Exclude UPDATE operations in constraints for immutable fields (#348)

* Add Rego library for excluding UPDATE and PATCH operations

Signed-off-by: Hidehito Yabuuchi <hdht.ybuc@gmail.com>

* Exclude UPDATE and PATCH operations in constraints for immutable fields

Signed-off-by: Hidehito Yabuuchi <hdht.ybuc@gmail.com>

* make generate-all

Signed-off-by: Hidehito Yabuuchi <hdht.ybuc@gmail.com>

* Exclude `UPDATE` operation only

Signed-off-by: Hidehito Yabuuchi <hdht.ybuc@gmail.com>

* make generate-all

Signed-off-by: Hidehito Yabuuchi <hdht.ybuc@gmail.com>

* Add tests for constraint templates

Signed-off-by: Hidehito Yabuuchi <hdht.ybuc@gmail.com>

* Add tests for constraints

Signed-off-by: Hidehito Yabuuchi <hdht.ybuc@gmail.com>

* make generate-all

Signed-off-by: Hidehito Yabuuchi <hdht.ybuc@gmail.com>

* Remove unnecessary future.keywords.in import

Signed-off-by: Hidehito Yabuuchi <hdht.ybuc@gmail.com>

* Apply suggestions from code review

Co-authored-by: Andrew Peabody <andrewpeabody@google.com>
Signed-off-by: Hidehito Yabuuchi <hdht.ybuc@gmail.com>

* make generate-all

Signed-off-by: Hidehito Yabuuchi <hdht.ybuc@gmail.com>

---------

Signed-off-by: Hidehito Yabuuchi <hdht.ybuc@gmail.com>
Co-authored-by: Andrew Peabody <andrewpeabody@google.com>

artifacthub/library/general/automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml

@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspautomountserviceaccounttokenpod
+displayName: Automount Service Account Token for Pod
+createdAt: "2023-05-23T09:47:24Z"
+description: Controls the ability of any Pod to enable automountServiceAccountToken.
+digest: 8b62e4b2324e9e60a66008e6edcc327bcd2b531d3a905f10bf25a1671079ce6e
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/automount-serviceaccount-token
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Automount Service Account Token for Pod
+    Controls the ability of any Pod to enable automountServiceAccountToken.
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library

artifacthub/library/general/automount-serviceaccount-token/1.0.1/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - template.yaml

artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/constraint.yaml

@@ -0,0 +1,10 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPAutomountServiceAccountTokenPod
+metadata:
+  name: psp-automount-serviceaccount-token-pod
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+    excludedNamespaces: ["kube-system"]

artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_allowed.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-automountserviceaccounttoken-allowed
+  labels:
+    app: nginx-not-automountserviceaccounttoken
+spec:
+  automountServiceAccountToken: false
+  containers:
+  - name: nginx
+    image: nginx

artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_disallowed.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-automountserviceaccounttoken-disallowed
+  labels:
+    app: nginx-automountserviceaccounttoken
+spec:
+  automountServiceAccountToken: true
+  containers:
+  - name: nginx
+    image: nginx

artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/update.yaml

@@ -0,0 +1,16 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+  operation: "UPDATE"
+  object:
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: nginx-automountserviceaccounttoken-update
+      labels:
+        app: nginx-automountserviceaccounttoken
+    spec:
+      automountServiceAccountToken: true
+      containers:
+        - name: nginx
+          image: nginx

artifacthub/library/general/automount-serviceaccount-token/1.0.1/suite.yaml

@@ -0,0 +1,21 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: automount-serviceaccount-token
+tests:
+  - name: automount-serviceaccount-token
+    template: template.yaml
+    constraint: samples/automount-serviceaccount-token/constraint.yaml
+    cases:
+      - name: example-allowed
+        object: samples/automount-serviceaccount-token/example_allowed.yaml
+        assertions:
+          - violations: no
+      - name: example-disallowed
+        object: samples/automount-serviceaccount-token/example_disallowed.yaml
+        assertions:
+          - violations: yes
+      - name: update
+        object: samples/automount-serviceaccount-token/update.yaml
+        assertions:
+          - violations: no

artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml

@@ -0,0 +1,66 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8spspautomountserviceaccounttokenpod
+  annotations:
+    metadata.gatekeeper.sh/title: "Automount Service Account Token for Pod"
+    metadata.gatekeeper.sh/version: 1.0.1
+    description: >-
+      Controls the ability of any Pod to enable automountServiceAccountToken.
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sPSPAutomountServiceAccountTokenPod
+      validation:
+        openAPIV3Schema:
+          type: object
+          description: >-
+            Controls the ability of any Pod to enable automountServiceAccountToken.
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sautomountserviceaccounttoken
+
+        import data.lib.exclude_update.is_update
+
+        violation[{"msg": msg}] {
+            # spec.automountServiceAccountToken and spec.containers.volumeMounts fields are immutable.
+            not is_update(input.review)
+
+            obj := input.review.object
+            mountServiceAccountToken(obj.spec)
+            msg := sprintf("Automounting service account token is disallowed, pod: %v", [obj.metadata.name])
+        }
+
+        mountServiceAccountToken(spec) {
+            spec.automountServiceAccountToken == true
+        }
+
+        # if there is no automountServiceAccountToken spec, check on volumeMount in containers. Service Account token is mounted on /var/run/secrets/kubernetes.io/serviceaccount
+        # https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller
+        mountServiceAccountToken(spec) {
+            not has_key(spec, "automountServiceAccountToken")
+            "/var/run/secrets/kubernetes.io/serviceaccount" == input_containers[_].volumeMounts[_].mountPath
+        }
+
+        input_containers[c] {
+            c := input.review.object.spec.containers[_]
+        }
+
+        input_containers[c] {
+            c := input.review.object.spec.initContainers[_]
+        }
+
+        # Ephemeral containers not checked as it is not possible to set field.
+
+        has_key(x, k) {
+            _ = x[k]
+        }
+      libs:
+        - |
+          package lib.exclude_update
+
+          is_update(review) {
+              review.operation == "UPDATE"
+          }

artifacthub/library/general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml

