (25 changes: 25 additions & 0 deletions)
@@ -0,0 +1,25 @@ | ||
version: 1.0.1 | ||
name: k8scontainerephemeralstoragelimit | ||
displayName: Container ephemeral storage limit | ||
createdAt: "2023-05-23T09:05:05Z" | ||
description: |- | ||
Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values. | ||
https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | ||
digest: 2e9113ce2a7115ccc27f8e476557181acdd5d18fa33b4fd4c9906ee9357bd662 | ||
license: Apache-2.0 | ||
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/ephemeralstoragelimit | ||
keywords: | ||
- gatekeeper | ||
- open-policy-agent | ||
- policies | ||
readme: |- | ||
# Container ephemeral storage limit | ||
Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values. | ||
https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | ||
install: |- | ||
### Usage | ||
```shell | ||
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml | ||
``` | ||
provider: | ||
name: Gatekeeper Library |
artifacthub/library/general/ephemeralstoragelimit/1.0.1/kustomization.yaml (2 changes: 2 additions & 0 deletions)
@@ -0,0 +1,2 @@ | ||
resources: | ||
- template.yaml |
...ralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/constraint.yaml (11 changes: 11 additions & 0 deletions)
@@ -0,0 +1,11 @@ | ||
apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
kind: K8sContainerEphemeralStorageLimit | ||
metadata: | ||
name: container-ephemeral-storage-limit | ||
spec: | ||
match: | ||
kinds: | ||
- apiGroups: [""] | ||
kinds: ["Pod"] | ||
parameters: | ||
ephemeral-storage: "500Mi" |
...er-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage-initContainer.yaml (33 changes: 33 additions & 0 deletions)
@@ -0,0 +1,33 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: opa-allowed | ||
labels: | ||
owner: me.agilebank.demo | ||
spec: | ||
initContainers: | ||
- name: init-opa | ||
image: openpolicyagent/opa:0.9.2 | ||
args: | ||
- "run" | ||
- "--server" | ||
- "--addr=localhost:8080" | ||
resources: | ||
limits: | ||
cpu: "100m" | ||
memory: "1Gi" | ||
ephemeral-storage: "100Mi" | ||
|
||
|
||
containers: | ||
- name: opa | ||
image: openpolicyagent/opa:0.9.2 | ||
args: | ||
- "run" | ||
- "--server" | ||
- "--addr=localhost:8080" | ||
resources: | ||
limits: | ||
cpu: "100m" | ||
memory: "1Gi" | ||
ephemeral-storage: "100Mi" |
...amples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage.yaml (20 changes: 20 additions & 0 deletions)
@@ -0,0 +1,20 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: opa-allowed | ||
labels: | ||
owner: me.agilebank.demo | ||
spec: | ||
containers: | ||
- name: opa | ||
image: openpolicyagent/opa:0.9.2 | ||
args: | ||
- "run" | ||
- "--server" | ||
- "--addr=localhost:8080" | ||
resources: | ||
limits: | ||
cpu: "100m" | ||
memory: "1Gi" | ||
|
||
ephemeral-storage: "100Mi" |
...ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml (31 changes: 31 additions & 0 deletions)
@@ -0,0 +1,31 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: opa-disallowed | ||
labels: | ||
owner: me.agilebank.demo | ||
spec: | ||
initContainers: | ||
- name: init-opa | ||
image: openpolicyagent/opa:0.9.2 | ||
args: | ||
- "run" | ||
- "--server" | ||
- "--addr=localhost:8080" | ||
resources: | ||
limits: | ||
cpu: "100m" | ||
memory: "1Gi" | ||
ephemeral-storage: "1Pi" | ||
containers: | ||
- name: opa | ||
image: openpolicyagent/opa:0.9.2 | ||
args: | ||
- "run" | ||
- "--server" | ||
- "--addr=localhost:8080" | ||
resources: | ||
limits: | ||
cpu: "100m" | ||
memory: "1Gi" | ||
ephemeral-storage: "100Mi" |
...ner-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi.yaml (20 changes: 20 additions & 0 deletions)
@@ -0,0 +1,20 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: opa-disallowed | ||
labels: | ||
owner: me.agilebank.demo | ||
spec: | ||
containers: | ||
- name: opa | ||
image: openpolicyagent/opa:0.9.2 | ||
args: | ||
- "run" | ||
- "--server" | ||
- "--addr=localhost:8080" | ||
resources: | ||
limits: | ||
cpu: "100m" | ||
memory: "1Gi" | ||
|
||
ephemeral-storage: "1Pi" |
...-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_unspecified.yaml (18 changes: 18 additions & 0 deletions)
@@ -0,0 +1,18 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: opa-disallowed | ||
labels: | ||
owner: me.agilebank.demo | ||
spec: | ||
containers: | ||
- name: opa | ||
image: openpolicyagent/opa:0.9.2 | ||
args: | ||
- "run" | ||
- "--server" | ||
- "--addr=localhost:8080" | ||
resources: | ||
limits: | ||
cpu: "100m" | ||
memory: "2Gi" |
artifacthub/library/general/ephemeralstoragelimit/1.0.1/suite.yaml (29 changes: 29 additions & 0 deletions)
@@ -0,0 +1,29 @@ | ||
kind: Suite | ||
apiVersion: test.gatekeeper.sh/v1alpha1 | ||
metadata: | ||
name: ephemeral-storage-limit | ||
tests: | ||
- name: ephemeral-storage-limit | ||
template: template.yaml | ||
constraint: samples/container-must-have-ephemeral-storage-limit/constraint.yaml | ||
cases: | ||
- name: ephemeral-storage-limit-100Mi | ||
object: samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage.yaml | ||
assertions: | ||
- violations: no | ||
- name: ephemeral-storage-limit-initContainer-100Mi | ||
object: samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage-initContainer.yaml | ||
assertions: | ||
- violations: no | ||
- name: ephemeral-storage-limit-unspecified | ||
object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_unspecified.yaml | ||
assertions: | ||
- violations: yes | ||
- name: ephemeral-storage-limit-1Pi | ||
object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi.yaml | ||
assertions: | ||
- violations: yes | ||
- name: ephemeral-storage-limit-initContainer-1Pi | ||
object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml | ||
assertions: | ||
- violations: yes |
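Review bot: the five cases cover a missing limit and a 1Pi limit on a main container, and a 1Pi limit on an init container, but no case has an init container that omits `ephemeral-storage` entirely while the main container is compliant, and no case sits on the boundary with a limit equal to the constraint's `ephemeral-storage: "500Mi"` parameter. Add `example_disallowed_ephemeral_storage_limit_unspecified-initContainer.yaml` and a `500Mi` sample with an explicit `violations:` assertion so the init-container path and whether the maximum is inclusive are both pinned.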