@@ -0,0 +1,25 @@
+version: 1.0.1
+name: k8scontainerephemeralstoragelimit
+displayName: Container ephemeral storage limit
+createdAt: "2023-05-23T09:47:27Z"
+description: |-
+    Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values.
+    https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+digest: 84077f1dbcdcab9a7c20710e82299995e44294fccdb1a5b9de63fb5a5032a6d8
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/ephemeralstoragelimit
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Container ephemeral storage limit
+    Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values.
+    https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library

artifacthub/library/general/ephemeralstoragelimit/1.0.1/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - template.yaml

artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/constraint.yaml

@@ -0,0 +1,11 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sContainerEphemeralStorageLimit
+metadata:
+  name: container-ephemeral-storage-limit
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    ephemeral-storage: "500Mi"

artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage-initContainer.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: opa-allowed
+  labels:
+    owner: me.agilebank.demo
+spec:
+  initContainers:
+    - name: init-opa
+      image: openpolicyagent/opa:0.9.2
+      args:
+        - "run"
+        - "--server"
+        - "--addr=localhost:8080"
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "1Gi"
+          ephemeral-storage: "100Mi"
+
+
+  containers:
+    - name: opa
+      image: openpolicyagent/opa:0.9.2
+      args:
+        - "run"
+        - "--server"
+        - "--addr=localhost:8080"
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "1Gi"
+          ephemeral-storage: "100Mi"

artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: opa-allowed
+  labels:
+    owner: me.agilebank.demo
+spec:
+  containers:
+    - name: opa
+      image: openpolicyagent/opa:0.9.2
+      args:
+        - "run"
+        - "--server"
+        - "--addr=localhost:8080"
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "1Gi"
+
+          ephemeral-storage: "100Mi"

artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: opa-disallowed
+  labels:
+    owner: me.agilebank.demo
+spec:
+  initContainers:
+    - name: init-opa
+      image: openpolicyagent/opa:0.9.2
+      args:
+        - "run"
+        - "--server"
+        - "--addr=localhost:8080"
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "1Gi"
+          ephemeral-storage: "1Pi"
+  containers:
+    - name: opa
+      image: openpolicyagent/opa:0.9.2
+      args:
+        - "run"
+        - "--server"
+        - "--addr=localhost:8080"
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "1Gi"
+          ephemeral-storage: "100Mi"

artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: opa-disallowed
+  labels:
+    owner: me.agilebank.demo
+spec:
+  containers:
+    - name: opa
+      image: openpolicyagent/opa:0.9.2
+      args:
+        - "run"
+        - "--server"
+        - "--addr=localhost:8080"
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "1Gi"
+
+          ephemeral-storage: "1Pi"

artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_unspecified.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: opa-disallowed
+  labels:
+    owner: me.agilebank.demo
+spec:
+  containers:
+    - name: opa
+      image: openpolicyagent/opa:0.9.2
+      args:
+        - "run"
+        - "--server"
+        - "--addr=localhost:8080"
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "2Gi"

artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/update.yaml

@@ -0,0 +1,24 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+  operation: "UPDATE"
+  object:
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: opa-allowed
+      labels:
+        owner: me.agilebank.demo
+    spec:
+      containers:
+        - name: opa
+          image: openpolicyagent/opa:0.9.2
+          args:
+            - "run"
+            - "--server"
+            - "--addr=localhost:8080"
+          resources:
+            limits:
+              cpu: "100m"
+              memory: "1Gi"
+              ephemeral-storage: "1Pi"

artifacthub/library/general/ephemeralstoragelimit/1.0.1/suite.yaml

@@ -0,0 +1,33 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: ephemeral-storage-limit
+tests:
+- name: ephemeral-storage-limit
+  template: template.yaml
+  constraint: samples/container-must-have-ephemeral-storage-limit/constraint.yaml
+  cases:
+  - name: ephemeral-storage-limit-100Mi
+    object: samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage.yaml
+    assertions:
+    - violations: no
+  - name: ephemeral-storage-limit-initContainer-100Mi
+    object: samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage-initContainer.yaml
+    assertions:
+    - violations: no
+  - name: ephemeral-storage-limit-unspecified
+    object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_unspecified.yaml
+    assertions:
+    - violations: yes
+  - name: ephemeral-storage-limit-1Pi
+    object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi.yaml
+    assertions:
+    - violations: yes
+  - name: ephemeral-storage-limit-initContainer-1Pi
+    object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml
+    assertions:
+    - violations: yes
+  - name: ephemeral-storage-limit-update
+    object: samples/container-must-have-ephemeral-storage-limit/update.yaml
+    assertions:
+    - violations: no