diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..e0c4caf20
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspautomountserviceaccounttokenpod
+displayName: Automount Service Account Token for Pod
+createdAt: "2023-05-23T09:47:24Z"
+description: Controls the ability of any Pod to enable automountServiceAccountToken.
+digest: 8b62e4b2324e9e60a66008e6edcc327bcd2b531d3a905f10bf25a1671079ce6e
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/automount-serviceaccount-token
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Automount Service Account Token for Pod
+ Controls the ability of any Pod to enable automountServiceAccountToken.
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/kustomization.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/constraint.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/constraint.yaml
new file mode 100644
index 000000000..1f70295fd
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/constraint.yaml
@@ -0,0 +1,10 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPAutomountServiceAccountTokenPod
+metadata:
+ name: psp-automount-serviceaccount-token-pod
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ excludedNamespaces: ["kube-system"]
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_allowed.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_allowed.yaml
new file mode 100644
index 000000000..7ceba9c34
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_allowed.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-automountserviceaccounttoken-allowed
+ labels:
+ app: nginx-not-automountserviceaccounttoken
+spec:
+ automountServiceAccountToken: false
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_disallowed.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_disallowed.yaml
new file mode 100644
index 000000000..6184264ec
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/example_disallowed.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-automountserviceaccounttoken-disallowed
+ labels:
+ app: nginx-automountserviceaccounttoken
+spec:
+ automountServiceAccountToken: true
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/update.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/update.yaml
new file mode 100644
index 000000000..0e9030f27
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/samples/automount-serviceaccount-token/update.yaml
@@ -0,0 +1,16 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-automountserviceaccounttoken-update
+ labels:
+ app: nginx-automountserviceaccounttoken
+ spec:
+ automountServiceAccountToken: true
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/suite.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/suite.yaml
new file mode 100644
index 000000000..cf257d08f
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/suite.yaml
@@ -0,0 +1,21 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: automount-serviceaccount-token
+tests:
+ - name: automount-serviceaccount-token
+ template: template.yaml
+ constraint: samples/automount-serviceaccount-token/constraint.yaml
+ cases:
+ - name: example-allowed
+ object: samples/automount-serviceaccount-token/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: example-disallowed
+ object: samples/automount-serviceaccount-token/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/automount-serviceaccount-token/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml
new file mode 100644
index 000000000..82e69ff9c
--- /dev/null
+++ b/artifacthub/library/general/automount-serviceaccount-token/1.0.1/template.yaml
@@ -0,0 +1,66 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspautomountserviceaccounttokenpod
+ annotations:
+ metadata.gatekeeper.sh/title: "Automount Service Account Token for Pod"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Controls the ability of any Pod to enable automountServiceAccountToken.
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPAutomountServiceAccountTokenPod
+ validation:
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls the ability of any Pod to enable automountServiceAccountToken.
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8sautomountserviceaccounttoken
+
+ import data.lib.exclude_update.is_update
+
+ violation[{"msg": msg}] {
+ # spec.automountServiceAccountToken and spec.containers.volumeMounts fields are immutable.
+ not is_update(input.review)
+
+ obj := input.review.object
+ mountServiceAccountToken(obj.spec)
+ msg := sprintf("Automounting service account token is disallowed, pod: %v", [obj.metadata.name])
+ }
+
+ mountServiceAccountToken(spec) {
+ spec.automountServiceAccountToken == true
+ }
+
+ # if there is no automountServiceAccountToken spec, check on volumeMount in containers. Service Account token is mounted on /var/run/secrets/kubernetes.io/serviceaccount
+ # https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller
+ mountServiceAccountToken(spec) {
+ not has_key(spec, "automountServiceAccountToken")
+ "/var/run/secrets/kubernetes.io/serviceaccount" == input_containers[_].volumeMounts[_].mountPath
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ }
+
+ # Ephemeral containers not checked as it is not possible to set field.
+
+ has_key(x, k) {
+ _ = x[k]
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
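Review bot: The violation message `msg := sprintf("Automounting service account token is disallowed, pod: %v", [obj.metadata.name])` makes the rule depend on `obj.metadata.name` being defined; if an object reaches the policy without that field (for example a Pod submitted with only `generateName`, or a fixture that omits it), the reference is undefined, the whole rule body fails and no violation is produced, so the policy fails open on exactly the object it should reject. A defaulted lookup such as `[object.get(obj.metadata, "name", "")]` (the same builtin the ephemeralstoragelimit lib already uses) keeps the check from hinging on a cosmetic field. The same pattern appears in the requiredprobes template, where `get_violation_message` reads `review.object.metadata.name` unguarded. The comment above the second `mountServiceAccountToken` rule could also state plainly that the volumeMount fallback relies on the ServiceAccount admission plugin having already injected the token mount at that path before this validation runs, and that the rule does not look at the ServiceAccount's own `automountServiceAccountToken` setting.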
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..d9b57afb0
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,25 @@
+version: 1.0.1
+name: k8scontainerephemeralstoragelimit
+displayName: Container ephemeral storage limit
+createdAt: "2023-05-23T09:47:27Z"
+description: |-
+ Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values.
+ https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+digest: 84077f1dbcdcab9a7c20710e82299995e44294fccdb1a5b9de63fb5a5032a6d8
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/ephemeralstoragelimit
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Container ephemeral storage limit
+ Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values.
+ https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/kustomization.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/constraint.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/constraint.yaml
new file mode 100644
index 000000000..4575bdf60
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/constraint.yaml
@@ -0,0 +1,11 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sContainerEphemeralStorageLimit
+metadata:
+ name: container-ephemeral-storage-limit
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ ephemeral-storage: "500Mi"
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage-initContainer.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage-initContainer.yaml
new file mode 100644
index 000000000..fe1b7bac0
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage-initContainer.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: opa-allowed
+ labels:
+ owner: me.agilebank.demo
+spec:
+ initContainers:
+ - name: init-opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "1Gi"
+ ephemeral-storage: "100Mi"
+
+
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "1Gi"
+ ephemeral-storage: "100Mi"
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage.yaml
new file mode 100644
index 000000000..3c1f5ce9e
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: opa-allowed
+ labels:
+ owner: me.agilebank.demo
+spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "1Gi"
+
+ ephemeral-storage: "100Mi"
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml
new file mode 100644
index 000000000..05d512d3c
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: opa-disallowed
+ labels:
+ owner: me.agilebank.demo
+spec:
+ initContainers:
+ - name: init-opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "1Gi"
+ ephemeral-storage: "1Pi"
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "1Gi"
+ ephemeral-storage: "100Mi"
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi.yaml
new file mode 100644
index 000000000..7dae0395b
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: opa-disallowed
+ labels:
+ owner: me.agilebank.demo
+spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "1Gi"
+
+ ephemeral-storage: "1Pi"
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_unspecified.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_unspecified.yaml
new file mode 100644
index 000000000..6e81b1118
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_unspecified.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: opa-disallowed
+ labels:
+ owner: me.agilebank.demo
+spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "2Gi"
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/update.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/update.yaml
new file mode 100644
index 000000000..c0ff27893
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/samples/container-must-have-ephemeral-storage-limit/update.yaml
@@ -0,0 +1,24 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: opa-allowed
+ labels:
+ owner: me.agilebank.demo
+ spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "1Gi"
+ ephemeral-storage: "1Pi"
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/suite.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/suite.yaml
new file mode 100644
index 000000000..a6b99410d
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/suite.yaml
@@ -0,0 +1,33 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: ephemeral-storage-limit
+tests:
+- name: ephemeral-storage-limit
+ template: template.yaml
+ constraint: samples/container-must-have-ephemeral-storage-limit/constraint.yaml
+ cases:
+ - name: ephemeral-storage-limit-100Mi
+ object: samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage.yaml
+ assertions:
+ - violations: no
+ - name: ephemeral-storage-limit-initContainer-100Mi
+ object: samples/container-must-have-ephemeral-storage-limit/example_allowed_ephemeral-storage-initContainer.yaml
+ assertions:
+ - violations: no
+ - name: ephemeral-storage-limit-unspecified
+ object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_unspecified.yaml
+ assertions:
+ - violations: yes
+ - name: ephemeral-storage-limit-1Pi
+ object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi.yaml
+ assertions:
+ - violations: yes
+ - name: ephemeral-storage-limit-initContainer-1Pi
+ object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml
+ assertions:
+ - violations: yes
+ - name: ephemeral-storage-limit-update
+ object: samples/container-must-have-ephemeral-storage-limit/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml
new file mode 100644
index 000000000..2f7bf1b2b
--- /dev/null
+++ b/artifacthub/library/general/ephemeralstoragelimit/1.0.1/template.yaml
@@ -0,0 +1,232 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8scontainerephemeralstoragelimit
+ annotations:
+ metadata.gatekeeper.sh/title: "Container ephemeral storage limit"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Requires containers to have an ephemeral storage limit set and constrains
+ the limit to be within the specified maximum values.
+
+ https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sContainerEphemeralStorageLimit
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ ephemeral-storage:
+ description: "The maximum allowed ephemeral storage limit on a Pod, exclusive."
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8scontainerephemeralstoragelimit
+
+ import data.lib.exclude_update.is_update
+ import data.lib.exempt_container.is_exempt
+
+ missing(obj, field) = true {
+ not obj[field]
+ }
+
+ missing(obj, field) = true {
+ obj[field] == ""
+ }
+
+ has_field(object, field) = true {
+ object[field]
+ }
+
+ # 10 ** 21
+ storage_multiple("E") = 1000000000000000000000 { true }
+
+ # 10 ** 18
+ storage_multiple("P") = 1000000000000000000 { true }
+
+ # 10 ** 15
+ storage_multiple("T") = 1000000000000000 { true }
+
+ # 10 ** 12
+ storage_multiple("G") = 1000000000000 { true }
+
+ # 10 ** 9
+ storage_multiple("M") = 1000000000 { true }
+
+ # 10 ** 6
+ storage_multiple("k") = 1000000 { true }
+
+ # 10 ** 3
+ storage_multiple("") = 1000 { true }
+
+ # Kubernetes accepts millibyte precision when it probably shouldn't.
+ # https://github.com/kubernetes/kubernetes/issues/28741
+ # 10 ** 0
+ storage_multiple("m") = 1 { true }
+
+ # 1000 * 2 ** 10
+ storage_multiple("Ki") = 1024000 { true }
+
+ # 1000 * 2 ** 20
+ storage_multiple("Mi") = 1048576000 { true }
+
+ # 1000 * 2 ** 30
+ storage_multiple("Gi") = 1073741824000 { true }
+
+ # 1000 * 2 ** 40
+ storage_multiple("Ti") = 1099511627776000 { true }
+
+ # 1000 * 2 ** 50
+ storage_multiple("Pi") = 1125899906842624000 { true }
+
+ # 1000 * 2 ** 60
+ storage_multiple("Ei") = 1152921504606846976000 { true }
+
+ get_suffix(storage) = suffix {
+ not is_string(storage)
+ suffix := ""
+ }
+
+ get_suffix(storage) = suffix {
+ is_string(storage)
+ count(storage) > 0
+ suffix := substring(storage, count(storage) - 1, -1)
+ storage_multiple(suffix)
+ }
+
+ get_suffix(storage) = suffix {
+ is_string(storage)
+ count(storage) > 1
+ suffix := substring(storage, count(storage) - 2, -1)
+ storage_multiple(suffix)
+ }
+
+ get_suffix(storage) = suffix {
+ is_string(storage)
+ count(storage) > 1
+ not storage_multiple(substring(storage, count(storage) - 1, -1))
+ not storage_multiple(substring(storage, count(storage) - 2, -1))
+ suffix := ""
+ }
+
+ get_suffix(storage) = suffix {
+ is_string(storage)
+ count(storage) == 1
+ not storage_multiple(substring(storage, count(storage) - 1, -1))
+ suffix := ""
+ }
+
+ get_suffix(storage) = suffix {
+ is_string(storage)
+ count(storage) == 0
+ suffix := ""
+ }
+
+ canonify_storage(orig) = new {
+ is_number(orig)
+ new := orig * 1000
+ }
+
+ canonify_storage(orig) = new {
+ not is_number(orig)
+ suffix := get_suffix(orig)
+ raw := replace(orig, suffix, "")
+ re_match("^[0-9]+(\\.[0-9]+)?$", raw)
+ new := to_number(raw) * storage_multiple(suffix)
+ }
+
+ violation[{"msg": msg}] {
+ # spec.containers.resources.limits["ephemeral-storage"] field is immutable.
+ not is_update(input.review)
+
+ general_violation[{"msg": msg, "field": "containers"}]
+ }
+
+ violation[{"msg": msg}] {
+ not is_update(input.review)
+ general_violation[{"msg": msg, "field": "initContainers"}]
+ }
+
+ # Ephemeral containers not checked as it is not possible to set field.
+
+ general_violation[{"msg": msg, "field": field}] {
+ container := input.review.object.spec[field][_]
+ not is_exempt(container)
+ storage_orig := container.resources.limits["ephemeral-storage"]
+ not canonify_storage(storage_orig)
+ msg := sprintf("container <%v> ephemeral-storage limit <%v> could not be parsed", [container.name, storage_orig])
+ }
+
+ general_violation[{"msg": msg, "field": field}] {
+ container := input.review.object.spec[field][_]
+ not is_exempt(container)
+ not container.resources
+ msg := sprintf("container <%v> has no resource limits", [container.name])
+ }
+
+ general_violation[{"msg": msg, "field": field}] {
+ container := input.review.object.spec[field][_]
+ not is_exempt(container)
+ not container.resources.limits
+ msg := sprintf("container <%v> has no resource limits", [container.name])
+ }
+
+ general_violation[{"msg": msg, "field": field}] {
+ container := input.review.object.spec[field][_]
+ not is_exempt(container)
+ missing(container.resources.limits, "ephemeral-storage")
+ msg := sprintf("container <%v> has no ephemeral-storage limit", [container.name])
+ }
+
+ general_violation[{"msg": msg, "field": field}] {
+ container := input.review.object.spec[field][_]
+ not is_exempt(container)
+ storage_orig := container.resources.limits["ephemeral-storage"]
+ storage := canonify_storage(storage_orig)
+ max_storage_orig := input.parameters["ephemeral-storage"]
+ max_storage := canonify_storage(max_storage_orig)
+ storage > max_storage
+ msg := sprintf("container <%v> ephemeral-storage limit <%v> is higher than the maximum allowed of <%v>", [container.name, storage_orig, max_storage_orig])
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
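Review bot: The maximum check in the last `general_violation` rule reads `input.parameters["ephemeral-storage"]` with no default, so a constraint that omits the parameter (the schema declares nothing as required) leaves that rule undefined and only the presence checks fire; the cap promised in the template description is then silently not enforced. Adding `required: ["ephemeral-storage"]` under `openAPIV3Schema` should make Gatekeeper reject such a constraint instead of accepting it. Separately, `_matches_exemption` turns a bare `*` entry in `exemptImages` into `startswith(img, "")`, which exempts every container, so the `exemptImages` description deserves a sentence like `A bare "*" exempts all containers.`. Finally, `re_match` is the deprecated spelling of the regex builtin; `regex.match("^[0-9]+(\\.[0-9]+)?$", raw)` has the same semantics and is what current OPA strict mode expects.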
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/artifacthub-pkg.yml b/artifacthub/library/general/requiredprobes/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..e176a3b0d
--- /dev/null
+++ b/artifacthub/library/general/requiredprobes/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8srequiredprobes
+displayName: Required Probes
+createdAt: "2023-05-23T09:47:30Z"
+description: Requires Pods to have readiness and/or liveness probes.
+digest: 217bec367754aadcce3929828825aca968030e4219045d659553a9cc0173d18d
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/requiredprobes
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Required Probes
+ Requires Pods to have readiness and/or liveness probes.
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/requiredprobes/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/kustomization.yaml b/artifacthub/library/general/requiredprobes/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/general/requiredprobes/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/constraint.yaml b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/constraint.yaml
new file mode 100644
index 000000000..84fde016a
--- /dev/null
+++ b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/constraint.yaml
@@ -0,0 +1,12 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredProbes
+metadata:
+ name: must-have-probes
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ probes: ["readinessProbe", "livenessProbe"]
+ probeTypes: ["tcpSocket", "httpGet", "exec"]
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_allowed.yaml b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_allowed.yaml
new file mode 100644
index 000000000..4248b67dd
--- /dev/null
+++ b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_allowed.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pod1
+spec:
+ containers:
+ - name: tomcat
+ image: tomcat
+ ports:
+ - containerPort: 8080
+ livenessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_disallowed.yaml b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_disallowed.yaml
new file mode 100644
index 000000000..6db251904
--- /dev/null
+++ b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_disallowed.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pod1
+spec:
+ containers:
+ - name: nginx-1
+ image: nginx:1.7.9
+ ports:
+ - containerPort: 80
+ livenessProbe:
+ # tcpSocket:
+ # port: 80
+ # initialDelaySeconds: 5
+ # periodSeconds: 10
+ volumeMounts:
+ - mountPath: /tmp/cache
+ name: cache-volume
+ - name: tomcat
+ image: tomcat
+ ports:
+ - containerPort: 8080
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_disallowed2.yaml b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_disallowed2.yaml
new file mode 100644
index 000000000..6e0536487
--- /dev/null
+++ b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/example_disallowed2.yaml
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pod2
+spec:
+ containers:
+ - name: nginx-1
+ image: nginx:1.7.9
+ ports:
+ - containerPort: 80
+ readinessProbe:
+ # httpGet:
+ # path: /
+ # port: 80
+ # initialDelaySeconds: 5
+ # periodSeconds: 10
+ livenessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ volumeMounts:
+ - mountPath: /tmp/cache
+ name: cache-volume
+ - name: tomcat
+ image: tomcat
+ ports:
+ - containerPort: 8080
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ # livenessProbe:
+ # tcpSocket:
+ # port: 8080
+ # initialDelaySeconds: 5
+ # periodSeconds: 10
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/update.yaml b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/update.yaml
new file mode 100644
index 000000000..ff5e91103
--- /dev/null
+++ b/artifacthub/library/general/requiredprobes/1.0.1/samples/must-have-probes/update.yaml
@@ -0,0 +1,35 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: test-pod1
+ spec:
+ containers:
+ - name: nginx-1
+ image: nginx:1.7.9
+ ports:
+ - containerPort: 80
+ livenessProbe:
+ # tcpSocket:
+ # port: 80
+ # initialDelaySeconds: 5
+ # periodSeconds: 10
+ volumeMounts:
+ - mountPath: /tmp/cache
+ name: cache-volume
+ - name: tomcat
+ image: tomcat
+ ports:
+ - containerPort: 8080
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/suite.yaml b/artifacthub/library/general/requiredprobes/1.0.1/suite.yaml
new file mode 100644
index 000000000..86c2a229e
--- /dev/null
+++ b/artifacthub/library/general/requiredprobes/1.0.1/suite.yaml
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: requiredprobes
+tests:
+- name: required-probes
+ template: template.yaml
+ constraint: samples/must-have-probes/constraint.yaml
+ cases:
+ - name: example-allowed
+ object: samples/must-have-probes/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: example-disallowed
+ object: samples/must-have-probes/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-disallowed2
+ object: samples/must-have-probes/example_disallowed2.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/must-have-probes/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/general/requiredprobes/1.0.1/template.yaml b/artifacthub/library/general/requiredprobes/1.0.1/template.yaml
new file mode 100644
index 000000000..4115a6d98
--- /dev/null
+++ b/artifacthub/library/general/requiredprobes/1.0.1/template.yaml
@@ -0,0 +1,72 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8srequiredprobes
+ annotations:
+ metadata.gatekeeper.sh/title: "Required Probes"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: Requires Pods to have readiness and/or liveness probes.
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sRequiredProbes
+ validation:
+ openAPIV3Schema:
+ type: object
+ properties:
+ probes:
+ description: "A list of probes that are required (ex: `readinessProbe`)"
+ type: array
+ items:
+ type: string
+ probeTypes:
+ description: "The probe must define a field listed in `probeType` in order to satisfy the constraint (ex. `tcpSocket` satisfies `['tcpSocket', 'exec']`)"
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8srequiredprobes
+
+ import data.lib.exclude_update.is_update
+
+ probe_type_set = probe_types {
+ probe_types := {type | type := input.parameters.probeTypes[_]}
+ }
+
+ violation[{"msg": msg}] {
+ # Probe fields are immutable.
+ not is_update(input.review)
+
+ container := input.review.object.spec.containers[_]
+ probe := input.parameters.probes[_]
+ probe_is_missing(container, probe)
+ msg := get_violation_message(container, input.review, probe)
+ }
+
+ probe_is_missing(ctr, probe) = true {
+ not ctr[probe]
+ }
+
+ probe_is_missing(ctr, probe) = true {
+ probe_field_empty(ctr, probe)
+ }
+
+ probe_field_empty(ctr, probe) = true {
+ probe_fields := {field | ctr[probe][field]}
+ diff_fields := probe_type_set - probe_fields
+ count(diff_fields) == count(probe_type_set)
+ }
+
+ get_violation_message(container, review, probe) = msg {
+ msg := sprintf("Container <%v> in your <%v> <%v> has no <%v>", [container.name, review.kind.kind, review.object.metadata.name, probe])
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
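Review bot: Omitting `probes` from the constraint's `parameters` silently disables this template — `input.parameters.probes[_]` at L1010 is undefined, so `violation` never fires — while omitting `probeTypes` inverts it: `probe_type_set` becomes the empty set, the comparison at L1026 is `0 == 0` for every container, and any container that does have the probe is reported as missing it (if I read Rego's comprehension-over-undefined semantics right). Both parameters are effectively mandatory, so declare them, e.g. `required: ["probes", "probeTypes"]` under `openAPIV3Schema` (confirm the installed Gatekeeper enforces it), or at minimum guard `probe_field_empty` with `count(probe_type_set) > 0` so a missing `probeTypes` cannot flag compliant pods. Separately, the `probeTypes` description at L990 refers to `probeType` (singular); it should name the actual parameter.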
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..c9378d2b9
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspallowprivilegeescalationcontainer
+displayName: Allow Privilege Escalation in Container
+createdAt: "2023-05-23T09:47:31Z"
+description: Controls restricting escalation to root privileges. Corresponds to the `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
+digest: a3c63022c554318dcc9589828a7b135c80740772375b071dfc0625fdaea91f66
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/allow-privilege-escalation
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Allow Privilege Escalation in Container
+ Controls restricting escalation to root privileges. Corresponds to the `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/constraint.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/constraint.yaml
new file mode 100644
index 000000000..fdc05a1c0
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/constraint.yaml
@@ -0,0 +1,9 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPAllowPrivilegeEscalationContainer
+metadata:
+ name: psp-allow-privilege-escalation-container
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..5992f96b3
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privilege-escalation-disallowed
+ labels:
+ app: nginx-privilege-escalation
+spec:
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ allowPrivilegeEscalation: true
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/example_allowed.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/example_allowed.yaml
new file mode 100644
index 000000000..26c8dd879
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/example_allowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privilege-escalation-allowed
+ labels:
+ app: nginx-privilege-escalation
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ allowPrivilegeEscalation: false
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/example_disallowed.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/example_disallowed.yaml
new file mode 100644
index 000000000..d3648d2f2
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/example_disallowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privilege-escalation-disallowed
+ labels:
+ app: nginx-privilege-escalation
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ allowPrivilegeEscalation: true
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/update.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/update.yaml
new file mode 100644
index 000000000..a79d40a1b
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/samples/psp-allow-privilege-escalation-container/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-privilege-escalation-disallowed
+ labels:
+ app: nginx-privilege-escalation
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ allowPrivilegeEscalation: true
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/suite.yaml
new file mode 100644
index 000000000..cd7531cfa
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/suite.yaml
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: allow-privilege-escalation
+tests:
+ - name: allow-privilege-escalation
+ template: template.yaml
+ constraint: samples/psp-allow-privilege-escalation-container/constraint.yaml
+ cases:
+ - name: example-allowed
+ object: samples/psp-allow-privilege-escalation-container/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: example-disallowed
+ object: samples/psp-allow-privilege-escalation-container/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: disallowed-ephemeral
+ object: samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-allow-privilege-escalation-container/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml
new file mode 100644
index 000000000..a7f4694a2
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/allow-privilege-escalation/1.0.1/template.yaml
@@ -0,0 +1,100 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspallowprivilegeescalationcontainer
+ annotations:
+ metadata.gatekeeper.sh/title: "Allow Privilege Escalation in Container"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Controls restricting escalation to root privileges. Corresponds to the
+ `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPAllowPrivilegeEscalationContainer
+ validation:
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls restricting escalation to root privileges. Corresponds to the
+ `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spspallowprivilegeescalationcontainer
+
+ import data.lib.exclude_update.is_update
+ import data.lib.exempt_container.is_exempt
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.containers.securityContext.allowPrivilegeEscalation field is immutable.
+ not is_update(input.review)
+
+ c := input_containers[_]
+ not is_exempt(c)
+ input_allow_privilege_escalation(c)
+ msg := sprintf("Privilege escalation container is not allowed: %v", [c.name])
+ }
+
+ input_allow_privilege_escalation(c) {
+ not has_field(c, "securityContext")
+ }
+ input_allow_privilege_escalation(c) {
+ not c.securityContext.allowPrivilegeEscalation == false
+ }
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ }
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ }
+ input_containers[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ }
+ # has_field returns whether an object has a field
+ has_field(object, field) = true {
+ object[field]
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
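Review bot: The `ephemeralContainers` branch of `input_containers` (L1270–L1272) looks unreachable in real admission because of the `not is_update(input.review)` guard at L1250: the API server rejects `ephemeralContainers` on pod creation, and they are only ever added through an UPDATE on the `pods/ephemeralcontainers` subresource (`kubectl debug`), which is exactly what the guard skips. The `disallowed_ephemeral` fixture passes only because gator submits it as a non-UPDATE object, so the suite does not show that a debug container with `allowPrivilegeEscalation: true` is blocked. If that reading is right, `is_update` in the `lib.exclude_update` lib should let that subresource through, e.g. keep `review.operation == "UPDATE"` and add `not review.subResource == "ephemeralcontainers"` (confirm the field name Gatekeeper exposes on `input.review`, and that the webhook is configured to intercept the subresource at all). Separately, the first `input_allow_privilege_escalation` rule (L1258–L1260) is redundant: when `securityContext` is absent, `c.securityContext.allowPrivilegeEscalation == false` is undefined and the second rule already matches.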
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..0ffac5139
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspcapabilities
+displayName: Capabilities
+createdAt: "2023-05-23T09:47:31Z"
+description: Controls Linux capabilities on containers. Corresponds to the `allowedCapabilities` and `requiredDropCapabilities` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
+digest: 140a62f0c286b67c659beb12c38186e4071495f00d1deca606a9df54c3735c44
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/capabilities
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Capabilities
+ Controls Linux capabilities on containers. Corresponds to the `allowedCapabilities` and `requiredDropCapabilities` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/constraint.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/constraint.yaml
new file mode 100644
index 000000000..3f856082f
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/constraint.yaml
@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPCapabilities
+metadata:
+ name: capabilities-demo
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ namespaces:
+ - "default"
+ parameters:
+ allowedCapabilities: ["something"]
+ requiredDropCapabilities: ["must_drop"]
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..5467c826e
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/disallowed_ephemeral.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: opa-disallowed
+ labels:
+ owner: me.agilebank.demo
+spec:
+ ephemeralContainers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ securityContext:
+ capabilities:
+ add: ["disallowedcapability"]
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "30Mi"
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/example_allowed.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/example_allowed.yaml
new file mode 100644
index 000000000..41bf6a0ed
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/example_allowed.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: opa-allowed
+ labels:
+ owner: me.agilebank.demo
+spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ securityContext:
+ capabilities:
+ add: ["something"]
+ drop: ["must_drop", "another_one"]
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "30Mi"
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/example_disallowed.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/example_disallowed.yaml
new file mode 100644
index 000000000..fdd886189
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/example_disallowed.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: opa-disallowed
+ labels:
+ owner: me.agilebank.demo
+spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ securityContext:
+ capabilities:
+ add: ["disallowedcapability"]
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "30Mi"
\ No newline at end of file
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/update.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/update.yaml
new file mode 100644
index 000000000..df8ea0070
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/samples/capabilities-demo/update.yaml
@@ -0,0 +1,26 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: opa-disallowed
+ labels:
+ owner: me.agilebank.demo
+ spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ securityContext:
+ capabilities:
+ add: ["disallowedcapability"]
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "30Mi"
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/suite.yaml
new file mode 100644
index 000000000..48c2fcb46
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/suite.yaml
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: capabilities
+tests:
+ - name: capabilities
+ template: template.yaml
+ constraint: samples/capabilities-demo/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/capabilities-demo/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/capabilities-demo/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/capabilities-demo/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/capabilities-demo/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml
new file mode 100644
index 000000000..0df32e927
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/capabilities/1.0.1/template.yaml
@@ -0,0 +1,163 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspcapabilities
+ annotations:
+ metadata.gatekeeper.sh/title: "Capabilities"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Controls Linux capabilities on containers. Corresponds to the
+ `allowedCapabilities` and `requiredDropCapabilities` fields in a
+ PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPCapabilities
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls Linux capabilities on containers. Corresponds to the
+ `allowedCapabilities` and `requiredDropCapabilities` fields in a
+ PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ allowedCapabilities:
+ type: array
+ description: "A list of Linux capabilities that can be added to a container."
+ items:
+ type: string
+ requiredDropCapabilities:
+ type: array
+ description: "A list of Linux capabilities that are required to be dropped from a container."
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package capabilities
+
+ import data.lib.exclude_update.is_update
+ import data.lib.exempt_container.is_exempt
+
+ violation[{"msg": msg}] {
+ # spec.containers.securityContext.capabilities field is immutable.
+ not is_update(input.review)
+
+ container := input.review.object.spec.containers[_]
+ not is_exempt(container)
+ has_disallowed_capabilities(container)
+ msg := sprintf("container <%v> has a disallowed capability. Allowed capabilities are %v", [container.name, get_default(input.parameters, "allowedCapabilities", "NONE")])
+ }
+
+ violation[{"msg": msg}] {
+ not is_update(input.review)
+ container := input.review.object.spec.containers[_]
+ not is_exempt(container)
+ missing_drop_capabilities(container)
+ msg := sprintf("container <%v> is not dropping all required capabilities. Container must drop all of %v or \"ALL\"", [container.name, input.parameters.requiredDropCapabilities])
+ }
+
+
+
+ violation[{"msg": msg}] {
+ not is_update(input.review)
+ container := input.review.object.spec.initContainers[_]
+ not is_exempt(container)
+ has_disallowed_capabilities(container)
+ msg := sprintf("init container <%v> has a disallowed capability. Allowed capabilities are %v", [container.name, get_default(input.parameters, "allowedCapabilities", "NONE")])
+ }
+
+ violation[{"msg": msg}] {
+ not is_update(input.review)
+ container := input.review.object.spec.initContainers[_]
+ not is_exempt(container)
+ missing_drop_capabilities(container)
+ msg := sprintf("init container <%v> is not dropping all required capabilities. Container must drop all of %v or \"ALL\"", [container.name, input.parameters.requiredDropCapabilities])
+ }
+
+
+
+ violation[{"msg": msg}] {
+ not is_update(input.review)
+ container := input.review.object.spec.ephemeralContainers[_]
+ not is_exempt(container)
+ has_disallowed_capabilities(container)
+ msg := sprintf("ephemeral container <%v> has a disallowed capability. Allowed capabilities are %v", [container.name, get_default(input.parameters, "allowedCapabilities", "NONE")])
+ }
+
+ violation[{"msg": msg}] {
+ not is_update(input.review)
+ container := input.review.object.spec.ephemeralContainers[_]
+ not is_exempt(container)
+ missing_drop_capabilities(container)
+ msg := sprintf("ephemeral container <%v> is not dropping all required capabilities. Container must drop all of %v or \"ALL\"", [container.name, input.parameters.requiredDropCapabilities])
+ }
+
+
+ has_disallowed_capabilities(container) {
+ allowed := {c | c := lower(input.parameters.allowedCapabilities[_])}
+ not allowed["*"]
+ capabilities := {c | c := lower(container.securityContext.capabilities.add[_])}
+
+ count(capabilities - allowed) > 0
+ }
+
+ missing_drop_capabilities(container) {
+ must_drop := {c | c := lower(input.parameters.requiredDropCapabilities[_])}
+ all := {"all"}
+ dropped := {c | c := lower(container.securityContext.capabilities.drop[_])}
+
+ count(must_drop - dropped) > 0
+ count(all - dropped) > 0
+ }
+
+ get_default(obj, param, _default) = out {
+ out = obj[param]
+ }
+
+ get_default(obj, param, _default) = out {
+ not obj[param]
+ not obj[param] == false
+ out = _default
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
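Review bot: The two ephemeral-container rules (L1605–L1619) carry the same `not is_update(input.review)` guard as the others, but ephemeral containers cannot be set on pod creation and are added only through an UPDATE on the `pods/ephemeralcontainers` subresource, so in real admission those rules never evaluate; the `disallowed-ephemeral` case passes only because gator submits the fixture as a non-UPDATE object. If that is right, `is_update` in the `lib.exclude_update` lib should exempt that subresource, e.g. add `not review.subResource == "ephemeralcontainers"` after the operation check (confirm the field name on `input.review` and that the webhook intercepts the subresource). Two smaller points: the `allowedCapabilities` description at L1551 should state that a `*` entry disables the check entirely (`not allowed["*"]` at L1624), since an operator reading the schema alone would not expect a wildcard; and the six near-identical violation rules could be collapsed into one rule over an `input_containers` set as the sibling allow-privilege-escalation template does, so a future fix lands in one place.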
diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..733b22e88
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspflexvolumes
+displayName: FlexVolumes
+createdAt: "2023-05-23T09:47:31Z"
+description: Controls the allowlist of FlexVolume drivers. Corresponds to the `allowedFlexVolumes` field in PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers
+digest: 72545f834896499ee61b0918b4735e25bc851df1b16a8adcf35b0ca250ca79de
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/flexvolume-drivers
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # FlexVolumes
+ Controls the allowlist of FlexVolume drivers. Corresponds to the `allowedFlexVolumes` field in PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/constraint.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/constraint.yaml
new file mode 100644
index 000000000..8fc65f2de
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/constraint.yaml
@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPFlexVolumes
+metadata:
+ name: psp-flexvolume-drivers
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ allowedFlexVolumes: #[]
+ - driver: "example/lvm"
+ - driver: "example/cifs"
diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/example_allowed.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/example_allowed.yaml
new file mode 100644
index 000000000..22b2e949c
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/example_allowed.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-flexvolume-driver-allowed
+ labels:
+ app: nginx-flexvolume-driver
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /test
+ name: test-volume
+ readOnly: true
+ volumes:
+ - name: test-volume
+ flexVolume:
+ driver: "example/lvm"
diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/example_disallowed.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/example_disallowed.yaml
new file mode 100644
index 000000000..9a8f27d67
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/example_disallowed.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-flexvolume-driver-disallowed
+ labels:
+ app: nginx-flexvolume-driver
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /test
+ name: test-volume
+ readOnly: true
+ volumes:
+ - name: test-volume
+ flexVolume:
+ driver: "example/testdriver" #"example/lvm"
diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/update.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/update.yaml
new file mode 100644
index 000000000..9358c6c5c
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/samples/psp-flexvolume-drivers/update.yaml
@@ -0,0 +1,23 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-flexvolume-driver-disallowed
+ labels:
+ app: nginx-flexvolume-driver
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /test
+ name: test-volume
+ readOnly: true
+ volumes:
+ - name: test-volume
+ flexVolume:
+ driver: "example/testdriver" #"example/lvm"
diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/suite.yaml
new file mode 100644
index 000000000..fe69966bd
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/suite.yaml
@@ -0,0 +1,21 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: flexvolume-drivers
+tests:
+ - name: flexvolume-drivers
+ template: template.yaml
+ constraint: samples/psp-flexvolume-drivers/constraint.yaml
+ cases:
+ - name: example-allowed
+ object: samples/psp-flexvolume-drivers/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: example-disallowed
+ object: samples/psp-flexvolume-drivers/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-flexvolume-drivers/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml
new file mode 100644
index 000000000..c059681c9
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/flexvolume-drivers/1.0.1/template.yaml
@@ -0,0 +1,72 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspflexvolumes
+ annotations:
+ metadata.gatekeeper.sh/title: "FlexVolumes"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Controls the allowlist of FlexVolume drivers. Corresponds to the
+ `allowedFlexVolumes` field in PodSecurityPolicy. For more information,
+ see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPFlexVolumes
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls the allowlist of FlexVolume drivers. Corresponds to the
+ `allowedFlexVolumes` field in PodSecurityPolicy. For more information,
+ see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers
+ properties:
+ allowedFlexVolumes:
+ type: array
+ description: "An array of AllowedFlexVolume objects."
+ items:
+ type: object
+ properties:
+ driver:
+ description: "The name of the FlexVolume driver."
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spspflexvolumes
+
+ import data.lib.exclude_update.is_update
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.volumes field is immutable.
+ not is_update(input.review)
+
+ volume := input_flexvolumes[_]
+ not input_flexvolumes_allowed(volume)
+ msg := sprintf("FlexVolume %v is not allowed, pod: %v. Allowed drivers: %v", [volume, input.review.object.metadata.name, input.parameters.allowedFlexVolumes])
+ }
+
+ input_flexvolumes_allowed(volume) {
+ input.parameters.allowedFlexVolumes[_].driver == volume.flexVolume.driver
+ }
+
+ input_flexvolumes[v] {
+ v := input.review.object.spec.volumes[_]
+ has_field(v, "flexVolume")
+ }
+
+ # has_field returns whether an object has a field
+ has_field(object, field) = true {
+ object[field]
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
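Review bot: The `violation` rule at the top of the rego block treats an omitted `allowedFlexVolumes` parameter differently from an explicit empty list: when the parameter is absent, `input_flexvolumes_allowed` is undefined, but so is `input.parameters.allowedFlexVolumes` inside the `sprintf` array, which leaves `msg` undefined and suppresses the violation, so every FlexVolume driver is admitted; with `allowedFlexVolumes: []` the message is defined and every driver is rejected. The schema does not mark the parameter `required`, so a constraint with no `parameters` silently allows all drivers as a side effect of message formatting rather than by a stated decision. Whichever behaviour is intended should be made explicit; the rewrite below resolves the allow-list once with `object.get` so that an omitted parameter fails closed like `[]` (this assumes Gatekeeper supplies `input.parameters` as an object when `spec.parameters` is absent — worth confirming), and the template description should then say that an empty or omitted list blocks all FlexVolumes.

```rego
violation[{"msg": msg, "details": {}}] {
    # spec.volumes field is immutable.
    not is_update(input.review)

    # Resolve the allow-list once; an omitted parameter is treated like an empty list (deny all).
    allowed := object.get(input.parameters, "allowedFlexVolumes", [])
    volume := input_flexvolumes[_]
    not input_flexvolumes_allowed(allowed, volume)
    msg := sprintf("FlexVolume %v is not allowed, pod: %v. Allowed drivers: %v", [volume, input.review.object.metadata.name, allowed])
}

input_flexvolumes_allowed(allowed, volume) {
    allowed[_].driver == volume.flexVolume.driver
}

# … unchanged: input_flexvolumes, has_field …
```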
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/README.md b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/README.md
new file mode 100644
index 000000000..d8a40937d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/README.md
@@ -0,0 +1,36 @@
+# Forbidden Sysctls security context policy
+
+The forbidden sysctls constraint allows one to limit the set of kernel parameters that can be modified by pods. This is accomplished by specifying a combination of allowed and forbidden sysctls using either of two parameters: `allowedSysctls` and `forbiddenSysctls`.
+
+## Parameters
+
+`allowedSysctls`: A list of explicitly allowed sysctls. Any sysctl not in this list will be considered forbidden. '*' and trailing wildcards are supported. If unspecified, no limitations are made by this parameter.
+
+`forbiddenSysctls`: A list of explicitly denied sysctls. Any sysctl in this list will be considered forbidden. '*' and trailing wildcards are supported. If unspecified, no limitations are made by this parameter.
+
+## Examples
+
+```yaml
+parameters:
+ allowedSysctls: ['*']
+ forbiddenSysctls:
+ - kernel.msg*
+ - net.core.somaxconn
+```
+
+```yaml
+parameters:
+ allowedSysctls:
+ - kernel.shm_rmid_forced
+ - net.ipv4.ip_local_port_range
+ - net.ipv4.tcp_syncookies
+ - net.ipv4.ping_group_range
+ forbiddenSysctls: []
+```
+
+*Note*: `forbiddenSysctls` takes precedence, such that an explicitly forbidden sysctl is still forbidden even if it appears in `allowedSysctls` as well. However in practice, such overlap between the rules should be avoided.
+
+## References
+
+* [Using sysctls in a Kubernetes Cluster](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)
+* [Kubernetes API Reference - Sysctl](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#sysctl-v1-core)
\ No newline at end of file
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/artifacthub-pkg.yml
new file mode 100644
index 000000000..48ba046fb
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.1.2
+name: k8spspforbiddensysctls
+displayName: Forbidden Sysctls
+createdAt: "2023-05-23T09:47:31Z"
+description: Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+digest: b9b00a75d075d84d4b23066545063969a9dac86717eb62ee5da1861e720f5df2
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/forbidden-sysctls
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Forbidden Sysctls
+ Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/kustomization.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/constraint.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/constraint.yaml
new file mode 100644
index 000000000..39abf4b23
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/constraint.yaml
@@ -0,0 +1,15 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPForbiddenSysctls
+metadata:
+ name: psp-forbidden-sysctls
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ forbiddenSysctls:
+ # - "*" # * may be used to forbid all sysctls
+ - kernel.*
+ allowedSysctls:
+ - "*" # allows all sysctls. allowedSysctls is optional.
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/example_allowed.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/example_allowed.yaml
new file mode 100644
index 000000000..4b6cc4b66
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/example_allowed.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-forbidden-sysctls-disallowed
+ labels:
+ app: nginx-forbidden-sysctls
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ sysctls:
+ - name: net.core.somaxconn
+ value: "1024"
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/example_disallowed.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/example_disallowed.yaml
new file mode 100644
index 000000000..34ab8f344
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/example_disallowed.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-forbidden-sysctls-disallowed
+ labels:
+ app: nginx-forbidden-sysctls
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ sysctls:
+ - name: kernel.msgmax
+ value: "65536"
+ - name: net.core.somaxconn
+ value: "1024"
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/update.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/update.yaml
new file mode 100644
index 000000000..e4e732be9
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/samples/psp-forbidden-sysctls/update.yaml
@@ -0,0 +1,21 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-forbidden-sysctls-disallowed
+ labels:
+ app: nginx-forbidden-sysctls
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ sysctls:
+ - name: kernel.msgmax
+ value: "65536"
+ - name: net.core.somaxconn
+ value: "1024"
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/suite.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/suite.yaml
new file mode 100644
index 000000000..d00f85b8b
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/suite.yaml
@@ -0,0 +1,21 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: forbidden-sysctls
+tests:
+ - name: forbidden-sysctls
+ template: template.yaml
+ constraint: samples/psp-forbidden-sysctls/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-forbidden-sysctls/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-forbidden-sysctls/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: update
+ object: samples/psp-forbidden-sysctls/update.yaml
+ assertions:
+ - violations: no
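Review bot: This suite never exercises the allow-list path: the sample constraint sets `allowedSysctls: ["*"]`, so the "Block if not explicitly allowed" rule in template.yaml can never fire in any of the three cases, and a regression in `allowed_sysctl` (including its trailing-wildcard branch) would go unnoticed. Add a second `tests` entry with its own constraint file that lists a restrictive allow-list (for example only `net.core.somaxconn`) and no `forbiddenSysctls`, asserting `violations: no` for example_allowed.yaml and `violations: yes` for example_disallowed.yaml, whose `kernel.msgmax` entry is outside that list. The forbidden-list wildcard is already covered, since `kernel.msgmax` only matches the constraint via the `kernel.*` prefix.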
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml
new file mode 100644
index 000000000..3d3c1d9a0
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.1.2/template.yaml
@@ -0,0 +1,100 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspforbiddensysctls
+ annotations:
+ metadata.gatekeeper.sh/title: "Forbidden Sysctls"
+ metadata.gatekeeper.sh/version: 1.1.2
+ description: >-
+ Controls the `sysctl` profile used by containers. Corresponds to the
+ `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy.
+ When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden.
+ The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter.
+ For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPForbiddenSysctls
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls the `sysctl` profile used by containers. Corresponds to the
+ `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy.
+ When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden.
+ The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter.
+ For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+ properties:
+ allowedSysctls:
+ type: array
+ description: "An allow-list of sysctls. `*` allows all sysctls not listed in the `forbiddenSysctls` parameter."
+ items:
+ type: string
+ forbiddenSysctls:
+ type: array
+ description: "A disallow-list of sysctls. `*` forbids all sysctls."
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spspforbiddensysctls
+
+ import data.lib.exclude_update.is_update
+
+ # Block if forbidden
+ violation[{"msg": msg, "details": {}}] {
+ # spec.securityContext.sysctls field is immutable.
+ not is_update(input.review)
+
+ sysctl := input.review.object.spec.securityContext.sysctls[_].name
+ forbidden_sysctl(sysctl)
+ msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls])
+ }
+
+ # Block if not explicitly allowed
+ violation[{"msg": msg, "details": {}}] {
+ not is_update(input.review)
+ sysctl := input.review.object.spec.securityContext.sysctls[_].name
+ not allowed_sysctl(sysctl)
+ msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])
+ }
+
+ # * may be used to forbid all sysctls
+ forbidden_sysctl(sysctl) {
+ input.parameters.forbiddenSysctls[_] == "*"
+ }
+
+ forbidden_sysctl(sysctl) {
+ input.parameters.forbiddenSysctls[_] == sysctl
+ }
+
+ forbidden_sysctl(sysctl) {
+ forbidden := input.parameters.forbiddenSysctls[_]
+ endswith(forbidden, "*")
+ startswith(sysctl, trim_suffix(forbidden, "*"))
+ }
+
+ # * may be used to allow all sysctls
+ allowed_sysctl(sysctl) {
+ input.parameters.allowedSysctls[_] == "*"
+ }
+
+ allowed_sysctl(sysctl) {
+ input.parameters.allowedSysctls[_] == sysctl
+ }
+
+ allowed_sysctl(sysctl) {
+ allowed := input.parameters.allowedSysctls[_]
+ endswith(allowed, "*")
+ startswith(sysctl, trim_suffix(allowed, "*"))
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
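Review bot: The second `violation` rule ("Block if not explicitly allowed") relies on undefined propagation to implement the documented "unspecified `allowedSysctls` imposes no limitation": with the parameter omitted, `not allowed_sysctl(sysctl)` holds for every sysctl, and only the undefined `input.parameters.allowedSysctls` inside the `sprintf` array stops the rule from producing a violation. That ties the allow-list semantics to the message text — anyone who later stops interpolating the parameter into the message turns the rule into deny-all for every constraint that omits `allowedSysctls`. Make the intent explicit with a guard ahead of the check, e.g. `# An unset allowedSysctls parameter imposes no allow-list; an explicit [] forbids every sysctl` followed by `input.parameters.allowedSysctls`, so the rule is skipped deliberately when the parameter is absent and the observable behaviour is unchanged.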
diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/README.md b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/README.md
new file mode 100644
index 000000000..b70d94d45
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/README.md
@@ -0,0 +1,7 @@
+# Deprecated
+
+**This Policy is deprecated**
+
+Please use the FSGroup settings on the users policy to enforce FSGroup Settings.
+
+[Users Policy](../users)
diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..818551a97
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspfsgroup
+displayName: FS Group
+createdAt: "2023-05-23T09:47:31Z"
+description: Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+digest: 18d489cff65194e1ee7963197d4384cbd6b3141e3babfa66aff59b5062e32d35
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/fsgroup
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # FS Group
+ Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/constraint.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/constraint.yaml
new file mode 100644
index 000000000..4eb14fe3c
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/constraint.yaml
@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPFSGroup
+metadata:
+ name: psp-fsgroup
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny"
+ ranges:
+ - min: 1
+ max: 1000
diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/example_allowed.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/example_allowed.yaml
new file mode 100644
index 000000000..17d3274c3
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/example_allowed.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: fsgroup-disallowed
+spec:
+ securityContext:
+ fsGroup: 500 # directory will have group ID 500
+ volumes:
+ - name: fsgroup-demo-vol
+ emptyDir: {}
+ containers:
+ - name: fsgroup-demo
+ image: busybox
+ command: ["sh", "-c", "sleep 1h"]
+ volumeMounts:
+ - name: fsgroup-demo-vol
+ mountPath: /data/demo
diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/example_disallowed.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/example_disallowed.yaml
new file mode 100644
index 000000000..9caf7c0a3
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/example_disallowed.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: fsgroup-disallowed
+spec:
+ securityContext:
+ fsGroup: 2000 # directory will have group ID 2000
+ volumes:
+ - name: fsgroup-demo-vol
+ emptyDir: {}
+ containers:
+ - name: fsgroup-demo
+ image: busybox
+ command: [ "sh", "-c", "sleep 1h" ]
+ volumeMounts:
+ - name: fsgroup-demo-vol
+ mountPath: /data/demo
diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/update.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/update.yaml
new file mode 100644
index 000000000..c0de7258a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/samples/psp-fsgroup/update.yaml
@@ -0,0 +1,22 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: fsgroup-disallowed
+ spec:
+ securityContext:
+ fsGroup: 2000 # directory will have group ID 2000
+ volumes:
+ - name: fsgroup-demo-vol
+ emptyDir: {}
+ containers:
+ - name: fsgroup-demo
+ image: busybox
+ command: [ "sh", "-c", "sleep 1h" ]
+ volumeMounts:
+ - name: fsgroup-demo-vol
+ mountPath: /data/demo
diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/suite.yaml
new file mode 100644
index 000000000..cb102e785
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/suite.yaml
@@ -0,0 +1,21 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: fsgroup
+tests:
+ - name: fsgroup
+ template: template.yaml
+ constraint: samples/psp-fsgroup/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-fsgroup/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-fsgroup/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: update
+ object: samples/psp-fsgroup/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml
new file mode 100644
index 000000000..d3f56af81
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/fsgroup/1.0.1/template.yaml
@@ -0,0 +1,105 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspfsgroup
+ annotations:
+ metadata.gatekeeper.sh/title: "FS Group"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Controls allocating an FSGroup that owns the Pod's volumes. Corresponds
+ to the `fsGroup` field in a PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPFSGroup
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls allocating an FSGroup that owns the Pod's volumes. Corresponds
+ to the `fsGroup` field in a PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+ properties:
+ rule:
+ description: "An FSGroup rule name."
+ enum:
+ - MayRunAs
+ - MustRunAs
+ - RunAsAny
+ type: string
+ ranges:
+ type: array
+ description: "GID ranges affected by the rule."
+ items:
+ type: object
+ properties:
+ min:
+ description: "The minimum GID in the range, inclusive."
+ type: integer
+ max:
+ description: "The maximum GID in the range, inclusive."
+ type: integer
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spspfsgroup
+
+ import data.lib.exclude_update.is_update
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.securityContext.fsGroup field is immutable.
+ not is_update(input.review)
+
+ spec := input.review.object.spec
+ not input_fsGroup_allowed(spec)
+ msg := sprintf("The provided pod spec fsGroup is not allowed, pod: %v. Allowed fsGroup: %v", [input.review.object.metadata.name, input.parameters])
+ }
+
+ input_fsGroup_allowed(spec) {
+ # RunAsAny - No range is required. Allows any fsGroup ID to be specified.
+ input.parameters.rule == "RunAsAny"
+ }
+ input_fsGroup_allowed(spec) {
+ # MustRunAs - Validates pod spec fsgroup against all ranges
+ input.parameters.rule == "MustRunAs"
+ fg := spec.securityContext.fsGroup
+ count(input.parameters.ranges) > 0
+ range := input.parameters.ranges[_]
+ value_within_range(range, fg)
+ }
+ input_fsGroup_allowed(spec) {
+ # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset
+ input.parameters.rule == "MayRunAs"
+ not has_field(spec, "securityContext")
+ }
+ input_fsGroup_allowed(spec) {
+ # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset
+ input.parameters.rule == "MayRunAs"
+ not spec.securityContext.fsGroup
+ }
+ input_fsGroup_allowed(spec) {
+ # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset
+ input.parameters.rule == "MayRunAs"
+ fg := spec.securityContext.fsGroup
+ count(input.parameters.ranges) > 0
+ range := input.parameters.ranges[_]
+ value_within_range(range, fg)
+ }
+ value_within_range(range, value) {
+ range.min <= value
+ range.max >= value
+ }
+ # has_field returns whether an object has a field
+ has_field(object, field) = true {
+ object[field]
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
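Review bot: The template's `description` annotation says nothing about this policy being deprecated, although the README in the same package directs users to the Users policy for FSGroup settings; since the annotation is what the website and Artifact Hub render, the deprecation should be visible there as well, e.g. prefix both `description` fields with `DEPRECATED: use the fsGroup settings of the Users policy instead.` and mirror it in artifacthub-pkg.yml. Separately, the first `MayRunAs` rule (`not has_field(spec, "securityContext")`) is redundant: when `securityContext` is absent, `spec.securityContext.fsGroup` is undefined and the following `MayRunAs` rule (`not spec.securityContext.fsGroup`) already admits the pod, so the first rule can be removed without changing any result, which also lets `has_field` go.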
diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..d417458bf
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spsphostfilesystem
+displayName: Host Filesystem
+createdAt: "2023-05-23T09:47:31Z"
+description: Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+digest: 6ced943cc854322891d2b3021c586562c360c1e02f20bf52ca3032fb4a3da7fd
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-filesystem
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Host Filesystem
+ Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/constraint.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/constraint.yaml
new file mode 100644
index 000000000..7cbd7b824
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/constraint.yaml
@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPHostFilesystem
+metadata:
+ name: psp-host-filesystem
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ allowedHostPaths:
+ - readOnly: true
+ pathPrefix: "/foo"
diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..beece55c0
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/disallowed_ephemeral.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-filesystem
+ labels:
+ app: nginx-host-filesystem-disallowed
+spec:
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ readOnly: true
+ volumes:
+ - name: cache-volume
+ hostPath:
+ path: /tmp # directory location on host
diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/example_allowed.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/example_allowed.yaml
new file mode 100644
index 000000000..abc60d882
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/example_allowed.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-filesystem
+ labels:
+ app: nginx-host-filesystem-disallowed
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ readOnly: true
+ volumes:
+ - name: cache-volume
+ hostPath:
+ path: /foo/bar
diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/example_disallowed.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/example_disallowed.yaml
new file mode 100644
index 000000000..53107694f
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/example_disallowed.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-filesystem
+ labels:
+ app: nginx-host-filesystem-disallowed
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ readOnly: true
+ volumes:
+ - name: cache-volume
+ hostPath:
+ path: /tmp # directory location on host
diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/update.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/update.yaml
new file mode 100644
index 000000000..68b28a536
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/samples/psp-host-filesystem/update.yaml
@@ -0,0 +1,23 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-host-filesystem
+ labels:
+ app: nginx-host-filesystem-disallowed
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ readOnly: true
+ volumes:
+ - name: cache-volume
+ hostPath:
+ path: /tmp # directory location on host
diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/suite.yaml
new file mode 100644
index 000000000..5441df8cc
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/suite.yaml
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: host-filesystem
+tests:
+ - name: host-filesystem
+ template: template.yaml
+ constraint: samples/psp-host-filesystem/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-host-filesystem/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-host-filesystem/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/psp-host-filesystem/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-host-filesystem/update.yaml
+ assertions:
+ - violations: no
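Review bot: The suite never exercises the `readOnly` half of `allowedHostPaths`: the constraint requires read-only mounts under `/foo`, the allowed example mounts `/foo/bar` with `readOnly: true`, and both disallowed fixtures fail on the path prefix (`/tmp`), so a regression that stops enforcing `readOnly` would still pass every case here. Add a fixture that mounts an allowed prefix writable — a copy of example_allowed.yaml with `readOnly: false` (or the field omitted) on the `volumeMounts` entry — and a case `- name: disallowed-writable-mount` asserting `violations: yes`. The read-only requirement is taken from the schema description in template.yaml; the rego that enforces it lies outside this hunk, so the exact failure mode of an omitted `readOnly` field should be checked there too.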
diff --git a/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml
new file mode 100644
index 000000000..2ef796fd4
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-filesystem/1.0.1/template.yaml
@@ -0,0 +1,148 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spsphostfilesystem
+ annotations:
+ metadata.gatekeeper.sh/title: "Host Filesystem"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Controls usage of the host filesystem. Corresponds to the
+ `allowedHostPaths` field in a PodSecurityPolicy. For more information,
+ see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPHostFilesystem
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls usage of the host filesystem. Corresponds to the
+ `allowedHostPaths` field in a PodSecurityPolicy. For more information,
+ see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+ properties:
+ allowedHostPaths:
+ type: array
+ description: "An array of hostpath objects, representing paths and read/write configuration."
+ items:
+ type: object
+ properties:
+ pathPrefix:
+ type: string
+ description: "The path prefix that the host volume must match."
+ readOnly:
+ type: boolean
+ description: "when set to true, any container volumeMounts matching the pathPrefix must include `readOnly: true`."
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spsphostfilesystem
+
+ import data.lib.exclude_update.is_update
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.volumes field is immutable.
+ not is_update(input.review)
+
+ volume := input_hostpath_volumes[_]
+ allowedPaths := get_allowed_paths(input)
+ input_hostpath_violation(allowedPaths, volume)
+ msg := sprintf("HostPath volume %v is not allowed, pod: %v. Allowed path: %v", [volume, input.review.object.metadata.name, allowedPaths])
+ }
+
+ input_hostpath_violation(allowedPaths, volume) {
+ # An empty list means all host paths are blocked
+ allowedPaths == []
+ }
+ input_hostpath_violation(allowedPaths, volume) {
+ not input_hostpath_allowed(allowedPaths, volume)
+ }
+
+ get_allowed_paths(arg) = out {
+ not arg.parameters
+ out = []
+ }
+ get_allowed_paths(arg) = out {
+ not arg.parameters.allowedHostPaths
+ out = []
+ }
+ get_allowed_paths(arg) = out {
+ out = arg.parameters.allowedHostPaths
+ }
+
+ input_hostpath_allowed(allowedPaths, volume) {
+ allowedHostPath := allowedPaths[_]
+ path_matches(allowedHostPath.pathPrefix, volume.hostPath.path)
+ not allowedHostPath.readOnly == true
+ }
+
+ input_hostpath_allowed(allowedPaths, volume) {
+ allowedHostPath := allowedPaths[_]
+ path_matches(allowedHostPath.pathPrefix, volume.hostPath.path)
+ allowedHostPath.readOnly
+ not writeable_input_volume_mounts(volume.name)
+ }
+
+ writeable_input_volume_mounts(volume_name) {
+ container := input_containers[_]
+ mount := container.volumeMounts[_]
+ mount.name == volume_name
+ not mount.readOnly
+ }
+
+ # This allows "/foo", "/foo/", "/foo/bar" etc., but
+ # disallows "/fool", "/etc/foo" etc.
+ path_matches(prefix, path) {
+ a := path_array(prefix)
+ b := path_array(path)
+ prefix_matches(a, b)
+ }
+ path_array(p) = out {
+ p != "/"
+ out := split(trim(p, "/"), "/")
+ }
+ # This handles the special case for "/", since
+ # split(trim("/", "/"), "/") == [""]
+ path_array("/") = []
+
+ prefix_matches(a, b) {
+ count(a) <= count(b)
+ not any_not_equal_upto(a, b, count(a))
+ }
+
+ any_not_equal_upto(a, b, n) {
+ a[i] != b[i]
+ i < n
+ }
+
+ input_hostpath_volumes[v] {
+ v := input.review.object.spec.volumes[_]
+ has_field(v, "hostPath")
+ }
+
+ # has_field returns whether an object has a field
+ has_field(object, field) = true {
+ object[field]
+ }
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
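Review bot: The writable-mount check in the second `input_hostpath_allowed` rule does not hold after creation, because `not is_update(input.review)` skips every UPDATE while `input_containers` includes `ephemeralContainers`, which Kubernetes only lets you add to an already-running pod (through the `pods/ephemeralcontainers` subresource, which Gatekeeper's default webhook rules list as far as I recall). A debug container that mounts an already-admitted volume covered by a `readOnly: true` `allowedHostPaths` entry without `readOnly: true` on its own `volumeMounts` entry is therefore never evaluated, and the `disallowed-ephemeral` fixture only exercises a CREATE so it cannot catch this. The comment `spec.volumes field is immutable` is right for the volume list but not for mounts, so narrow the shared lib to `is_update(review) { review.operation == "UPDATE"; not review.subResource == "ephemeralcontainers" }`, or lift the UPDATE exclusion for the `writeable_input_volume_mounts` branch only. Separately, the description should repeat the caveat of the PSP page it links to: a writable hostPath (or a symlink beneath a read-only one) lets the container reach outside `pathPrefix`, so operators should set `readOnly: true` on every allowed entry for the prefix to mean anything.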
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..2f68f69dc
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spsphostnamespace
+displayName: Host Namespace
+createdAt: "2023-05-23T09:47:31Z"
+description: Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+digest: a0e3fc6ed087233e70ae10bdc2a3ee550226207bf2bf7fb4567833710d39bed0
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-namespaces
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Host Namespace
+ Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/constraint.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/constraint.yaml
new file mode 100644
index 000000000..5b3ebba3a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/constraint.yaml
@@ -0,0 +1,9 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPHostNamespace
+metadata:
+ name: psp-host-namespace
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/example_allowed.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/example_allowed.yaml
new file mode 100644
index 000000000..f765f5b4d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/example_allowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-namespace-allowed
+ labels:
+ app: nginx-host-namespace
+spec:
+ hostPID: false
+ hostIPC: false
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/example_disallowed.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/example_disallowed.yaml
new file mode 100644
index 000000000..b979e8134
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/example_disallowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-namespace-disallowed
+ labels:
+ app: nginx-host-namespace
+spec:
+ hostPID: true
+ hostIPC: true
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/update.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/update.yaml
new file mode 100644
index 000000000..29e17f13a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/samples/psp-host-namespace/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-host-namespace-disallowed
+ labels:
+ app: nginx-host-namespace
+ spec:
+ hostPID: true
+ hostIPC: true
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/suite.yaml
new file mode 100644
index 000000000..b8e853d5f
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/suite.yaml
@@ -0,0 +1,21 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: host-namespaces
+tests:
+ - name: host-namespace
+ template: template.yaml
+ constraint: samples/psp-host-namespace/constraint.yaml
+ cases:
+ - name: example-allowed
+ object: samples/psp-host-namespace/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: example-disallowed
+ object: samples/psp-host-namespace/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-host-namespace/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml
new file mode 100644
index 000000000..a8b87e419
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-namespaces/1.0.1/template.yaml
@@ -0,0 +1,54 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spsphostnamespace
+ annotations:
+ metadata.gatekeeper.sh/title: "Host Namespace"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Disallows sharing of host PID and IPC namespaces by pod containers.
+ Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy.
+ For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPHostNamespace
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Disallows sharing of host PID and IPC namespaces by pod containers.
+ Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy.
+ For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spsphostnamespace
+
+ import data.lib.exclude_update.is_update
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.hostPID and spec.hostIPC fields are immutable.
+ not is_update(input.review)
+
+ input_share_hostnamespace(input.review.object)
+ msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name])
+ }
+
+ input_share_hostnamespace(o) {
+ o.spec.hostPID
+ }
+ input_share_hostnamespace(o) {
+ o.spec.hostIPC
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
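Review bot: The denial at `msg := sprintf("Sharing the host namespace is not allowed: %v", ...)` does not say whether `hostPID` or `hostIPC` triggered it, so an operator gets one opaque message even when both are set. Replacing the `input_share_hostnamespace(input.review.object)` call and the message with `field := ["hostPID", "hostIPC"][_]`, `input.review.object.spec[field]` and `msg := sprintf("Sharing the host %v namespace is not allowed: %v", [field, input.review.object.metadata.name])` yields one actionable violation per offending field with the same allow/deny outcome for the samples, and `input_share_hostnamespace` can then be dropped. This is a style point only; the current rules are correct, and the `is_update` exclusion is sound here since both fields are immutable pod-level settings.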
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..3fe73120d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spsphostnetworkingports
+displayName: Host Networking Ports
+createdAt: "2023-05-23T09:47:31Z"
+description: Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the `hostNetwork` and `hostPorts` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+digest: 00d1eec4552138ea7eb40a5f24cd8d5ec3b3da5bc7121928d1f66dc899064d86
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-network-ports
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Host Networking Ports
+ Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the `hostNetwork` and `hostPorts` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/constraint.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/constraint.yaml
new file mode 100644
index 000000000..fcbc5d805
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/constraint.yaml
@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPHostNetworkingPorts
+metadata:
+ name: psp-host-network-ports
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ hostNetwork: true
+ min: 80
+ max: 9000
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..7a4fa3114
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/disallowed_ephemeral.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-ports-disallowed
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ hostNetwork: true
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/example_allowed.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/example_allowed.yaml
new file mode 100644
index 000000000..08b321fe5
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/example_allowed.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-ports-allowed
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ hostNetwork: false
+ containers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 9000
+ hostPort: 80
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/example_disallowed.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/example_disallowed.yaml
new file mode 100644
index 000000000..9a496cd60
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/example_disallowed.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-host-networking-ports-disallowed
+ labels:
+ app: nginx-host-networking-ports
+spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/update.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/update.yaml
new file mode 100644
index 000000000..231096430
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/samples/psp-host-network-ports/update.yaml
@@ -0,0 +1,19 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-host-networking-ports-disallowed
+ labels:
+ app: nginx-host-networking-ports
+ spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/suite.yaml
new file mode 100644
index 000000000..710df69eb
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/suite.yaml
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: host-network-ports
+tests:
+- name: use-of-host-networking-ports-blocked
+ template: template.yaml
+ constraint: samples/psp-host-network-ports/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-host-network-ports/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-host-network-ports/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/psp-host-network-ports/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-host-network-ports/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml
new file mode 100644
index 000000000..31a9d9e56
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/host-network-ports/1.0.1/template.yaml
@@ -0,0 +1,118 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spsphostnetworkingports
+ annotations:
+ metadata.gatekeeper.sh/title: "Host Networking Ports"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Controls usage of host network namespace by pod containers. Specific
+ ports must be specified. Corresponds to the `hostNetwork` and
+ `hostPorts` fields in a PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPHostNetworkingPorts
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls usage of host network namespace by pod containers. Specific
+ ports must be specified. Corresponds to the `hostNetwork` and
+ `hostPorts` fields in a PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ hostNetwork:
+ description: "Determines if the policy allows the use of HostNetwork in the pod spec."
+ type: boolean
+ min:
+ description: "The start of the allowed port range, inclusive."
+ type: integer
+ max:
+ description: "The end of the allowed port range, inclusive."
+ type: integer
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spsphostnetworkingports
+
+ import data.lib.exclude_update.is_update
+ import data.lib.exempt_container.is_exempt
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.hostNetwork field is immutable.
+ not is_update(input.review)
+
+ input_share_hostnetwork(input.review.object)
+ msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters])
+ }
+
+ input_share_hostnetwork(o) {
+ not input.parameters.hostNetwork
+ o.spec.hostNetwork
+ }
+
+ input_share_hostnetwork(o) {
+ hostPort := input_containers[_].ports[_].hostPort
+ hostPort < input.parameters.min
+ }
+
+ input_share_hostnetwork(o) {
+ hostPort := input_containers[_].ports[_].hostPort
+ hostPort > input.parameters.max
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ not is_exempt(c)
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ not is_exempt(c)
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ not is_exempt(c)
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
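Review bot: The two `hostPort` rules in `input_share_hostnetwork` silently allow every host port when the constraint omits `min` or `max`: the schema does not mark them required, and `hostPort < input.parameters.min` is simply undefined when the key is absent, so neither rule ever fires. If the intended semantics follow PSP (no `hostPorts` ranges means no host ports), the safe default is to reject, e.g. `hostPort < object.get(object.get(input, "parameters", {}), "min", 65536)` and `hostPort > object.get(object.get(input, "parameters", {}), "max", 0)`, or list `min` and `max` under `required` in the schema so the constraint is rejected at apply time. Also worth a sentence in the description: the range constrains only declared `hostPort` values, and once `hostNetwork: true` is permitted a process can bind any node port regardless of what `ports` declares, so "Specific ports must be specified" overstates what is enforced.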
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..12b37abb7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspprivilegedcontainer
+displayName: Privileged Container
+createdAt: "2023-05-23T09:47:31Z"
+description: Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
+digest: c8e6071091c7442d217106f83cc8b63cfe3bf48f49196435c5f974ec5cc094d5
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/privileged-containers
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Privileged Container
+ Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/constraint.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/constraint.yaml
new file mode 100644
index 000000000..b246b244a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/constraint.yaml
@@ -0,0 +1,10 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPPrivilegedContainer
+metadata:
+ name: psp-privileged-container
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ excludedNamespaces: ["kube-system"]
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..e8c8b9945
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/disallowed_ephemeral.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privileged-disallowed
+ labels:
+ app: nginx-privileged
+spec:
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: true
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/example_allowed.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/example_allowed.yaml
new file mode 100644
index 000000000..bb65a2c0e
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/example_allowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privileged-allowed
+ labels:
+ app: nginx-privileged
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: false
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/example_disallowed.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/example_disallowed.yaml
new file mode 100644
index 000000000..936a24f8e
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/example_disallowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-privileged-disallowed
+ labels:
+ app: nginx-privileged
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: true
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/update.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/update.yaml
new file mode 100644
index 000000000..08f36044c
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/samples/psp-privileged-container/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-privileged-disallowed
+ labels:
+ app: nginx-privileged
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: true
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/suite.yaml
new file mode 100644
index 000000000..c2e484fc5
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/suite.yaml
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: privileged-containers
+tests:
+- name: privileged-containers-disallowed
+ template: template.yaml
+ constraint: samples/psp-privileged-container/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-privileged-container/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-privileged-container/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/psp-privileged-container/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-privileged-container/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml
new file mode 100644
index 000000000..c552c193d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/privileged-containers/1.0.1/template.yaml
@@ -0,0 +1,92 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspprivilegedcontainer
+ annotations:
+ metadata.gatekeeper.sh/title: "Privileged Container"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Controls the ability of any container to enable privileged mode.
+ Corresponds to the `privileged` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPPrivilegedContainer
+ validation:
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls the ability of any container to enable privileged mode.
+ Corresponds to the `privileged` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spspprivileged
+
+ import data.lib.exclude_update.is_update
+ import data.lib.exempt_container.is_exempt
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.containers.privileged field is immutable.
+ not is_update(input.review)
+
+ c := input_containers[_]
+ not is_exempt(c)
+ c.securityContext.privileged
+ msg := sprintf("Privileged container is not allowed: %v, securityContext: %v", [c.name, c.securityContext])
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
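Review bot: The `not is_update(input.review)` guard at the top of `violation` defeats the `ephemeralContainers` clause of `input_containers`: ephemeral containers are only ever added through an UPDATE on the `pods/ephemeralcontainers` subresource of an existing pod, so a debug container with `securityContext.privileged: true` (for example from a `kubectl debug` profile that sets it) is never evaluated, and the `disallowed-ephemeral` fixture, admitted as a CREATE, does not cover the real path. The comment `spec.containers.privileged field is immutable` holds for `containers` and `initContainers` but not for the ephemeral list. Narrow the shared lib to `is_update(review) { review.operation == "UPDATE"; not review.subResource == "ephemeralcontainers" }` so subresource updates are still checked, assuming Gatekeeper's webhook is registered for that subresource (its default rules list it, as far as I recall).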
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/README.md b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/README.md
new file mode 100644
index 000000000..9e45b7207
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/README.md
@@ -0,0 +1,12 @@
+# ProcMount security context policy
+
+`procMount` denotes the type of proc mount to use for the containers. The default is `DefaultProcMount` which uses the container runtime defaults for readonly paths and masked paths.
+
+Types of proc mount are:
+
+- `DefaultProcMount` uses the container runtime default ProcType. Most container runtimes mask certain paths in /proc to avoid accidental security exposure of special devices or information.
+
+- `UnmaskedProcMount` bypasses the default masking behavior of the container runtime and ensures the newly created /proc the container stays in tact with no modifications.
+
+This requires the `ProcMountType` feature flag to be enabled. Set `--feature-gates=ProcMountType=true` in Kubernetes API Server to be able to use `Unmasked` procMount type (requires v1.12 and above). For more information, see
+https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/#options and https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/.
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/artifacthub-pkg.yml
new file mode 100644
index 000000000..61b7bb380
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.2
+name: k8spspprocmount
+displayName: Proc Mount
+createdAt: "2023-05-23T09:47:31Z"
+description: Controls the allowed `procMount` types for the container. Corresponds to the `allowedProcMountTypes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
+digest: 9a792a8c5d3a0559d877b673315598390a44d602fc2dcbe7c4f69f734dd94c97
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/proc-mount
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Proc Mount
+ Controls the allowed `procMount` types for the container. Corresponds to the `allowedProcMountTypes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/kustomization.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/constraint.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/constraint.yaml
new file mode 100644
index 000000000..1d7434ac0
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/constraint.yaml
@@ -0,0 +1,11 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPProcMount
+metadata:
+ name: psp-proc-mount
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ procMount: Default
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..4be38f45d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/disallowed_ephemeral.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-proc-mount-disallowed
+ labels:
+ app: nginx-proc-mount
+spec:
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ procMount: Unmasked #Default
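Review bot: The trailing `#Default` on `procMount: Unmasked` reads as a leftover toggle rather than documentation: a reader cannot tell whether it records the field's default value or a value to switch to, and it lacks the two-space separation and space after `#` that yamllint's `comments` rule expects. Suggest `procMount: Unmasked  # rejected by samples/psp-proc-mount/constraint.yaml, which only allows Default`. The same comment appears in `example_disallowed.yaml` and `update.yaml` of this package later in the diff.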
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/example_allowed.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/example_allowed.yaml
new file mode 100644
index 000000000..c9b13ac71
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/example_allowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-proc-mount-disallowed
+ labels:
+ app: nginx-proc-mount
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ procMount: Default
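Review bot: `metadata.name: nginx-proc-mount-disallowed` in `example_allowed.yaml` labels the allowed sample as disallowed; the read-only-root-filesystem package later in this diff names its allowed object `nginx-readonlyrootfilesystem-allowed`. Suggest `name: nginx-proc-mount-allowed` for consistency. As far as the suite shows, cases are selected by file path rather than object name, so this is hygiene only.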
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/example_disallowed.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/example_disallowed.yaml
new file mode 100644
index 000000000..403c7cb2a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/example_disallowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-proc-mount-disallowed
+ labels:
+ app: nginx-proc-mount
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ procMount: Unmasked #Default
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/update.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/update.yaml
new file mode 100644
index 000000000..dc21b1142
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/samples/psp-proc-mount/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-proc-mount-disallowed
+ labels:
+ app: nginx-proc-mount
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ procMount: Unmasked #Default
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/suite.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/suite.yaml
new file mode 100644
index 000000000..501493e14
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/suite.yaml
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: proc-mount
+tests:
+- name: default-proc-mount-required
+ template: template.yaml
+ constraint: samples/psp-proc-mount/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-proc-mount/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-proc-mount/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/psp-proc-mount/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-proc-mount/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml
new file mode 100644
index 000000000..bbf2244da
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.0.2/template.yaml
@@ -0,0 +1,138 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspprocmount
+ annotations:
+ metadata.gatekeeper.sh/title: "Proc Mount"
+ metadata.gatekeeper.sh/version: 1.0.2
+ description: >-
+ Controls the allowed `procMount` types for the container. Corresponds to
+ the `allowedProcMountTypes` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPProcMount
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls the allowed `procMount` types for the container. Corresponds to
+ the `allowedProcMountTypes` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ procMount:
+ type: string
+ description: >-
+ Defines the strategy for the security exposure of certain paths
+ in `/proc` by the container runtime. Setting to `Default` uses
+ the runtime defaults, where `Unmasked` bypasses the default
+ behavior.
+ enum:
+ - Default
+ - Unmasked
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spspprocmount
+
+ import data.lib.exclude_update.is_update
+ import data.lib.exempt_container.is_exempt
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.containers.securityContext.procMount field is immutable.
+ not is_update(input.review)
+
+ c := input_containers[_]
+ not is_exempt(c)
+ allowedProcMount := get_allowed_proc_mount(input)
+ not input_proc_mount_type_allowed(allowedProcMount, c)
+ msg := sprintf("ProcMount type is not allowed, container: %v. Allowed procMount types: %v", [c.name, allowedProcMount])
+ }
+
+ input_proc_mount_type_allowed(allowedProcMount, c) {
+ allowedProcMount == "default"
+ lower(c.securityContext.procMount) == "default"
+ }
+ input_proc_mount_type_allowed(allowedProcMount, c) {
+ allowedProcMount == "unmasked"
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ c.securityContext.procMount
+ }
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ c.securityContext.procMount
+ }
+ input_containers[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ c.securityContext.procMount
+ }
+
+ get_allowed_proc_mount(arg) = out {
+ not arg.parameters
+ out = "default"
+ }
+ get_allowed_proc_mount(arg) = out {
+ not arg.parameters.procMount
+ out = "default"
+ }
+ get_allowed_proc_mount(arg) = out {
+ arg.parameters.procMount
+ not valid_proc_mount(arg.parameters.procMount)
+ out = "default"
+ }
+ get_allowed_proc_mount(arg) = out {
+ valid_proc_mount(arg.parameters.procMount)
+ out = lower(arg.parameters.procMount)
+ }
+
+ valid_proc_mount(str) {
+ lower(str) == "default"
+ }
+ valid_proc_mount(str) {
+ lower(str) == "unmasked"
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
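Review bot: The `not is_update(input.review)` guard at the top of `violation` appears to make the `ephemeralContainers` branch of `input_containers` unreachable in a live cluster, because ephemeral containers are added to an already-running pod through an UPDATE of the `ephemeralcontainers` subresource rather than at CREATE; the `disallowed-ephemeral` suite case passes only because the sample is evaluated without an UPDATE operation. If that reading is right, the immutability shortcut should be kept for `containers` and `initContainers` but not applied to `ephemeralContainers`, for example by moving the guard into the per-list `input_containers` rules as sketched below (note this would then re-evaluate existing ephemeral containers on other pod updates, which is a trade-off worth a comment). Separately, in `lib.exempt_container` a bare `*` entry in `exemptImages` trims to an empty prefix and `startswith(img, "")` matches every image, which the schema description does not say; I would add `# a bare "*" exempts every container` above `_matches_exemption` or state it in the `exemptImages` description. Both points apply equally to the read-only-root-filesystem and SELinux templates later in this diff.
```yaml
        violation[{"msg": msg, "details": {}}] {
          c := input_containers[_]
          not is_exempt(c)
          # … unchanged: allowedProcMount lookup, check and msg …
        }

        input_containers[c] {
          # spec.containers[].securityContext.procMount is immutable, so only non-UPDATE requests matter
          not is_update(input.review)
          c := input.review.object.spec.containers[_]
          c.securityContext.procMount
        }
        input_containers[c] {
          not is_update(input.review)
          c := input.review.object.spec.initContainers[_]
          c.securityContext.procMount
        }
        input_containers[c] {
          # ephemeral containers are appended through an UPDATE, so do not skip updates here
          c := input.review.object.spec.ephemeralContainers[_]
          c.securityContext.procMount
        }
```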
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..76a2fbd74
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspreadonlyrootfilesystem
+displayName: Read Only Root Filesystem
+createdAt: "2023-05-23T09:47:31Z"
+description: Requires the use of a read-only root file system by pod containers. Corresponds to the `readOnlyRootFilesystem` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+digest: b2b009150e5eb99c2746d79e0de085d11b2bddb1c5e0613bdefcc6d27d8a221d
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/read-only-root-filesystem
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Read Only Root Filesystem
+ Requires the use of a read-only root file system by pod containers. Corresponds to the `readOnlyRootFilesystem` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/constraint.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/constraint.yaml
new file mode 100644
index 000000000..66d6bdabe
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/constraint.yaml
@@ -0,0 +1,9 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPReadOnlyRootFilesystem
+metadata:
+ name: psp-readonlyrootfilesystem
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..d0ce2c4dc
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-readonlyrootfilesystem-disallowed
+ labels:
+ app: nginx-readonlyrootfilesystem
+spec:
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ readOnlyRootFilesystem: false
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/example_allowed.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/example_allowed.yaml
new file mode 100644
index 000000000..9c96bd18c
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/example_allowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-readonlyrootfilesystem-allowed
+ labels:
+ app: nginx-readonlyrootfilesystem
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ readOnlyRootFilesystem: true
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/example_disallowed.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/example_disallowed.yaml
new file mode 100644
index 000000000..7571bfd9f
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/example_disallowed.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-readonlyrootfilesystem-disallowed
+ labels:
+ app: nginx-readonlyrootfilesystem
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ readOnlyRootFilesystem: false
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/update.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/update.yaml
new file mode 100644
index 000000000..b31ae5e3a
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/samples/psp-readonlyrootfilesystem/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-readonlyrootfilesystem-disallowed
+ labels:
+ app: nginx-readonlyrootfilesystem
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ readOnlyRootFilesystem: false
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/suite.yaml
new file mode 100644
index 000000000..db736886f
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/suite.yaml
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: read-only-root-filesystem
+tests:
+- name: require-read-only-root-filesystem
+ template: template.yaml
+ constraint: samples/psp-readonlyrootfilesystem/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-readonlyrootfilesystem/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-readonlyrootfilesystem/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-readonlyrootfilesystem/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml
new file mode 100644
index 000000000..bca12eeae
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.0.1/template.yaml
@@ -0,0 +1,103 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspreadonlyrootfilesystem
+ annotations:
+ metadata.gatekeeper.sh/title: "Read Only Root Filesystem"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Requires the use of a read-only root file system by pod containers.
+ Corresponds to the `readOnlyRootFilesystem` field in a
+ PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPReadOnlyRootFilesystem
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Requires the use of a read-only root file system by pod containers.
+ Corresponds to the `readOnlyRootFilesystem` field in a
+ PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spspreadonlyrootfilesystem
+
+ import data.lib.exclude_update.is_update
+ import data.lib.exempt_container.is_exempt
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.containers.readOnlyRootFilesystem field is immutable.
+ not is_update(input.review)
+
+ c := input_containers[_]
+ not is_exempt(c)
+ input_read_only_root_fs(c)
+ msg := sprintf("only read-only root filesystem container is allowed: %v", [c.name])
+ }
+
+ input_read_only_root_fs(c) {
+ not has_field(c, "securityContext")
+ }
+ input_read_only_root_fs(c) {
+ not c.securityContext.readOnlyRootFilesystem == true
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ }
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ }
+ input_containers[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ }
+
+ # has_field returns whether an object has a field
+ has_field(object, field) = true {
+ object[field]
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
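Review bot: The first `input_read_only_root_fs` rule (`not has_field(c, "securityContext")`) is redundant: when `securityContext` is absent, `c.securityContext.readOnlyRootFilesystem == true` is undefined, so the `not` in the second rule already succeeds for that container. Dropping the first rule and the `has_field` helper leaves behaviour unchanged and removes a helper whose parameter named `object` reads confusingly next to the `object.get` builtin used in `lib.exempt_container`. If the first rule is kept for readability, a comment such as `# containers without any securityContext are reported too` would make the intent explicit.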
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/selinux/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..b41f55e84
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspselinuxv2
+displayName: SELinux V2
+createdAt: "2023-05-23T09:47:32Z"
+description: Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
+digest: 4b123118ccfaccae4f0f895db926a46e41414e58cd779179a0767c6ab216055d
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/selinux
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # SELinux V2
+ Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/constraint.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/constraint.yaml
new file mode 100644
index 000000000..f88bbcd69
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/constraint.yaml
@@ -0,0 +1,15 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPSELinuxV2
+metadata:
+ name: psp-selinux-v2
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ allowedSELinuxOptions:
+ - level: s0:c123,c456
+ role: object_r
+ type: svirt_sandbox_file_t
+ user: system_u
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..3a35fc737
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/disallowed_ephemeral.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-selinux-disallowed
+ labels:
+ app: nginx-selinux
+spec:
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ seLinuxOptions:
+ level: s1:c234,c567
+ user: sysadm_u
+ role: sysadm_r
+ type: svirt_lxc_net_t
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/example_allowed.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/example_allowed.yaml
new file mode 100644
index 000000000..4eaf2dc92
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/example_allowed.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-selinux-allowed
+ labels:
+ app: nginx-selinux
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ seLinuxOptions:
+ level: s0:c123,c456
+ role: object_r
+ type: svirt_sandbox_file_t
+ user: system_u
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/example_disallowed.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/example_disallowed.yaml
new file mode 100644
index 000000000..7eb7fee11
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/example_disallowed.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-selinux-disallowed
+ labels:
+ app: nginx-selinux
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ seLinuxOptions:
+ level: s1:c234,c567
+ user: sysadm_u
+ role: sysadm_r
+ type: svirt_lxc_net_t
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/update.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/update.yaml
new file mode 100644
index 000000000..581419e9d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/samples/psp-selinux-v2/update.yaml
@@ -0,0 +1,21 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-selinux-disallowed
+ labels:
+ app: nginx-selinux
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ seLinuxOptions:
+ level: s1:c234,c567
+ user: sysadm_u
+ role: sysadm_r
+ type: svirt_lxc_net_t
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/suite.yaml
new file mode 100644
index 000000000..1bbaf360e
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/suite.yaml
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: selinux
+tests:
+- name: require-matching-selinux-options
+ template: template.yaml
+ constraint: samples/psp-selinux-v2/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-selinux-v2/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-selinux-v2/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/psp-selinux-v2/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-selinux-v2/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml
new file mode 100644
index 000000000..61729eceb
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/selinux/1.0.1/template.yaml
@@ -0,0 +1,144 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspselinuxv2
+ annotations:
+ metadata.gatekeeper.sh/title: "SELinux V2"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Defines an allow-list of seLinuxOptions configurations for pod
+ containers. Corresponds to a PodSecurityPolicy requiring SELinux configs.
+ For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPSELinuxV2
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Defines an allow-list of seLinuxOptions configurations for pod
+ containers. Corresponds to a PodSecurityPolicy requiring SELinux configs.
+ For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ allowedSELinuxOptions:
+ type: array
+ description: "An allow-list of SELinux options configurations."
+ items:
+ type: object
+ description: "An allowed configuration of SELinux options for a pod container."
+ properties:
+ level:
+ type: string
+ description: "An SELinux level."
+ role:
+ type: string
+ description: "An SELinux role."
+ type:
+ type: string
+ description: "An SELinux type."
+ user:
+ type: string
+ description: "An SELinux user."
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spspselinux
+
+ import data.lib.exclude_update.is_update
+ import data.lib.exempt_container.is_exempt
+
+ # Disallow top level custom SELinux options
+ violation[{"msg": msg, "details": {}}] {
+ # spec.securityContext.seLinuxOptions field is immutable.
+ not is_update(input.review)
+
+ has_field(input.review.object.spec.securityContext, "seLinuxOptions")
+ not input_seLinuxOptions_allowed(input.review.object.spec.securityContext.seLinuxOptions)
+ msg := sprintf("SELinux options is not allowed, pod: %v. Allowed options: %v", [input.review.object.metadata.name, input.parameters.allowedSELinuxOptions])
+ }
+ # Disallow container level custom SELinux options
+ violation[{"msg": msg, "details": {}}] {
+ # spec.containers.securityContext.seLinuxOptions field is immutable.
+ not is_update(input.review)
+
+ c := input_security_context[_]
+ not is_exempt(c)
+ has_field(c.securityContext, "seLinuxOptions")
+ not input_seLinuxOptions_allowed(c.securityContext.seLinuxOptions)
+ msg := sprintf("SELinux options is not allowed, pod: %v, container %v. Allowed options: %v", [input.review.object.metadata.name, c.name, input.parameters.allowedSELinuxOptions])
+ }
+
+ input_seLinuxOptions_allowed(options) {
+ params := input.parameters.allowedSELinuxOptions[_]
+ field_allowed("level", options, params)
+ field_allowed("role", options, params)
+ field_allowed("type", options, params)
+ field_allowed("user", options, params)
+ }
+
+ field_allowed(field, options, params) {
+ params[field] == options[field]
+ }
+ field_allowed(field, options, params) {
+ not has_field(options, field)
+ }
+
+ input_security_context[c] {
+ c := input.review.object.spec.containers[_]
+ has_field(c.securityContext, "seLinuxOptions")
+ }
+ input_security_context[c] {
+ c := input.review.object.spec.initContainers[_]
+ has_field(c.securityContext, "seLinuxOptions")
+ }
+ input_security_context[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ has_field(c.securityContext, "seLinuxOptions")
+ }
+
+ # has_field returns whether an object has a field
+ has_field(object, field) = true {
+ object[field]
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
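Review bot: Both `violation` rules appear to fail open when a constraint omits `allowedSELinuxOptions`: `input_seLinuxOptions_allowed` is undefined so its `not` succeeds, but the following `sprintf` references `input.parameters.allowedSELinuxOptions` directly, and an undefined argument makes the whole rule body undefined, so custom SELinux options are silently admitted instead of being rejected against an empty allow-list. The proc-mount template in this same diff avoids this with `get_allowed_proc_mount`, which defaults the parameter; the equivalent here is `allowed := object.get(object.get(input, "parameters", {}), "allowedSELinuxOptions", [])` used in `input_seLinuxOptions_allowed` and in both `sprintf` calls, or alternatively a `required: [allowedSELinuxOptions]` entry in the schema so such constraints are rejected at admission. On style, `package k8spspselinux` does not match the template name `k8spspselinuxv2`, whereas the other templates in this diff keep package and `metadata.name` identical.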
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/users/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..338f2ee94
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/users/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspallowedusers
+displayName: Allowed Users
+createdAt: "2023-05-23T09:47:32Z"
+description: Controls the user and group IDs of the container and some volumes. Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and `fsGroup` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
+digest: 4145c820284a655c6dfded52eb983df65e0eb5f76c4086e4edf03cbe6da2caf2
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/users
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Allowed Users
+ Controls the user and group IDs of the container and some volumes. Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and `fsGroup` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/users/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/users/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/constraint.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/constraint.yaml
new file mode 100644
index 000000000..e69974578
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/constraint.yaml
@@ -0,0 +1,30 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPAllowedUsers
+metadata:
+ name: psp-pods-allowed-user-ranges
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ runAsUser:
+ rule: MustRunAs # MustRunAsNonRoot # RunAsAny
+ ranges:
+ - min: 100
+ max: 200
+ runAsGroup:
+ rule: MustRunAs # MayRunAs # RunAsAny
+ ranges:
+ - min: 100
+ max: 200
+ supplementalGroups:
+ rule: MustRunAs # MayRunAs # RunAsAny
+ ranges:
+ - min: 100
+ max: 200
+ fsGroup:
+ rule: MustRunAs # MayRunAs # RunAsAny
+ ranges:
+ - min: 100
+ max: 200
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml
new file mode 100644
index 000000000..6297f0dfd
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-users-disallowed
+ labels:
+ app: nginx-users
+spec:
+ securityContext:
+ supplementalGroups:
+ - 250
+ fsGroup: 250
+ ephemeralContainers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ runAsUser: 250
+ runAsGroup: 250
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/example_allowed.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/example_allowed.yaml
new file mode 100644
index 000000000..79899ed98
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/example_allowed.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-users-allowed
+ labels:
+ app: nginx-users
+spec:
+ securityContext:
+ supplementalGroups:
+ - 199
+ fsGroup: 199
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ runAsUser: 199
+ runAsGroup: 199
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/example_disallowed.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/example_disallowed.yaml
new file mode 100644
index 000000000..516cce14b
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/example_disallowed.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-users-disallowed
+ labels:
+ app: nginx-users
+spec:
+ securityContext:
+ supplementalGroups:
+ - 250
+ fsGroup: 250
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ runAsUser: 250
+ runAsGroup: 250
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/update.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/update.yaml
new file mode 100644
index 000000000..6f4d3ed72
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/users/1.0.1/samples/psp-pods-allowed-user-ranges/update.yaml
@@ -0,0 +1,22 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-users-disallowed
+ labels:
+ app: nginx-users
+ spec:
+ securityContext:
+ supplementalGroups:
+ - 250
+ fsGroup: 250
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ runAsUser: 250
+ runAsGroup: 250
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/suite.yaml
new file mode 100644
index 000000000..5c6e49640
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/users/1.0.1/suite.yaml
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: users
+tests:
+- name: users-and-groups-together
+ template: template.yaml
+ constraint: samples/psp-pods-allowed-user-ranges/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-pods-allowed-user-ranges/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-pods-allowed-user-ranges/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: disallowed-ephemeral
+ object: samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml
+ assertions:
+ - violations: yes
+ - name: update
+ object: samples/psp-pods-allowed-user-ranges/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/users/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/users/1.0.1/template.yaml
new file mode 100644
index 000000000..1e572443e
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/users/1.0.1/template.yaml
@@ -0,0 +1,292 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspallowedusers
+ annotations:
+ metadata.gatekeeper.sh/title: "Allowed Users"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Controls the user and group IDs of the container and some volumes.
+ Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and
+ `fsGroup` fields in a PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPAllowedUsers
+ validation:
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Controls the user and group IDs of the container and some volumes.
+ Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and
+ `fsGroup` fields in a PodSecurityPolicy. For more information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
+ properties:
+ exemptImages:
+ description: >-
+ Any container that uses an image that matches an entry in this list will be excluded
+ from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+ It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+ in order to avoid unexpectedly exempting images from an untrusted repository.
+ type: array
+ items:
+ type: string
+ runAsUser:
+ type: object
+ description: "Controls which user ID values are allowed in a Pod or container-level SecurityContext."
+ properties:
+ rule:
+ type: string
+ description: "A strategy for applying the runAsUser restriction."
+ enum:
+ - MustRunAs
+ - MustRunAsNonRoot
+ - RunAsAny
+ ranges:
+ type: array
+ description: "A list of user ID ranges affected by the rule."
+ items:
+ type: object
+ description: "The range of user IDs affected by the rule."
+ properties:
+ min:
+ type: integer
+ description: "The minimum user ID in the range, inclusive."
+ max:
+ type: integer
+ description: "The maximum user ID in the range, inclusive."
+ runAsGroup:
+ type: object
+ description: "Controls which group ID values are allowed in a Pod or container-level SecurityContext."
+ properties:
+ rule:
+ type: string
+ description: "A strategy for applying the runAsGroup restriction."
+ enum:
+ - MustRunAs
+ - MayRunAs
+ - RunAsAny
+ ranges:
+ type: array
+ description: "A list of group ID ranges affected by the rule."
+ items:
+ type: object
+ description: "The range of group IDs affected by the rule."
+ properties:
+ min:
+ type: integer
+ description: "The minimum group ID in the range, inclusive."
+ max:
+ type: integer
+ description: "The maximum group ID in the range, inclusive."
+ supplementalGroups:
+ type: object
+ description: "Controls the supplementalGroups values that are allowed in a Pod or container-level SecurityContext."
+ properties:
+ rule:
+ type: string
+ description: "A strategy for applying the supplementalGroups restriction."
+ enum:
+ - MustRunAs
+ - MayRunAs
+ - RunAsAny
+ ranges:
+ type: array
+ description: "A list of group ID ranges affected by the rule."
+ items:
+ type: object
+ description: "The range of group IDs affected by the rule."
+ properties:
+ min:
+ type: integer
+ description: "The minimum group ID in the range, inclusive."
+ max:
+ type: integer
+ description: "The maximum group ID in the range, inclusive."
+ fsGroup:
+ type: object
+ description: "Controls the fsGroup values that are allowed in a Pod or container-level SecurityContext."
+ properties:
+ rule:
+ type: string
+ description: "A strategy for applying the fsGroup restriction."
+ enum:
+ - MustRunAs
+ - MayRunAs
+ - RunAsAny
+ ranges:
+ type: array
+ description: "A list of group ID ranges affected by the rule."
+ items:
+ type: object
+ description: "The range of group IDs affected by the rule."
+ properties:
+ min:
+ type: integer
+ description: "The minimum group ID in the range, inclusive."
+ max:
+ type: integer
+ description: "The maximum group ID in the range, inclusive."
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spspallowedusers
+
+ import data.lib.exclude_update.is_update
+ import data.lib.exempt_container.is_exempt
+
+ violation[{"msg": msg}] {
+ # runAsUser, runAsGroup, supplementalGroups, fsGroup fields are immutable.
+ not is_update(input.review)
+
+ fields := ["runAsUser", "runAsGroup", "supplementalGroups", "fsGroup"]
+ field := fields[_]
+ container := input_containers[_]
+ not is_exempt(container)
+ msg := get_type_violation(field, container)
+ }
+
+ get_type_violation(field, container) = msg {
+ field == "runAsUser"
+ params := input.parameters[field]
+ msg := get_user_violation(params, container)
+ }
+
+ get_type_violation(field, container) = msg {
+ field != "runAsUser"
+ params := input.parameters[field]
+ msg := get_violation(field, params, container)
+ }
+
+ # RunAsUser (separate due to "MustRunAsNonRoot")
+ get_user_violation(params, container) = msg {
+ rule := params.rule
+ provided_user := get_field_value("runAsUser", container, input.review)
+ not accept_users(rule, provided_user)
+ msg := sprintf("Container %v is attempting to run as disallowed user %v. Allowed runAsUser: %v", [container.name, provided_user, params])
+ }
+
+ get_user_violation(params, container) = msg {
+ not get_field_value("runAsUser", container, input.review)
+ params.rule = "MustRunAs"
+ msg := sprintf("Container %v is attempting to run without a required securityContext/runAsUser", [container.name])
+ }
+
+ get_user_violation(params, container) = msg {
+ params.rule = "MustRunAsNonRoot"
+ not get_field_value("runAsUser", container, input.review)
+ not get_field_value("runAsNonRoot", container, input.review)
+ msg := sprintf("Container %v is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", [container.name])
+ }
+
+ accept_users("RunAsAny", provided_user) {true}
+
+ accept_users("MustRunAsNonRoot", provided_user) = res {res := provided_user != 0}
+
+ accept_users("MustRunAs", provided_user) = res {
+ ranges := input.parameters.runAsUser.ranges
+ res := is_in_range(provided_user, ranges)
+ }
+
+ # Group Options
+ get_violation(field, params, container) = msg {
+ rule := params.rule
+ provided_value := get_field_value(field, container, input.review)
+ not is_array(provided_value)
+ not accept_value(rule, provided_value, params.ranges)
+ msg := sprintf("Container %v is attempting to run as disallowed group %v. Allowed %v: %v", [container.name, provided_value, field, params])
+ }
+ # SupplementalGroups is array value
+ get_violation(field, params, container) = msg {
+ rule := params.rule
+ array_value := get_field_value(field, container, input.review)
+ is_array(array_value)
+ provided_value := array_value[_]
+ not accept_value(rule, provided_value, params.ranges)
+ msg := sprintf("Container %v is attempting to run with disallowed supplementalGroups %v. Allowed %v: %v", [container.name, array_value, field, params])
+ }
+
+ get_violation(field, params, container) = msg {
+ not get_field_value(field, container, input.review)
+ params.rule == "MustRunAs"
+ msg := sprintf("Container %v is attempting to run without a required securityContext/%v. Allowed %v: %v", [container.name, field, field, params])
+ }
+
+ accept_value("RunAsAny", provided_value, ranges) {true}
+
+ accept_value("MayRunAs", provided_value, ranges) = res { res := is_in_range(provided_value, ranges)}
+
+ accept_value("MustRunAs", provided_value, ranges) = res { res := is_in_range(provided_value, ranges)}
+
+
+ # If container level is provided, that takes precedence
+ get_field_value(field, container, review) = out {
+ container_value := get_seccontext_field(field, container)
+ out := container_value
+ }
+
+ # If no container level exists, use pod level
+ get_field_value(field, container, review) = out {
+ not has_seccontext_field(field, container)
+ review.kind.kind == "Pod"
+ pod_value := get_seccontext_field(field, review.object.spec)
+ out := pod_value
+ }
+
+ # Helper Functions
+ is_in_range(val, ranges) = res {
+ matching := {1 | val >= ranges[j].min; val <= ranges[j].max}
+ res := count(matching) > 0
+ }
+
+ has_seccontext_field(field, obj) {
+ get_seccontext_field(field, obj)
+ }
+
+ has_seccontext_field(field, obj) {
+ get_seccontext_field(field, obj) == false
+ }
+
+ get_seccontext_field(field, obj) = out {
+ out = obj.securityContext[field]
+ }
+
+ input_containers[c] {
+ c := input.review.object.spec.containers[_]
+ }
+ input_containers[c] {
+ c := input.review.object.spec.initContainers[_]
+ }
+ input_containers[c] {
+ c := input.review.object.spec.ephemeralContainers[_]
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
+ - |
+ package lib.exempt_container
+
+ is_exempt(container) {
+ exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+ img := container.image
+ exemption := exempt_images[_]
+ _matches_exemption(img, exemption)
+ }
+
+ _matches_exemption(img, exemption) {
+ not endswith(exemption, "*")
+ exemption == img
+ }
+
+ _matches_exemption(img, exemption) {
+ endswith(exemption, "*")
+ prefix := trim_suffix(exemption, "*")
+ startswith(img, prefix)
+ }
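Review bot: The `not is_update(input.review)` guard at the top of `violation` skips every UPDATE, yet `input_containers` still enumerates `spec.ephemeralContainers`; ephemeral containers are normally attached to an already-running Pod through an UPDATE of the `pods/ephemeralcontainers` subresource, so wherever the webhook configuration forwards that subresource the run-as checks for the ephemeral container are never evaluated, and the `disallowed-ephemeral` suite case only exercises the CREATE path. The comment `# runAsUser, runAsGroup, supplementalGroups, fsGroup fields are immutable.` therefore holds for the containers present at creation, not for ephemeral ones added later. One way to keep the UPDATE short-circuit for regular and init containers while still evaluating ephemeral containers is to select the container set by operation, as sketched below. The same guard is added in the allow-privilege-escalation template hunk (L5554–5565), whose suite likewise carries a `disallowed_ephemeral` case.
```rego
violation[{"msg": msg}] {
    # runAsUser, runAsGroup, supplementalGroups, fsGroup are immutable for
    # regular and init containers, so those are only checked on CREATE;
    # ephemeral containers can be added by an UPDATE and are always checked.
    fields := ["runAsUser", "runAsGroup", "supplementalGroups", "fsGroup"]
    field := fields[_]
    container := checked_containers[_]
    not is_exempt(container)
    msg := get_type_violation(field, container)
}

checked_containers[c] {
    not is_update(input.review)
    c := input_containers[_]
}

checked_containers[c] {
    is_update(input.review)
    c := input.review.object.spec.ephemeralContainers[_]
}

# … unchanged: get_type_violation, get_user_violation, helpers, input_containers …
```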
diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/volumes/1.0.1/artifacthub-pkg.yml
new file mode 100644
index 000000000..2630a20fc
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8spspvolumetypes
+displayName: Volume Types
+createdAt: "2023-05-23T09:47:32Z"
+description: Restricts mountable volume types to those specified by the user. Corresponds to the `volumes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+digest: 95c71f8cfca302fcc4a122dc7f824884ea1f58d0f13b321b9f00a7976272764e
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/volumes
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Volume Types
+ Restricts mountable volume types to those specified by the user. Corresponds to the `volumes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/kustomization.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/constraint.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/constraint.yaml
new file mode 100644
index 000000000..0638df7cb
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/constraint.yaml
@@ -0,0 +1,20 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPVolumeTypes
+metadata:
+ name: psp-volume-types
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ volumes:
+ # - "*" # * may be used to allow all volume types
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+ - persistentVolumeClaim
+ #- hostPath #required for allowedHostPaths
+ - flexVolume #required for allowedFlexVolumes
diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/example_allowed.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/example_allowed.yaml
new file mode 100644
index 000000000..df6251e7d
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/example_allowed.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-volume-types-allowed
+ labels:
+ app: nginx-volume-types
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ - name: nginx2
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache2
+ name: demo-vol
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
+ - name: demo-vol
+ emptyDir: {}
diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/example_disallowed.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/example_disallowed.yaml
new file mode 100644
index 000000000..562cf59d8
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/example_disallowed.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-volume-types-disallowed
+ labels:
+ app: nginx-volume-types
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ - name: nginx2
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache2
+ name: demo-vol
+ volumes:
+ - name: cache-volume
+ hostPath:
+ path: /tmp # directory location on host
+ - name: demo-vol
+ emptyDir: {}
diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/update.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/update.yaml
new file mode 100644
index 000000000..f25f07267
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/samples/psp-volume-types/update.yaml
@@ -0,0 +1,29 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-volume-types-disallowed
+ labels:
+ app: nginx-volume-types
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ - name: nginx2
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache2
+ name: demo-vol
+ volumes:
+ - name: cache-volume
+ hostPath:
+ path: /tmp # directory location on host
+ - name: demo-vol
+ emptyDir: {}
diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/suite.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/suite.yaml
new file mode 100644
index 000000000..083aad6eb
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/suite.yaml
@@ -0,0 +1,21 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: volumes
+tests:
+- name: host-path-disallowed
+ template: template.yaml
+ constraint: samples/psp-volume-types/constraint.yaml
+ cases:
+ - name: example-disallowed
+ object: samples/psp-volume-types/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-allowed
+ object: samples/psp-volume-types/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: update
+ object: samples/psp-volume-types/update.yaml
+ assertions:
+ - violations: no
diff --git a/artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml b/artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml
new file mode 100644
index 000000000..458cb3178
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/volumes/1.0.1/template.yaml
@@ -0,0 +1,64 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8spspvolumetypes
+ annotations:
+ metadata.gatekeeper.sh/title: "Volume Types"
+ metadata.gatekeeper.sh/version: 1.0.1
+ description: >-
+ Restricts mountable volume types to those specified by the user.
+ Corresponds to the `volumes` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sPSPVolumeTypes
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Restricts mountable volume types to those specified by the user.
+ Corresponds to the `volumes` field in a PodSecurityPolicy. For more
+ information, see
+ https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+ properties:
+ volumes:
+ description: "`volumes` is an array of volume types. All volume types can be enabled using `*`."
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8spspvolumetypes
+
+ import data.lib.exclude_update.is_update
+
+ violation[{"msg": msg, "details": {}}] {
+ # spec.volumes field is immutable.
+ not is_update(input.review)
+
+ volume_fields := {x | input.review.object.spec.volumes[_][x]; x != "name"}
+ field := volume_fields[_]
+ not input_volume_type_allowed(field)
+ msg := sprintf("The volume type %v is not allowed, pod: %v. Allowed volume types: %v", [field, input.review.object.metadata.name, input.parameters.volumes])
+ }
+
+ # * may be used to allow all volume types
+ input_volume_type_allowed(field) {
+ input.parameters.volumes[_] == "*"
+ }
+
+ input_volume_type_allowed(field) {
+ field == input.parameters.volumes[_]
+ }
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
diff --git a/library/general/automount-serviceaccount-token/samples/automount-serviceaccount-token/update.yaml b/library/general/automount-serviceaccount-token/samples/automount-serviceaccount-token/update.yaml
new file mode 100644
index 000000000..0e9030f27
--- /dev/null
+++ b/library/general/automount-serviceaccount-token/samples/automount-serviceaccount-token/update.yaml
@@ -0,0 +1,16 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-automountserviceaccounttoken-update
+ labels:
+ app: nginx-automountserviceaccounttoken
+ spec:
+ automountServiceAccountToken: true
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/library/general/automount-serviceaccount-token/suite.yaml b/library/general/automount-serviceaccount-token/suite.yaml
index 2cbc9064f..cf257d08f 100644
--- a/library/general/automount-serviceaccount-token/suite.yaml
+++ b/library/general/automount-serviceaccount-token/suite.yaml
@@ -15,3 +15,7 @@ tests:
object: samples/automount-serviceaccount-token/example_disallowed.yaml
assertions:
- violations: yes
+ - name: update
+ object: samples/automount-serviceaccount-token/update.yaml
+ assertions:
+ - violations: no
diff --git a/library/general/automount-serviceaccount-token/template.yaml b/library/general/automount-serviceaccount-token/template.yaml
index c9f87c42f..82e69ff9c 100644
--- a/library/general/automount-serviceaccount-token/template.yaml
+++ b/library/general/automount-serviceaccount-token/template.yaml
@@ -4,7 +4,7 @@ metadata:
name: k8spspautomountserviceaccounttokenpod
annotations:
metadata.gatekeeper.sh/title: "Automount Service Account Token for Pod"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls the ability of any Pod to enable automountServiceAccountToken.
spec:
@@ -22,7 +22,12 @@ spec:
rego: |
package k8sautomountserviceaccounttoken
+ import data.lib.exclude_update.is_update
+
violation[{"msg": msg}] {
+ # spec.automountServiceAccountToken and spec.containers.volumeMounts fields are immutable.
+ not is_update(input.review)
+
obj := input.review.object
mountServiceAccountToken(obj.spec)
msg := sprintf("Automounting service account token is disallowed, pod: %v", [obj.metadata.name])
@@ -52,3 +57,10 @@ spec:
has_key(x, k) {
_ = x[k]
}
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
diff --git a/library/general/ephemeralstoragelimit/samples/container-must-have-ephemeral-storage-limit/update.yaml b/library/general/ephemeralstoragelimit/samples/container-must-have-ephemeral-storage-limit/update.yaml
new file mode 100644
index 000000000..c0ff27893
--- /dev/null
+++ b/library/general/ephemeralstoragelimit/samples/container-must-have-ephemeral-storage-limit/update.yaml
@@ -0,0 +1,24 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: opa-allowed
+ labels:
+ owner: me.agilebank.demo
+ spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "1Gi"
+ ephemeral-storage: "1Pi"
diff --git a/library/general/ephemeralstoragelimit/suite.yaml b/library/general/ephemeralstoragelimit/suite.yaml
index f76b15f06..a6b99410d 100644
--- a/library/general/ephemeralstoragelimit/suite.yaml
+++ b/library/general/ephemeralstoragelimit/suite.yaml
@@ -27,3 +27,7 @@ tests:
object: samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml
assertions:
- violations: yes
+ - name: ephemeral-storage-limit-update
+ object: samples/container-must-have-ephemeral-storage-limit/update.yaml
+ assertions:
+ - violations: no
diff --git a/library/general/ephemeralstoragelimit/template.yaml b/library/general/ephemeralstoragelimit/template.yaml
index 5362e5ffd..2f7bf1b2b 100644
--- a/library/general/ephemeralstoragelimit/template.yaml
+++ b/library/general/ephemeralstoragelimit/template.yaml
@@ -4,7 +4,7 @@ metadata:
name: k8scontainerephemeralstoragelimit
annotations:
metadata.gatekeeper.sh/title: "Container ephemeral storage limit"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Requires containers to have an ephemeral storage limit set and constrains
the limit to be within the specified maximum values.
@@ -38,6 +38,7 @@ spec:
rego: |
package k8scontainerephemeralstoragelimit
+ import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
missing(obj, field) = true {
@@ -150,10 +151,14 @@ spec:
}
violation[{"msg": msg}] {
+ # spec.containers.resources.limits["ephemeral-storage"] field is immutable.
+ not is_update(input.review)
+
general_violation[{"msg": msg, "field": "containers"}]
}
violation[{"msg": msg}] {
+ not is_update(input.review)
general_violation[{"msg": msg, "field": "initContainers"}]
}
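Review bot: The comment added to the first `violation` rule states that the ephemeral-storage limit is immutable, but container `resources` become updatable in place once the InPlacePodVerticalScaling feature gate is enabled (alpha since Kubernetes 1.27), so on such a cluster an UPDATE that raises a limit above the configured maximum is no longer evaluated; the assumption is worth making explicit, e.g. `# resources.limits is immutable unless in-place pod resize is enabled; UPDATE requests are skipped.` The second `violation` rule repeats `not is_update(input.review)` without any comment, which reads as an accidental omission next to the first; a one-line `# see the containers rule above` keeps the two rules consistent.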
@@ -199,6 +204,12 @@ spec:
msg := sprintf("container <%v> ephemeral-storage limit <%v> is higher than the maximum allowed of <%v>", [container.name, storage_orig, max_storage_orig])
}
libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
- |
package lib.exempt_container
diff --git a/library/general/requiredprobes/samples/must-have-probes/update.yaml b/library/general/requiredprobes/samples/must-have-probes/update.yaml
new file mode 100644
index 000000000..ff5e91103
--- /dev/null
+++ b/library/general/requiredprobes/samples/must-have-probes/update.yaml
@@ -0,0 +1,35 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: test-pod1
+ spec:
+ containers:
+ - name: nginx-1
+ image: nginx:1.7.9
+ ports:
+ - containerPort: 80
+ livenessProbe:
+ # tcpSocket:
+ # port: 80
+ # initialDelaySeconds: 5
+ # periodSeconds: 10
+ volumeMounts:
+ - mountPath: /tmp/cache
+ name: cache-volume
+ - name: tomcat
+ image: tomcat
+ ports:
+ - containerPort: 8080
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
diff --git a/library/general/requiredprobes/suite.yaml b/library/general/requiredprobes/suite.yaml
index 8e8629a92..86c2a229e 100644
--- a/library/general/requiredprobes/suite.yaml
+++ b/library/general/requiredprobes/suite.yaml
@@ -19,3 +19,7 @@ tests:
object: samples/must-have-probes/example_disallowed2.yaml
assertions:
- violations: yes
+ - name: update
+ object: samples/must-have-probes/update.yaml
+ assertions:
+ - violations: no
diff --git a/library/general/requiredprobes/template.yaml b/library/general/requiredprobes/template.yaml
index 26417b101..4115a6d98 100644
--- a/library/general/requiredprobes/template.yaml
+++ b/library/general/requiredprobes/template.yaml
@@ -4,7 +4,7 @@ metadata:
name: k8srequiredprobes
annotations:
metadata.gatekeeper.sh/title: "Required Probes"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: Requires Pods to have readiness and/or liveness probes.
spec:
crd:
@@ -30,11 +30,16 @@ spec:
rego: |
package k8srequiredprobes
+ import data.lib.exclude_update.is_update
+
probe_type_set = probe_types {
probe_types := {type | type := input.parameters.probeTypes[_]}
}
violation[{"msg": msg}] {
+ # Probe fields are immutable.
+ not is_update(input.review)
+
container := input.review.object.spec.containers[_]
probe := input.parameters.probes[_]
probe_is_missing(container, probe)
@@ -58,3 +63,10 @@ spec:
get_violation_message(container, review, probe) = msg {
msg := sprintf("Container <%v> in your <%v> <%v> has no <%v>", [container.name, review.kind.kind, review.object.metadata.name, probe])
}
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
diff --git a/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/update.yaml b/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/update.yaml
new file mode 100644
index 000000000..a79d40a1b
--- /dev/null
+++ b/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-privilege-escalation-disallowed
+ labels:
+ app: nginx-privilege-escalation
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ allowPrivilegeEscalation: true
diff --git a/library/pod-security-policy/allow-privilege-escalation/suite.yaml b/library/pod-security-policy/allow-privilege-escalation/suite.yaml
index 0c65f18f7..cd7531cfa 100644
--- a/library/pod-security-policy/allow-privilege-escalation/suite.yaml
+++ b/library/pod-security-policy/allow-privilege-escalation/suite.yaml
@@ -19,3 +19,7 @@ tests:
object: samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml
assertions:
- violations: yes
+ - name: update
+ object: samples/psp-allow-privilege-escalation-container/update.yaml
+ assertions:
+ - violations: no
diff --git a/library/pod-security-policy/allow-privilege-escalation/template.yaml b/library/pod-security-policy/allow-privilege-escalation/template.yaml
index c473e2731..a7f4694a2 100644
--- a/library/pod-security-policy/allow-privilege-escalation/template.yaml
+++ b/library/pod-security-policy/allow-privilege-escalation/template.yaml
@@ -4,7 +4,7 @@ metadata:
name: k8spspallowprivilegeescalationcontainer
annotations:
metadata.gatekeeper.sh/title: "Allow Privilege Escalation in Container"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls restricting escalation to root privileges. Corresponds to the
`allowPrivilegeEscalation` field in a PodSecurityPolicy. For more
@@ -39,9 +39,13 @@ spec:
rego: |
package k8spspallowprivilegeescalationcontainer
+ import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg, "details": {}}] {
+ # spec.containers.securityContext.allowPrivilegeEscalation field is immutable.
+ not is_update(input.review)
+
c := input_containers[_]
not is_exempt(c)
input_allow_privilege_escalation(c)
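Review bot: Gating the whole violation rule on `not is_update(input.review)` assumes every field it inspects is immutable on UPDATE, but `input_containers` (defined outside this hunk; the suite's `disallowed_ephemeral` case suggests it also walks `spec.ephemeralContainers`) is not — ephemeral containers are added to an existing pod through an update of its `ephemeralcontainers` subresource, so a debug container with `allowPrivilegeEscalation: true` added that way would presumably no longer be flagged. The same gate is applied to the explicit `spec.ephemeralContainers[_]` rules in the capabilities template and to the `input_containers`-based rules in host-filesystem, host-network-ports, privileged-containers, proc-mount, read-only-root-filesystem, selinux and users. A narrower exclusion would keep checking that subresource, e.g. `is_update(review) { review.operation == "UPDATE"; not review.subResource == "ephemeralcontainers" }` — confirm the exact field name Gatekeeper exposes on `input.review` before relying on it. None of the new `update.yaml` samples exercise an UPDATE that adds an ephemeral container, so the suites would not catch this gap.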
@@ -68,6 +72,12 @@ spec:
object[field]
}
libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
- |
package lib.exempt_container
diff --git a/library/pod-security-policy/capabilities/samples/capabilities-demo/update.yaml b/library/pod-security-policy/capabilities/samples/capabilities-demo/update.yaml
new file mode 100644
index 000000000..df8ea0070
--- /dev/null
+++ b/library/pod-security-policy/capabilities/samples/capabilities-demo/update.yaml
@@ -0,0 +1,26 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: opa-disallowed
+ labels:
+ owner: me.agilebank.demo
+ spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ securityContext:
+ capabilities:
+ add: ["disallowedcapability"]
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "30Mi"
diff --git a/library/pod-security-policy/capabilities/suite.yaml b/library/pod-security-policy/capabilities/suite.yaml
index 8f7386e1c..48c2fcb46 100644
--- a/library/pod-security-policy/capabilities/suite.yaml
+++ b/library/pod-security-policy/capabilities/suite.yaml
@@ -19,3 +19,7 @@ tests:
object: samples/capabilities-demo/disallowed_ephemeral.yaml
assertions:
- violations: yes
+ - name: update
+ object: samples/capabilities-demo/update.yaml
+ assertions:
+ - violations: no
diff --git a/library/pod-security-policy/capabilities/template.yaml b/library/pod-security-policy/capabilities/template.yaml
index f645e3765..0df32e927 100644
--- a/library/pod-security-policy/capabilities/template.yaml
+++ b/library/pod-security-policy/capabilities/template.yaml
@@ -4,7 +4,7 @@ metadata:
name: k8spspcapabilities
annotations:
metadata.gatekeeper.sh/title: "Capabilities"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls Linux capabilities on containers. Corresponds to the
`allowedCapabilities` and `requiredDropCapabilities` fields in a
@@ -50,9 +50,13 @@ spec:
rego: |
package capabilities
+ import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg}] {
+ # spec.containers.securityContext.capabilities field is immutable.
+ not is_update(input.review)
+
container := input.review.object.spec.containers[_]
not is_exempt(container)
has_disallowed_capabilities(container)
@@ -60,6 +64,7 @@ spec:
}
violation[{"msg": msg}] {
+ not is_update(input.review)
container := input.review.object.spec.containers[_]
not is_exempt(container)
missing_drop_capabilities(container)
@@ -69,6 +74,7 @@ spec:
violation[{"msg": msg}] {
+ not is_update(input.review)
container := input.review.object.spec.initContainers[_]
not is_exempt(container)
has_disallowed_capabilities(container)
@@ -76,6 +82,7 @@ spec:
}
violation[{"msg": msg}] {
+ not is_update(input.review)
container := input.review.object.spec.initContainers[_]
not is_exempt(container)
missing_drop_capabilities(container)
@@ -85,6 +92,7 @@ spec:
violation[{"msg": msg}] {
+ not is_update(input.review)
container := input.review.object.spec.ephemeralContainers[_]
not is_exempt(container)
has_disallowed_capabilities(container)
@@ -92,6 +100,7 @@ spec:
}
violation[{"msg": msg}] {
+ not is_update(input.review)
container := input.review.object.spec.ephemeralContainers[_]
not is_exempt(container)
missing_drop_capabilities(container)
@@ -126,6 +135,12 @@ spec:
out = _default
}
libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
- |
package lib.exempt_container
diff --git a/library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/update.yaml b/library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/update.yaml
new file mode 100644
index 000000000..9358c6c5c
--- /dev/null
+++ b/library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/update.yaml
@@ -0,0 +1,23 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-flexvolume-driver-disallowed
+ labels:
+ app: nginx-flexvolume-driver
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /test
+ name: test-volume
+ readOnly: true
+ volumes:
+ - name: test-volume
+ flexVolume:
+ driver: "example/testdriver" #"example/lvm"
diff --git a/library/pod-security-policy/flexvolume-drivers/suite.yaml b/library/pod-security-policy/flexvolume-drivers/suite.yaml
index 1f4a4ef75..fe69966bd 100644
--- a/library/pod-security-policy/flexvolume-drivers/suite.yaml
+++ b/library/pod-security-policy/flexvolume-drivers/suite.yaml
@@ -15,3 +15,7 @@ tests:
object: samples/psp-flexvolume-drivers/example_disallowed.yaml
assertions:
- violations: yes
+ - name: update
+ object: samples/psp-flexvolume-drivers/update.yaml
+ assertions:
+ - violations: no
diff --git a/library/pod-security-policy/flexvolume-drivers/template.yaml b/library/pod-security-policy/flexvolume-drivers/template.yaml
index 7cb53e11f..c059681c9 100644
--- a/library/pod-security-policy/flexvolume-drivers/template.yaml
+++ b/library/pod-security-policy/flexvolume-drivers/template.yaml
@@ -4,7 +4,7 @@ metadata:
name: k8spspflexvolumes
annotations:
metadata.gatekeeper.sh/title: "FlexVolumes"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls the allowlist of FlexVolume drivers. Corresponds to the
`allowedFlexVolumes` field in PodSecurityPolicy. For more information,
@@ -39,7 +39,12 @@ spec:
rego: |
package k8spspflexvolumes
+ import data.lib.exclude_update.is_update
+
violation[{"msg": msg, "details": {}}] {
+ # spec.volumes field is immutable.
+ not is_update(input.review)
+
volume := input_flexvolumes[_]
not input_flexvolumes_allowed(volume)
msg := sprintf("FlexVolume %v is not allowed, pod: %v. Allowed drivers: %v", [volume, input.review.object.metadata.name, input.parameters.allowedFlexVolumes])
@@ -58,3 +63,10 @@ spec:
has_field(object, field) = true {
object[field]
}
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
diff --git a/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/update.yaml b/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/update.yaml
new file mode 100644
index 000000000..e4e732be9
--- /dev/null
+++ b/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/update.yaml
@@ -0,0 +1,21 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-forbidden-sysctls-disallowed
+ labels:
+ app: nginx-forbidden-sysctls
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ sysctls:
+ - name: kernel.msgmax
+ value: "65536"
+ - name: net.core.somaxconn
+ value: "1024"
diff --git a/library/pod-security-policy/forbidden-sysctls/suite.yaml b/library/pod-security-policy/forbidden-sysctls/suite.yaml
index bcc4caaae..d00f85b8b 100644
--- a/library/pod-security-policy/forbidden-sysctls/suite.yaml
+++ b/library/pod-security-policy/forbidden-sysctls/suite.yaml
@@ -15,3 +15,7 @@ tests:
object: samples/psp-forbidden-sysctls/example_allowed.yaml
assertions:
- violations: no
+ - name: update
+ object: samples/psp-forbidden-sysctls/update.yaml
+ assertions:
+ - violations: no
diff --git a/library/pod-security-policy/forbidden-sysctls/template.yaml b/library/pod-security-policy/forbidden-sysctls/template.yaml
index 1e6ee7f25..3d3c1d9a0 100644
--- a/library/pod-security-policy/forbidden-sysctls/template.yaml
+++ b/library/pod-security-policy/forbidden-sysctls/template.yaml
@@ -4,7 +4,7 @@ metadata:
name: k8spspforbiddensysctls
annotations:
metadata.gatekeeper.sh/title: "Forbidden Sysctls"
- metadata.gatekeeper.sh/version: 1.1.1
+ metadata.gatekeeper.sh/version: 1.1.2
description: >-
Controls the `sysctl` profile used by containers. Corresponds to the
`allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy.
@@ -42,8 +42,13 @@ spec:
rego: |
package k8spspforbiddensysctls
+ import data.lib.exclude_update.is_update
+
# Block if forbidden
violation[{"msg": msg, "details": {}}] {
+ # spec.securityContext.sysctls field is immutable.
+ not is_update(input.review)
+
sysctl := input.review.object.spec.securityContext.sysctls[_].name
forbidden_sysctl(sysctl)
msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls])
@@ -51,6 +56,7 @@ spec:
# Block if not explicitly allowed
violation[{"msg": msg, "details": {}}] {
+ not is_update(input.review)
sysctl := input.review.object.spec.securityContext.sysctls[_].name
not allowed_sysctl(sysctl)
msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])
@@ -85,3 +91,10 @@ spec:
endswith(allowed, "*")
startswith(sysctl, trim_suffix(allowed, "*"))
}
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
diff --git a/library/pod-security-policy/fsgroup/samples/psp-fsgroup/update.yaml b/library/pod-security-policy/fsgroup/samples/psp-fsgroup/update.yaml
new file mode 100644
index 000000000..c0de7258a
--- /dev/null
+++ b/library/pod-security-policy/fsgroup/samples/psp-fsgroup/update.yaml
@@ -0,0 +1,22 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: fsgroup-disallowed
+ spec:
+ securityContext:
+ fsGroup: 2000 # directory will have group ID 2000
+ volumes:
+ - name: fsgroup-demo-vol
+ emptyDir: {}
+ containers:
+ - name: fsgroup-demo
+ image: busybox
+ command: [ "sh", "-c", "sleep 1h" ]
+ volumeMounts:
+ - name: fsgroup-demo-vol
+ mountPath: /data/demo
diff --git a/library/pod-security-policy/fsgroup/suite.yaml b/library/pod-security-policy/fsgroup/suite.yaml
index f24cb6a35..cb102e785 100644
--- a/library/pod-security-policy/fsgroup/suite.yaml
+++ b/library/pod-security-policy/fsgroup/suite.yaml
@@ -15,3 +15,7 @@ tests:
object: samples/psp-fsgroup/example_allowed.yaml
assertions:
- violations: no
+ - name: update
+ object: samples/psp-fsgroup/update.yaml
+ assertions:
+ - violations: no
diff --git a/library/pod-security-policy/fsgroup/template.yaml b/library/pod-security-policy/fsgroup/template.yaml
index 0839855e2..d3f56af81 100644
--- a/library/pod-security-policy/fsgroup/template.yaml
+++ b/library/pod-security-policy/fsgroup/template.yaml
@@ -4,7 +4,7 @@ metadata:
name: k8spspfsgroup
annotations:
metadata.gatekeeper.sh/title: "FS Group"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls allocating an FSGroup that owns the Pod's volumes. Corresponds
to the `fsGroup` field in a PodSecurityPolicy. For more information, see
@@ -47,7 +47,12 @@ spec:
rego: |
package k8spspfsgroup
+ import data.lib.exclude_update.is_update
+
violation[{"msg": msg, "details": {}}] {
+ # spec.securityContext.fsGroup field is immutable.
+ not is_update(input.review)
+
spec := input.review.object.spec
not input_fsGroup_allowed(spec)
msg := sprintf("The provided pod spec fsGroup is not allowed, pod: %v. Allowed fsGroup: %v", [input.review.object.metadata.name, input.parameters])
@@ -91,3 +96,10 @@ spec:
has_field(object, field) = true {
object[field]
}
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
diff --git a/library/pod-security-policy/host-filesystem/samples/psp-host-filesystem/update.yaml b/library/pod-security-policy/host-filesystem/samples/psp-host-filesystem/update.yaml
new file mode 100644
index 000000000..68b28a536
--- /dev/null
+++ b/library/pod-security-policy/host-filesystem/samples/psp-host-filesystem/update.yaml
@@ -0,0 +1,23 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-host-filesystem
+ labels:
+ app: nginx-host-filesystem-disallowed
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ readOnly: true
+ volumes:
+ - name: cache-volume
+ hostPath:
+ path: /tmp # directory location on host
diff --git a/library/pod-security-policy/host-filesystem/suite.yaml b/library/pod-security-policy/host-filesystem/suite.yaml
index ec28e4ffc..5441df8cc 100644
--- a/library/pod-security-policy/host-filesystem/suite.yaml
+++ b/library/pod-security-policy/host-filesystem/suite.yaml
@@ -19,3 +19,7 @@ tests:
object: samples/psp-host-filesystem/disallowed_ephemeral.yaml
assertions:
- violations: yes
+ - name: update
+ object: samples/psp-host-filesystem/update.yaml
+ assertions:
+ - violations: no
diff --git a/library/pod-security-policy/host-filesystem/template.yaml b/library/pod-security-policy/host-filesystem/template.yaml
index c61305e91..2ef796fd4 100644
--- a/library/pod-security-policy/host-filesystem/template.yaml
+++ b/library/pod-security-policy/host-filesystem/template.yaml
@@ -4,7 +4,7 @@ metadata:
name: k8spsphostfilesystem
annotations:
metadata.gatekeeper.sh/title: "Host Filesystem"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls usage of the host filesystem. Corresponds to the
`allowedHostPaths` field in a PodSecurityPolicy. For more information,
@@ -42,7 +42,12 @@ spec:
rego: |
package k8spsphostfilesystem
+ import data.lib.exclude_update.is_update
+
violation[{"msg": msg, "details": {}}] {
+ # spec.volumes field is immutable.
+ not is_update(input.review)
+
volume := input_hostpath_volumes[_]
allowedPaths := get_allowed_paths(input)
input_hostpath_violation(allowedPaths, volume)
@@ -134,3 +139,10 @@ spec:
input_containers[c] {
c := input.review.object.spec.ephemeralContainers[_]
}
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
diff --git a/library/pod-security-policy/host-namespaces/samples/psp-host-namespace/update.yaml b/library/pod-security-policy/host-namespaces/samples/psp-host-namespace/update.yaml
new file mode 100644
index 000000000..29e17f13a
--- /dev/null
+++ b/library/pod-security-policy/host-namespaces/samples/psp-host-namespace/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-host-namespace-disallowed
+ labels:
+ app: nginx-host-namespace
+ spec:
+ hostPID: true
+ hostIPC: true
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/library/pod-security-policy/host-namespaces/suite.yaml b/library/pod-security-policy/host-namespaces/suite.yaml
index d274351ff..b8e853d5f 100644
--- a/library/pod-security-policy/host-namespaces/suite.yaml
+++ b/library/pod-security-policy/host-namespaces/suite.yaml
@@ -15,3 +15,7 @@ tests:
object: samples/psp-host-namespace/example_disallowed.yaml
assertions:
- violations: yes
+ - name: update
+ object: samples/psp-host-namespace/update.yaml
+ assertions:
+ - violations: no
diff --git a/library/pod-security-policy/host-namespaces/template.yaml b/library/pod-security-policy/host-namespaces/template.yaml
index 0f84e3481..a8b87e419 100644
--- a/library/pod-security-policy/host-namespaces/template.yaml
+++ b/library/pod-security-policy/host-namespaces/template.yaml
@@ -4,7 +4,7 @@ metadata:
name: k8spsphostnamespace
annotations:
metadata.gatekeeper.sh/title: "Host Namespace"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Disallows sharing of host PID and IPC namespaces by pod containers.
Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy.
@@ -29,7 +29,12 @@ spec:
rego: |
package k8spsphostnamespace
+ import data.lib.exclude_update.is_update
+
violation[{"msg": msg, "details": {}}] {
+ # spec.hostPID and spec.hostIPC fields are immutable.
+ not is_update(input.review)
+
input_share_hostnamespace(input.review.object)
msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name])
}
@@ -40,3 +45,10 @@ spec:
input_share_hostnamespace(o) {
o.spec.hostIPC
}
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
diff --git a/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/update.yaml b/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/update.yaml
new file mode 100644
index 000000000..231096430
--- /dev/null
+++ b/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/update.yaml
@@ -0,0 +1,19 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-host-networking-ports-disallowed
+ labels:
+ app: nginx-host-networking-ports
+ spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
diff --git a/library/pod-security-policy/host-network-ports/suite.yaml b/library/pod-security-policy/host-network-ports/suite.yaml
index 86593fc9d..710df69eb 100644
--- a/library/pod-security-policy/host-network-ports/suite.yaml
+++ b/library/pod-security-policy/host-network-ports/suite.yaml
@@ -19,3 +19,7 @@ tests:
object: samples/psp-host-network-ports/disallowed_ephemeral.yaml
assertions:
- violations: yes
+ - name: update
+ object: samples/psp-host-network-ports/update.yaml
+ assertions:
+ - violations: no
diff --git a/library/pod-security-policy/host-network-ports/template.yaml b/library/pod-security-policy/host-network-ports/template.yaml
index 12cbe960e..31a9d9e56 100644
--- a/library/pod-security-policy/host-network-ports/template.yaml
+++ b/library/pod-security-policy/host-network-ports/template.yaml
@@ -4,7 +4,7 @@ metadata:
name: k8spsphostnetworkingports
annotations:
metadata.gatekeeper.sh/title: "Host Networking Ports"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls usage of host network namespace by pod containers. Specific
ports must be specified. Corresponds to the `hostNetwork` and
@@ -49,9 +49,13 @@ spec:
rego: |
package k8spsphostnetworkingports
+ import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg, "details": {}}] {
+ # spec.hostNetwork field is immutable.
+ not is_update(input.review)
+
input_share_hostnetwork(input.review.object)
msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters])
}
@@ -86,6 +90,12 @@ spec:
not is_exempt(c)
}
libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
- |
package lib.exempt_container
diff --git a/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/update.yaml b/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/update.yaml
new file mode 100644
index 000000000..08f36044c
--- /dev/null
+++ b/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-privileged-disallowed
+ labels:
+ app: nginx-privileged
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: true
diff --git a/library/pod-security-policy/privileged-containers/suite.yaml b/library/pod-security-policy/privileged-containers/suite.yaml
index 593f96015..c2e484fc5 100644
--- a/library/pod-security-policy/privileged-containers/suite.yaml
+++ b/library/pod-security-policy/privileged-containers/suite.yaml
@@ -19,3 +19,7 @@ tests:
object: samples/psp-privileged-container/disallowed_ephemeral.yaml
assertions:
- violations: yes
+ - name: update
+ object: samples/psp-privileged-container/update.yaml
+ assertions:
+ - violations: no
diff --git a/library/pod-security-policy/privileged-containers/template.yaml b/library/pod-security-policy/privileged-containers/template.yaml
index e1434ebdd..c552c193d 100644
--- a/library/pod-security-policy/privileged-containers/template.yaml
+++ b/library/pod-security-policy/privileged-containers/template.yaml
@@ -4,7 +4,7 @@ metadata:
name: k8spspprivilegedcontainer
annotations:
metadata.gatekeeper.sh/title: "Privileged Container"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls the ability of any container to enable privileged mode.
Corresponds to the `privileged` field in a PodSecurityPolicy. For more
@@ -39,9 +39,13 @@ spec:
rego: |
package k8spspprivileged
+ import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg, "details": {}}] {
+ # spec.containers.privileged field is immutable.
+ not is_update(input.review)
+
c := input_containers[_]
not is_exempt(c)
c.securityContext.privileged
@@ -60,6 +64,12 @@ spec:
c := input.review.object.spec.ephemeralContainers[_]
}
libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
- |
package lib.exempt_container
diff --git a/library/pod-security-policy/proc-mount/samples/psp-proc-mount/update.yaml b/library/pod-security-policy/proc-mount/samples/psp-proc-mount/update.yaml
new file mode 100644
index 000000000..dc21b1142
--- /dev/null
+++ b/library/pod-security-policy/proc-mount/samples/psp-proc-mount/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-proc-mount-disallowed
+ labels:
+ app: nginx-proc-mount
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ procMount: Unmasked #Default
diff --git a/library/pod-security-policy/proc-mount/suite.yaml b/library/pod-security-policy/proc-mount/suite.yaml
index 26dd5eb0a..501493e14 100644
--- a/library/pod-security-policy/proc-mount/suite.yaml
+++ b/library/pod-security-policy/proc-mount/suite.yaml
@@ -19,3 +19,7 @@ tests:
object: samples/psp-proc-mount/disallowed_ephemeral.yaml
assertions:
- violations: yes
+ - name: update
+ object: samples/psp-proc-mount/update.yaml
+ assertions:
+ - violations: no
diff --git a/library/pod-security-policy/proc-mount/template.yaml b/library/pod-security-policy/proc-mount/template.yaml
index 1f238a7d3..bbf2244da 100644
--- a/library/pod-security-policy/proc-mount/template.yaml
+++ b/library/pod-security-policy/proc-mount/template.yaml
@@ -4,7 +4,7 @@ metadata:
name: k8spspprocmount
annotations:
metadata.gatekeeper.sh/title: "Proc Mount"
- metadata.gatekeeper.sh/version: 1.0.1
+ metadata.gatekeeper.sh/version: 1.0.2
description: >-
Controls the allowed `procMount` types for the container. Corresponds to
the `allowedProcMountTypes` field in a PodSecurityPolicy. For more
@@ -50,9 +50,13 @@ spec:
rego: |
package k8spspprocmount
+ import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg, "details": {}}] {
+ # spec.containers.securityContext.procMount field is immutable.
+ not is_update(input.review)
+
c := input_containers[_]
not is_exempt(c)
allowedProcMount := get_allowed_proc_mount(input)
@@ -106,6 +110,12 @@ spec:
lower(str) == "unmasked"
}
libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
- |
package lib.exempt_container
diff --git a/library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/update.yaml b/library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/update.yaml
new file mode 100644
index 000000000..b31ae5e3a
--- /dev/null
+++ b/library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/update.yaml
@@ -0,0 +1,17 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-readonlyrootfilesystem-disallowed
+ labels:
+ app: nginx-readonlyrootfilesystem
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ readOnlyRootFilesystem: false
diff --git a/library/pod-security-policy/read-only-root-filesystem/suite.yaml b/library/pod-security-policy/read-only-root-filesystem/suite.yaml
index 4df3de82f..db736886f 100644
--- a/library/pod-security-policy/read-only-root-filesystem/suite.yaml
+++ b/library/pod-security-policy/read-only-root-filesystem/suite.yaml
@@ -19,3 +19,7 @@ tests:
object: samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml
assertions:
- violations: yes
+ - name: update
+ object: samples/psp-readonlyrootfilesystem/update.yaml
+ assertions:
+ - violations: no
diff --git a/library/pod-security-policy/read-only-root-filesystem/template.yaml b/library/pod-security-policy/read-only-root-filesystem/template.yaml
index a98ab0094..bca12eeae 100644
--- a/library/pod-security-policy/read-only-root-filesystem/template.yaml
+++ b/library/pod-security-policy/read-only-root-filesystem/template.yaml
@@ -4,7 +4,7 @@ metadata:
name: k8spspreadonlyrootfilesystem
annotations:
metadata.gatekeeper.sh/title: "Read Only Root Filesystem"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Requires the use of a read-only root file system by pod containers.
Corresponds to the `readOnlyRootFilesystem` field in a
@@ -40,9 +40,13 @@ spec:
rego: |
package k8spspreadonlyrootfilesystem
+ import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg, "details": {}}] {
+ # spec.containers.readOnlyRootFilesystem field is immutable.
+ not is_update(input.review)
+
c := input_containers[_]
not is_exempt(c)
input_read_only_root_fs(c)
@@ -71,6 +75,12 @@ spec:
object[field]
}
libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
- |
package lib.exempt_container
diff --git a/library/pod-security-policy/selinux/samples/psp-selinux-v2/update.yaml b/library/pod-security-policy/selinux/samples/psp-selinux-v2/update.yaml
new file mode 100644
index 000000000..581419e9d
--- /dev/null
+++ b/library/pod-security-policy/selinux/samples/psp-selinux-v2/update.yaml
@@ -0,0 +1,21 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-selinux-disallowed
+ labels:
+ app: nginx-selinux
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ seLinuxOptions:
+ level: s1:c234,c567
+ user: sysadm_u
+ role: sysadm_r
+ type: svirt_lxc_net_t
diff --git a/library/pod-security-policy/selinux/suite.yaml b/library/pod-security-policy/selinux/suite.yaml
index f35a2f6a7..1bbaf360e 100644
--- a/library/pod-security-policy/selinux/suite.yaml
+++ b/library/pod-security-policy/selinux/suite.yaml
@@ -19,3 +19,7 @@ tests:
object: samples/psp-selinux-v2/disallowed_ephemeral.yaml
assertions:
- violations: yes
+ - name: update
+ object: samples/psp-selinux-v2/update.yaml
+ assertions:
+ - violations: no
diff --git a/library/pod-security-policy/selinux/template.yaml b/library/pod-security-policy/selinux/template.yaml
index fff3cda75..61729eceb 100644
--- a/library/pod-security-policy/selinux/template.yaml
+++ b/library/pod-security-policy/selinux/template.yaml
@@ -4,7 +4,7 @@ metadata:
name: k8spspselinuxv2
annotations:
metadata.gatekeeper.sh/title: "SELinux V2"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Defines an allow-list of seLinuxOptions configurations for pod
containers. Corresponds to a PodSecurityPolicy requiring SELinux configs.
@@ -59,16 +59,23 @@ spec:
rego: |
package k8spspselinux
+ import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
# Disallow top level custom SELinux options
violation[{"msg": msg, "details": {}}] {
+ # spec.securityContext.seLinuxOptions field is immutable.
+ not is_update(input.review)
+
has_field(input.review.object.spec.securityContext, "seLinuxOptions")
not input_seLinuxOptions_allowed(input.review.object.spec.securityContext.seLinuxOptions)
msg := sprintf("SELinux options is not allowed, pod: %v. Allowed options: %v", [input.review.object.metadata.name, input.parameters.allowedSELinuxOptions])
}
# Disallow container level custom SELinux options
violation[{"msg": msg, "details": {}}] {
+ # spec.containers.securityContext.seLinuxOptions field is immutable.
+ not is_update(input.review)
+
c := input_security_context[_]
not is_exempt(c)
has_field(c.securityContext, "seLinuxOptions")
@@ -109,6 +116,12 @@ spec:
object[field]
}
libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
- |
package lib.exempt_container
diff --git a/library/pod-security-policy/users/samples/psp-pods-allowed-user-ranges/update.yaml b/library/pod-security-policy/users/samples/psp-pods-allowed-user-ranges/update.yaml
new file mode 100644
index 000000000..6f4d3ed72
--- /dev/null
+++ b/library/pod-security-policy/users/samples/psp-pods-allowed-user-ranges/update.yaml
@@ -0,0 +1,22 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-users-disallowed
+ labels:
+ app: nginx-users
+ spec:
+ securityContext:
+ supplementalGroups:
+ - 250
+ fsGroup: 250
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ runAsUser: 250
+ runAsGroup: 250
diff --git a/library/pod-security-policy/users/suite.yaml b/library/pod-security-policy/users/suite.yaml
index 20528f68c..5c6e49640 100644
--- a/library/pod-security-policy/users/suite.yaml
+++ b/library/pod-security-policy/users/suite.yaml
@@ -19,3 +19,7 @@ tests:
object: samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml
assertions:
- violations: yes
+ - name: update
+ object: samples/psp-pods-allowed-user-ranges/update.yaml
+ assertions:
+ - violations: no
diff --git a/library/pod-security-policy/users/template.yaml b/library/pod-security-policy/users/template.yaml
index 0d22f23bf..1e572443e 100644
--- a/library/pod-security-policy/users/template.yaml
+++ b/library/pod-security-policy/users/template.yaml
@@ -4,7 +4,7 @@ metadata:
name: k8spspallowedusers
annotations:
metadata.gatekeeper.sh/title: "Allowed Users"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls the user and group IDs of the container and some volumes.
Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and
@@ -135,9 +135,13 @@ spec:
rego: |
package k8spspallowedusers
+ import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg}] {
+ # runAsUser, runAsGroup, supplementalGroups, fsGroup fields are immutable.
+ not is_update(input.review)
+
fields := ["runAsUser", "runAsGroup", "supplementalGroups", "fsGroup"]
field := fields[_]
container := input_containers[_]
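Review bot: Gating the whole `violation` rule on `not is_update(input.review)` also suppresses the check for `spec.ephemeralContainers`, which `input_containers` includes (see the context lines of the next hunk) and which are not immutable: they are added to a running Pod through the `ephemeralcontainers` subresource, and that request reaches admission as an UPDATE of the Pod object. If the webhook is configured to review that subresource, a debug container's `runAsUser`/`runAsGroup` would now pass unchecked; the same applies to the `ephemeralContainers` rules in `src/pod-security-policy/capabilities/src.rego` and, if their `input_containers` helpers also cover ephemeral containers, to allow-privilege-escalation and automount-serviceaccount-token. A narrower exclusion would keep `review.operation == "UPDATE"` in `is_update` and add `not review.subResource == "ephemeralcontainers"` (the `not ... ==` form matters: the field is absent on ordinary updates, and a bare `!=` would be undefined there and re-enable enforcement on every update), assuming Gatekeeper passes the AdmissionRequest's `subResource` through in `input.review` — confirm; alternatively the ephemeral-container rules could drop the guard. This template is generated from `src/`, so the change belongs in the corresponding `src.rego`, which is outside this chunk.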
@@ -260,6 +264,12 @@ spec:
c := input.review.object.spec.ephemeralContainers[_]
}
libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
- |
package lib.exempt_container
diff --git a/library/pod-security-policy/volumes/samples/psp-volume-types/update.yaml b/library/pod-security-policy/volumes/samples/psp-volume-types/update.yaml
new file mode 100644
index 000000000..f25f07267
--- /dev/null
+++ b/library/pod-security-policy/volumes/samples/psp-volume-types/update.yaml
@@ -0,0 +1,29 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-volume-types-disallowed
+ labels:
+ app: nginx-volume-types
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ - name: nginx2
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache2
+ name: demo-vol
+ volumes:
+ - name: cache-volume
+ hostPath:
+ path: /tmp # directory location on host
+ - name: demo-vol
+ emptyDir: {}
diff --git a/library/pod-security-policy/volumes/suite.yaml b/library/pod-security-policy/volumes/suite.yaml
index b8f91b5a4..083aad6eb 100644
--- a/library/pod-security-policy/volumes/suite.yaml
+++ b/library/pod-security-policy/volumes/suite.yaml
@@ -15,3 +15,7 @@ tests:
object: samples/psp-volume-types/example_allowed.yaml
assertions:
- violations: no
+ - name: update
+ object: samples/psp-volume-types/update.yaml
+ assertions:
+ - violations: no
diff --git a/library/pod-security-policy/volumes/template.yaml b/library/pod-security-policy/volumes/template.yaml
index 53f634632..458cb3178 100644
--- a/library/pod-security-policy/volumes/template.yaml
+++ b/library/pod-security-policy/volumes/template.yaml
@@ -4,7 +4,7 @@ metadata:
name: k8spspvolumetypes
annotations:
metadata.gatekeeper.sh/title: "Volume Types"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Restricts mountable volume types to those specified by the user.
Corresponds to the `volumes` field in a PodSecurityPolicy. For more
@@ -35,7 +35,12 @@ spec:
rego: |
package k8spspvolumetypes
+ import data.lib.exclude_update.is_update
+
violation[{"msg": msg, "details": {}}] {
+ # spec.volumes field is immutable.
+ not is_update(input.review)
+
volume_fields := {x | input.review.object.spec.volumes[_][x]; x != "name"}
field := volume_fields[_]
not input_volume_type_allowed(field)
@@ -50,3 +55,10 @@ spec:
input_volume_type_allowed(field) {
field == input.parameters.volumes[_]
}
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
diff --git a/src/general/automount-serviceaccount-token/constraint.tmpl b/src/general/automount-serviceaccount-token/constraint.tmpl
index b5fec0dd3..9b5a9531b 100644
--- a/src/general/automount-serviceaccount-token/constraint.tmpl
+++ b/src/general/automount-serviceaccount-token/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
name: k8spspautomountserviceaccounttokenpod
annotations:
metadata.gatekeeper.sh/title: "Automount Service Account Token for Pod"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls the ability of any Pod to enable automountServiceAccountToken.
spec:
@@ -21,3 +21,6 @@ spec:
- target: admission.k8s.gatekeeper.sh
rego: |
{{ file.Read "src/general/automount-serviceaccount-token/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
+ libs:
+ - |
+{{ file.Read "src/general/automount-serviceaccount-token/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/general/automount-serviceaccount-token/lib_exclude_update.rego b/src/general/automount-serviceaccount-token/lib_exclude_update.rego
new file mode 100644
index 000000000..96433d78a
--- /dev/null
+++ b/src/general/automount-serviceaccount-token/lib_exclude_update.rego
@@ -0,0 +1,5 @@
+package lib.exclude_update
+
+is_update(review) {
+ review.operation == "UPDATE"
+}
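Review bot: `is_update` carries no comment on its behaviour when `review.operation` is absent: the comparison is then undefined, so the rule is undefined and a caller's `not is_update(input.review)` succeeds, meaning the policy is still enforced for reviews without an operation (audit-generated reviews and test fixtures that omit it, if that is how Gatekeeper populates them — confirm). That fail-closed property is what every `violation` rule in this commit relies on, and a later rewrite such as `review.operation != "CREATE"` would silently invert it, so it is worth stating. Suggested header comment above the rule: `# Holds only for admission reviews whose operation is UPDATE. Undefined when review.operation is absent, so a not-is_update guard still enforces on such reviews.` The same file is added under each policy directory in this commit (identical blob), so the comment belongs in every copy.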
diff --git a/src/general/automount-serviceaccount-token/src.rego b/src/general/automount-serviceaccount-token/src.rego
index 88fd1aec9..55f6f43a7 100644
--- a/src/general/automount-serviceaccount-token/src.rego
+++ b/src/general/automount-serviceaccount-token/src.rego
@@ -1,6 +1,11 @@
package k8sautomountserviceaccounttoken
+import data.lib.exclude_update.is_update
+
violation[{"msg": msg}] {
+ # spec.automountServiceAccountToken and spec.containers.volumeMounts fields are immutable.
+ not is_update(input.review)
+
obj := input.review.object
mountServiceAccountToken(obj.spec)
msg := sprintf("Automounting service account token is disallowed, pod: %v", [obj.metadata.name])
diff --git a/src/general/automount-serviceaccount-token/src_test.rego b/src/general/automount-serviceaccount-token/src_test.rego
index 5c3075dec..ec2c75ea2 100644
--- a/src/general/automount-serviceaccount-token/src_test.rego
+++ b/src/general/automount-serviceaccount-token/src_test.rego
@@ -18,6 +18,12 @@ test_input_pod_automountserviceaccounttoken_not_defined {
count(results) > 0
}
+test_update {
+ input := {"review": object.union(input_review_enabled_automountserviceaccounttoken, {"operation": "UPDATE"})}
+ results := violation with input as input
+ count(results) == 0
+}
+
input_review_disabled_automountserviceaccounttoken = {"object": {
"metadata": {"name": "nginx"},
"spec": {
diff --git a/src/general/ephemeralstoragelimit/constraint.tmpl b/src/general/ephemeralstoragelimit/constraint.tmpl
index a97cbfef8..827b6bd52 100644
--- a/src/general/ephemeralstoragelimit/constraint.tmpl
+++ b/src/general/ephemeralstoragelimit/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
name: k8scontainerephemeralstoragelimit
annotations:
metadata.gatekeeper.sh/title: "Container ephemeral storage limit"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Requires containers to have an ephemeral storage limit set and constrains
the limit to be within the specified maximum values.
@@ -39,4 +39,6 @@ spec:
{{ file.Read "src/general/ephemeralstoragelimit/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
libs:
- |
+{{ file.Read "src/general/ephemeralstoragelimit/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
+ - |
{{ file.Read "src/general/ephemeralstoragelimit/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/general/ephemeralstoragelimit/lib_exclude_update.rego b/src/general/ephemeralstoragelimit/lib_exclude_update.rego
new file mode 100644
index 000000000..96433d78a
--- /dev/null
+++ b/src/general/ephemeralstoragelimit/lib_exclude_update.rego
@@ -0,0 +1,5 @@
+package lib.exclude_update
+
+is_update(review) {
+ review.operation == "UPDATE"
+}
diff --git a/src/general/ephemeralstoragelimit/src.rego b/src/general/ephemeralstoragelimit/src.rego
index e42f048e5..88100fbf5 100644
--- a/src/general/ephemeralstoragelimit/src.rego
+++ b/src/general/ephemeralstoragelimit/src.rego
@@ -1,5 +1,6 @@
package k8scontainerephemeralstoragelimit
+import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
missing(obj, field) = true {
@@ -112,10 +113,14 @@ canonify_storage(orig) = new {
}
violation[{"msg": msg}] {
+ # spec.containers.resources.limits["ephemeral-storage"] field is immutable.
+ not is_update(input.review)
+
general_violation[{"msg": msg, "field": "containers"}]
}
violation[{"msg": msg}] {
+ not is_update(input.review)
general_violation[{"msg": msg, "field": "initContainers"}]
}
diff --git a/src/general/ephemeralstoragelimit/src_test.rego b/src/general/ephemeralstoragelimit/src_test.rego
index bcd4625b6..c2ede0c4d 100644
--- a/src/general/ephemeralstoragelimit/src_test.rego
+++ b/src/general/ephemeralstoragelimit/src_test.rego
@@ -147,6 +147,11 @@ test_input_violations_eph_Ei_with_exemption {
results := violation with input as input
count(results) == 0
}
+test_update {
+ input := {"review": object.union(review([ctr("a", 4096)]), {"operation": "UPDATE"}), "parameters": {"ephemeral-storage": "2048"}}
+ results := violation with input as input
+ count(results) == 0
+}
review(containers) = output {
output = {
diff --git a/src/general/requiredprobes/constraint.tmpl b/src/general/requiredprobes/constraint.tmpl
index 6b81857dc..7ebfbb77a 100644
--- a/src/general/requiredprobes/constraint.tmpl
+++ b/src/general/requiredprobes/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
name: k8srequiredprobes
annotations:
metadata.gatekeeper.sh/title: "Required Probes"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: Requires Pods to have readiness and/or liveness probes.
spec:
crd:
@@ -29,3 +29,6 @@ spec:
- target: admission.k8s.gatekeeper.sh
rego: |
{{ file.Read "src/general/requiredprobes/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
+ libs:
+ - |
+{{ file.Read "src/general/requiredprobes/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/general/requiredprobes/lib_exclude_update.rego b/src/general/requiredprobes/lib_exclude_update.rego
new file mode 100644
index 000000000..96433d78a
--- /dev/null
+++ b/src/general/requiredprobes/lib_exclude_update.rego
@@ -0,0 +1,5 @@
+package lib.exclude_update
+
+is_update(review) {
+ review.operation == "UPDATE"
+}
diff --git a/src/general/requiredprobes/src.rego b/src/general/requiredprobes/src.rego
index 532b036d7..b94ca6f2c 100644
--- a/src/general/requiredprobes/src.rego
+++ b/src/general/requiredprobes/src.rego
@@ -1,10 +1,15 @@
package k8srequiredprobes
+import data.lib.exclude_update.is_update
+
probe_type_set = probe_types {
probe_types := {type | type := input.parameters.probeTypes[_]}
}
violation[{"msg": msg}] {
+ # Probe fields are immutable.
+ not is_update(input.review)
+
container := input.review.object.spec.containers[_]
probe := input.parameters.probes[_]
probe_is_missing(container, probe)
diff --git a/src/general/requiredprobes/src_test.rego b/src/general/requiredprobes/src_test.rego
index a860b2e46..0ad2676e2 100644
--- a/src/general/requiredprobes/src_test.rego
+++ b/src/general/requiredprobes/src_test.rego
@@ -335,6 +335,14 @@ test_two_ctrs_empty_liveness_in_ctr_two_both_empty_probes_in_ctr_one {
count(results) == 3
}
+test_update {
+ kind := kinds[_]
+ input := {"review": object.union(review([{"name": "my-container","image": "my-image:latest", "livenessProbe": {"tcpSocket": {"port":80}}}]), {"operation": "UPDATE"}),
+ "parameters": parameters}
+ results := violation with input as input
+ count(results) == 0
+}
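Review bot: `kind := kinds[_]` in `test_update` is assigned but never used in the rule body, so the test outcome does not depend on it and the iteration only multiplies the same check; if the repository runs `opa check --strict`, unused local assignments are reported as errors. Either drop the line, or, if the intent was to exercise each kind, feed it into the review as other tests in this file may do (`review(containers)` as shown takes only containers). A minor spacing nit on the same input literal: `"my-container", "image"`.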
+
review(containers) = obj {
obj = {
"kind": {
diff --git a/src/pod-security-policy/allow-privilege-escalation/constraint.tmpl b/src/pod-security-policy/allow-privilege-escalation/constraint.tmpl
index 3c6abdfe3..e5f6f323f 100644
--- a/src/pod-security-policy/allow-privilege-escalation/constraint.tmpl
+++ b/src/pod-security-policy/allow-privilege-escalation/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
name: k8spspallowprivilegeescalationcontainer
annotations:
metadata.gatekeeper.sh/title: "Allow Privilege Escalation in Container"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls restricting escalation to root privileges. Corresponds to the
`allowPrivilegeEscalation` field in a PodSecurityPolicy. For more
@@ -40,4 +40,6 @@ spec:
{{ file.Read "src/pod-security-policy/allow-privilege-escalation/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
libs:
- |
+{{ file.Read "src/pod-security-policy/allow-privilege-escalation/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
+ - |
{{ file.Read "src/pod-security-policy/allow-privilege-escalation/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/pod-security-policy/allow-privilege-escalation/lib_exclude_update.rego b/src/pod-security-policy/allow-privilege-escalation/lib_exclude_update.rego
new file mode 100644
index 000000000..96433d78a
--- /dev/null
+++ b/src/pod-security-policy/allow-privilege-escalation/lib_exclude_update.rego
@@ -0,0 +1,5 @@
+package lib.exclude_update
+
+is_update(review) {
+ review.operation == "UPDATE"
+}
diff --git a/src/pod-security-policy/allow-privilege-escalation/src.rego b/src/pod-security-policy/allow-privilege-escalation/src.rego
index 7c16226c1..7c9d74bc1 100644
--- a/src/pod-security-policy/allow-privilege-escalation/src.rego
+++ b/src/pod-security-policy/allow-privilege-escalation/src.rego
@@ -1,8 +1,12 @@
package k8spspallowprivilegeescalationcontainer
+import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg, "details": {}}] {
+ # spec.containers.securityContext.allowPrivilegeEscalation field is immutable.
+ not is_update(input.review)
+
c := input_containers[_]
not is_exempt(c)
input_allow_privilege_escalation(c)
diff --git a/src/pod-security-policy/allow-privilege-escalation/src_test.rego b/src/pod-security-policy/allow-privilege-escalation/src_test.rego
index bd3fa88e7..a8e380d1f 100644
--- a/src/pod-security-policy/allow-privilege-escalation/src_test.rego
+++ b/src/pod-security-policy/allow-privilege-escalation/src_test.rego
@@ -40,6 +40,11 @@ test_input_container_many_mixed_privilege_escalation_not_allowed_two {
results := violation with input as input
count(results) == 2
}
+test_update {
+ input := { "review": object.union(input_review_priv, {"operation": "UPDATE"})}
+ results := violation with input as input
+ count(results) == 0
+}
input_review = {
"object": {
diff --git a/src/pod-security-policy/capabilities/constraint.tmpl b/src/pod-security-policy/capabilities/constraint.tmpl
index a7220f46c..88bd9e262 100644
--- a/src/pod-security-policy/capabilities/constraint.tmpl
+++ b/src/pod-security-policy/capabilities/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
name: k8spspcapabilities
annotations:
metadata.gatekeeper.sh/title: "Capabilities"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls Linux capabilities on containers. Corresponds to the
`allowedCapabilities` and `requiredDropCapabilities` fields in a
@@ -51,4 +51,6 @@ spec:
{{ file.Read "src/pod-security-policy/capabilities/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
libs:
- |
+{{ file.Read "src/pod-security-policy/capabilities/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
+ - |
{{ file.Read "src/pod-security-policy/capabilities/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/pod-security-policy/capabilities/lib_exclude_update.rego b/src/pod-security-policy/capabilities/lib_exclude_update.rego
new file mode 100644
index 000000000..96433d78a
--- /dev/null
+++ b/src/pod-security-policy/capabilities/lib_exclude_update.rego
@@ -0,0 +1,5 @@
+package lib.exclude_update
+
+is_update(review) {
+ review.operation == "UPDATE"
+}
diff --git a/src/pod-security-policy/capabilities/src.rego b/src/pod-security-policy/capabilities/src.rego
index 95e4fb529..b60b26a3f 100644
--- a/src/pod-security-policy/capabilities/src.rego
+++ b/src/pod-security-policy/capabilities/src.rego
@@ -1,8 +1,12 @@
package capabilities
+import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg}] {
+ # spec.containers.securityContext.capabilities field is immutable.
+ not is_update(input.review)
+
container := input.review.object.spec.containers[_]
not is_exempt(container)
has_disallowed_capabilities(container)
@@ -10,6 +14,7 @@ violation[{"msg": msg}] {
}
violation[{"msg": msg}] {
+ not is_update(input.review)
container := input.review.object.spec.containers[_]
not is_exempt(container)
missing_drop_capabilities(container)
@@ -19,6 +24,7 @@ violation[{"msg": msg}] {
violation[{"msg": msg}] {
+ not is_update(input.review)
container := input.review.object.spec.initContainers[_]
not is_exempt(container)
has_disallowed_capabilities(container)
@@ -26,6 +32,7 @@ violation[{"msg": msg}] {
}
violation[{"msg": msg}] {
+ not is_update(input.review)
container := input.review.object.spec.initContainers[_]
not is_exempt(container)
missing_drop_capabilities(container)
@@ -35,6 +42,7 @@ violation[{"msg": msg}] {
violation[{"msg": msg}] {
+ not is_update(input.review)
container := input.review.object.spec.ephemeralContainers[_]
not is_exempt(container)
has_disallowed_capabilities(container)
@@ -42,6 +50,7 @@ violation[{"msg": msg}] {
}
violation[{"msg": msg}] {
+ not is_update(input.review)
container := input.review.object.spec.ephemeralContainers[_]
not is_exempt(container)
missing_drop_capabilities(container)
diff --git a/src/pod-security-policy/capabilities/src_test.rego b/src/pod-security-policy/capabilities/src_test.rego
index 4de431a5d..6158a3eea 100644
--- a/src/pod-security-policy/capabilities/src_test.rego
+++ b/src/pod-security-policy/capabilities/src_test.rego
@@ -134,6 +134,12 @@ test_input_drop_literal_all_x2 {
count(results) == 0
}
+test_update {
+ input := { "review": object.union(input_review([cadd(["one"])]), {"operation": "UPDATE"}), "parameters": {"allowedCapabilities": []}}
+ results := violation with input as input
+ count(results) == 0
+}
+
# init containers
test_input_all_allowed {
input := { "review": input_init_review([cadd(["one", "two"])]), "parameters": {"allowedCapabilities": ["*"]}}
diff --git a/src/pod-security-policy/flexvolume-drivers/constraint.tmpl b/src/pod-security-policy/flexvolume-drivers/constraint.tmpl
index 609f4c3aa..e0a7b51df 100644
--- a/src/pod-security-policy/flexvolume-drivers/constraint.tmpl
+++ b/src/pod-security-policy/flexvolume-drivers/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
name: k8spspflexvolumes
annotations:
metadata.gatekeeper.sh/title: "FlexVolumes"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls the allowlist of FlexVolume drivers. Corresponds to the
`allowedFlexVolumes` field in PodSecurityPolicy. For more information,
@@ -38,3 +38,6 @@ spec:
- target: admission.k8s.gatekeeper.sh
rego: |
{{ file.Read "src/pod-security-policy/flexvolume-drivers/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
+ libs:
+ - |
+{{ file.Read "src/pod-security-policy/flexvolume-drivers/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/pod-security-policy/flexvolume-drivers/lib_exclude_update.rego b/src/pod-security-policy/flexvolume-drivers/lib_exclude_update.rego
new file mode 100644
index 000000000..96433d78a
--- /dev/null
+++ b/src/pod-security-policy/flexvolume-drivers/lib_exclude_update.rego
@@ -0,0 +1,5 @@
+package lib.exclude_update
+
+is_update(review) {
+ review.operation == "UPDATE"
+}
diff --git a/src/pod-security-policy/flexvolume-drivers/src.rego b/src/pod-security-policy/flexvolume-drivers/src.rego
index b729e221b..1d42653c1 100644
--- a/src/pod-security-policy/flexvolume-drivers/src.rego
+++ b/src/pod-security-policy/flexvolume-drivers/src.rego
@@ -1,6 +1,11 @@
package k8spspflexvolumes
+import data.lib.exclude_update.is_update
+
violation[{"msg": msg, "details": {}}] {
+ # spec.volumes field is immutable.
+ not is_update(input.review)
+
volume := input_flexvolumes[_]
not input_flexvolumes_allowed(volume)
msg := sprintf("FlexVolume %v is not allowed, pod: %v. Allowed drivers: %v", [volume, input.review.object.metadata.name, input.parameters.allowedFlexVolumes])
diff --git a/src/pod-security-policy/flexvolume-drivers/src_test.rego b/src/pod-security-policy/flexvolume-drivers/src_test.rego
index 590ee49a0..3b8eb69be 100644
--- a/src/pod-security-policy/flexvolume-drivers/src_test.rego
+++ b/src/pod-security-policy/flexvolume-drivers/src_test.rego
@@ -54,6 +54,12 @@ test_input_flexvolume_many_mixed_allowed {
count(results) == 1
}
+test_update {
+ input := { "review": object.union(input_review, {"operation": "UPDATE"}), "parameters": input_parameters_empty}
+ results := violation with input as input
+ count(results) == 0
+}
+
input_review = {
"object": {
"metadata": {
diff --git a/src/pod-security-policy/forbidden-sysctls/constraint.tmpl b/src/pod-security-policy/forbidden-sysctls/constraint.tmpl
index 97c294a70..91cecf030 100644
--- a/src/pod-security-policy/forbidden-sysctls/constraint.tmpl
+++ b/src/pod-security-policy/forbidden-sysctls/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
name: k8spspforbiddensysctls
annotations:
metadata.gatekeeper.sh/title: "Forbidden Sysctls"
- metadata.gatekeeper.sh/version: 1.1.1
+ metadata.gatekeeper.sh/version: 1.1.2
description: >-
Controls the `sysctl` profile used by containers. Corresponds to the
`allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy.
@@ -41,3 +41,6 @@ spec:
- target: admission.k8s.gatekeeper.sh
rego: |
{{ file.Read "src/pod-security-policy/forbidden-sysctls/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
+ libs:
+ - |
+{{ file.Read "src/pod-security-policy/forbidden-sysctls/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/pod-security-policy/forbidden-sysctls/lib_exclude_update.rego b/src/pod-security-policy/forbidden-sysctls/lib_exclude_update.rego
new file mode 100644
index 000000000..96433d78a
--- /dev/null
+++ b/src/pod-security-policy/forbidden-sysctls/lib_exclude_update.rego
@@ -0,0 +1,5 @@
+package lib.exclude_update
+
+is_update(review) {
+ review.operation == "UPDATE"
+}
diff --git a/src/pod-security-policy/forbidden-sysctls/src.rego b/src/pod-security-policy/forbidden-sysctls/src.rego
index 5675fc95c..359dd44c7 100644
--- a/src/pod-security-policy/forbidden-sysctls/src.rego
+++ b/src/pod-security-policy/forbidden-sysctls/src.rego
@@ -1,7 +1,12 @@
package k8spspforbiddensysctls
+import data.lib.exclude_update.is_update
+
# Block if forbidden
violation[{"msg": msg, "details": {}}] {
+ # spec.securityContext.sysctls field is immutable.
+ not is_update(input.review)
+
sysctl := input.review.object.spec.securityContext.sysctls[_].name
forbidden_sysctl(sysctl)
msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls])
@@ -9,6 +14,7 @@ violation[{"msg": msg, "details": {}}] {
# Block if not explicitly allowed
violation[{"msg": msg, "details": {}}] {
+ not is_update(input.review)
sysctl := input.review.object.spec.securityContext.sysctls[_].name
not allowed_sysctl(sysctl)
msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])
diff --git a/src/pod-security-policy/forbidden-sysctls/src_test.rego b/src/pod-security-policy/forbidden-sysctls/src_test.rego
index 5a299028d..d2bd78027 100644
--- a/src/pod-security-policy/forbidden-sysctls/src_test.rego
+++ b/src/pod-security-policy/forbidden-sysctls/src_test.rego
@@ -153,6 +153,12 @@ test_input_sysctls_allowed_and_forbidden {
count(results) == 2
}
+test_update {
+ input := { "review": object.union(input_review, {"operation": "UPDATE"}), "parameters": input_parameters_wildcard}
+ results := violation with input as input
+ count(results) == 0
+}
+
input_review = {
"object": {
"metadata": {
diff --git a/src/pod-security-policy/fsgroup/constraint.tmpl b/src/pod-security-policy/fsgroup/constraint.tmpl
index 259927c9f..34a8b2a99 100644
--- a/src/pod-security-policy/fsgroup/constraint.tmpl
+++ b/src/pod-security-policy/fsgroup/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
name: k8spspfsgroup
annotations:
metadata.gatekeeper.sh/title: "FS Group"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls allocating an FSGroup that owns the Pod's volumes. Corresponds
to the `fsGroup` field in a PodSecurityPolicy. For more information, see
@@ -46,3 +46,6 @@ spec:
- target: admission.k8s.gatekeeper.sh
rego: |
{{ file.Read "src/pod-security-policy/fsgroup/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
+ libs:
+ - |
+{{ file.Read "src/pod-security-policy/fsgroup/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/pod-security-policy/fsgroup/lib_exclude_update.rego b/src/pod-security-policy/fsgroup/lib_exclude_update.rego
new file mode 100644
index 000000000..96433d78a
--- /dev/null
+++ b/src/pod-security-policy/fsgroup/lib_exclude_update.rego
@@ -0,0 +1,5 @@
+package lib.exclude_update
+
+is_update(review) {
+ review.operation == "UPDATE"
+}
diff --git a/src/pod-security-policy/fsgroup/src.rego b/src/pod-security-policy/fsgroup/src.rego
index 021e7c561..23690a0de 100644
--- a/src/pod-security-policy/fsgroup/src.rego
+++ b/src/pod-security-policy/fsgroup/src.rego
@@ -1,6 +1,11 @@
package k8spspfsgroup
+import data.lib.exclude_update.is_update
+
violation[{"msg": msg, "details": {}}] {
+ # spec.securityContext.fsGroup field is immutable.
+ not is_update(input.review)
+
spec := input.review.object.spec
not input_fsGroup_allowed(spec)
msg := sprintf("The provided pod spec fsGroup is not allowed, pod: %v. Allowed fsGroup: %v", [input.review.object.metadata.name, input.parameters])
diff --git a/src/pod-security-policy/fsgroup/src_test.rego b/src/pod-security-policy/fsgroup/src_test.rego
index ca3c1910f..51fcf59f7 100644
--- a/src/pod-security-policy/fsgroup/src_test.rego
+++ b/src/pod-security-policy/fsgroup/src_test.rego
@@ -50,6 +50,11 @@ test_input_securitycontext_no_fsgroup_MayRunAs_allowed {
results := violation with input as input
count(results) == 0
}
+test_update {
+ input := { "review": object.union(input_review_with_fsgroup, {"operation": "UPDATE"}), "parameters": input_parameters_in_list_mustrunas_outofrange}
+ results := violation with input as input
+ count(results) == 0
+}
input_review = {
"object": {
diff --git a/src/pod-security-policy/host-filesystem/constraint.tmpl b/src/pod-security-policy/host-filesystem/constraint.tmpl
index 24dd21682..39af451e1 100644
--- a/src/pod-security-policy/host-filesystem/constraint.tmpl
+++ b/src/pod-security-policy/host-filesystem/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
name: k8spsphostfilesystem
annotations:
metadata.gatekeeper.sh/title: "Host Filesystem"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls usage of the host filesystem. Corresponds to the
`allowedHostPaths` field in a PodSecurityPolicy. For more information,
@@ -41,3 +41,6 @@ spec:
- target: admission.k8s.gatekeeper.sh
rego: |
{{ file.Read "src/pod-security-policy/host-filesystem/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
+ libs:
+ - |
+{{ file.Read "src/pod-security-policy/host-filesystem/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/pod-security-policy/host-filesystem/lib_exclude_update.rego b/src/pod-security-policy/host-filesystem/lib_exclude_update.rego
new file mode 100644
index 000000000..96433d78a
--- /dev/null
+++ b/src/pod-security-policy/host-filesystem/lib_exclude_update.rego
@@ -0,0 +1,5 @@
+package lib.exclude_update
+
+is_update(review) {
+ review.operation == "UPDATE"
+}
diff --git a/src/pod-security-policy/host-filesystem/src.rego b/src/pod-security-policy/host-filesystem/src.rego
index 3e5ab3b8d..53b140816 100644
--- a/src/pod-security-policy/host-filesystem/src.rego
+++ b/src/pod-security-policy/host-filesystem/src.rego
@@ -1,6 +1,11 @@
package k8spsphostfilesystem
+import data.lib.exclude_update.is_update
+
violation[{"msg": msg, "details": {}}] {
+ # spec.volumes field is immutable.
+ not is_update(input.review)
+
volume := input_hostpath_volumes[_]
allowedPaths := get_allowed_paths(input)
input_hostpath_violation(allowedPaths, volume)
diff --git a/src/pod-security-policy/host-filesystem/src_test.rego b/src/pod-security-policy/host-filesystem/src_test.rego
index 764f1c6bf..1e85733c3 100644
--- a/src/pod-security-policy/host-filesystem/src_test.rego
+++ b/src/pod-security-policy/host-filesystem/src_test.rego
@@ -105,6 +105,11 @@ test_input_hostpath_allowed_mixed_writable_mixed_parameters {
results := violation with input as input
count(results) == 0
}
+test_update {
+ input := { "review": object.union(input_review, {"operation": "UPDATE"}), "parameters": input_parameters_empty}
+ results := violation with input as input
+ count(results) == 0
+}
# Init Containers
diff --git a/src/pod-security-policy/host-namespaces/constraint.tmpl b/src/pod-security-policy/host-namespaces/constraint.tmpl
index 330e67ee9..7ee044381 100644
--- a/src/pod-security-policy/host-namespaces/constraint.tmpl
+++ b/src/pod-security-policy/host-namespaces/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
name: k8spsphostnamespace
annotations:
metadata.gatekeeper.sh/title: "Host Namespace"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Disallows sharing of host PID and IPC namespaces by pod containers.
Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy.
@@ -28,3 +28,6 @@ spec:
- target: admission.k8s.gatekeeper.sh
rego: |
{{ file.Read "src/pod-security-policy/host-namespaces/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
+ libs:
+ - |
+{{ file.Read "src/pod-security-policy/host-namespaces/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/pod-security-policy/host-namespaces/lib_exclude_update.rego b/src/pod-security-policy/host-namespaces/lib_exclude_update.rego
new file mode 100644
index 000000000..96433d78a
--- /dev/null
+++ b/src/pod-security-policy/host-namespaces/lib_exclude_update.rego
@@ -0,0 +1,5 @@
+package lib.exclude_update
+
+is_update(review) {
+ review.operation == "UPDATE"
+}
diff --git a/src/pod-security-policy/host-namespaces/src.rego b/src/pod-security-policy/host-namespaces/src.rego
index 3f6012fe3..af50c1cb8 100644
--- a/src/pod-security-policy/host-namespaces/src.rego
+++ b/src/pod-security-policy/host-namespaces/src.rego
@@ -1,6 +1,11 @@
package k8spsphostnamespace
+import data.lib.exclude_update.is_update
+
violation[{"msg": msg, "details": {}}] {
+ # spec.hostPID and spec.hostIPC fields are immutable.
+ not is_update(input.review)
+
input_share_hostnamespace(input.review.object)
msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name])
}
diff --git a/src/pod-security-policy/host-namespaces/src_test.rego b/src/pod-security-policy/host-namespaces/src_test.rego
index dab022864..f5c13e774 100644
--- a/src/pod-security-policy/host-namespaces/src_test.rego
+++ b/src/pod-security-policy/host-namespaces/src_test.rego
@@ -20,6 +20,11 @@ test_input_hostnamespace_both_not_allowed {
results := violation with input as input
count(results) > 0
}
+test_update {
+ input := { "review": object.union(input_review_hostPID, {"operation": "UPDATE"})}
+ results := violation with input as input
+ count(results) == 0
+}
input_review = {
"object": {
diff --git a/src/pod-security-policy/host-network-ports/constraint.tmpl b/src/pod-security-policy/host-network-ports/constraint.tmpl
index 9d32025e8..abf6653c0 100644
--- a/src/pod-security-policy/host-network-ports/constraint.tmpl
+++ b/src/pod-security-policy/host-network-ports/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
name: k8spsphostnetworkingports
annotations:
metadata.gatekeeper.sh/title: "Host Networking Ports"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls usage of host network namespace by pod containers. Specific
ports must be specified. Corresponds to the `hostNetwork` and
@@ -50,4 +50,6 @@ spec:
{{ file.Read "src/pod-security-policy/host-network-ports/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
libs:
- |
+{{ file.Read "src/pod-security-policy/host-network-ports/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
+ - |
{{ file.Read "src/pod-security-policy/host-network-ports/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/pod-security-policy/host-network-ports/lib_exclude_update.rego b/src/pod-security-policy/host-network-ports/lib_exclude_update.rego
new file mode 100644
index 000000000..96433d78a
--- /dev/null
+++ b/src/pod-security-policy/host-network-ports/lib_exclude_update.rego
@@ -0,0 +1,5 @@
+package lib.exclude_update
+
+is_update(review) {
+ review.operation == "UPDATE"
+}
diff --git a/src/pod-security-policy/host-network-ports/src.rego b/src/pod-security-policy/host-network-ports/src.rego
index bc5b5b0e7..1038815c8 100644
--- a/src/pod-security-policy/host-network-ports/src.rego
+++ b/src/pod-security-policy/host-network-ports/src.rego
@@ -1,8 +1,12 @@
package k8spsphostnetworkingports
+import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg, "details": {}}] {
+ # spec.hostNetwork field is immutable.
+ not is_update(input.review)
+
input_share_hostnetwork(input.review.object)
msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters])
}
diff --git a/src/pod-security-policy/host-network-ports/src_test.rego b/src/pod-security-policy/host-network-ports/src_test.rego
index b467c6aa3..0e54e11d4 100644
--- a/src/pod-security-policy/host-network-ports/src_test.rego
+++ b/src/pod-security-policy/host-network-ports/src_test.rego
@@ -41,6 +41,11 @@ test_input_with_hostnetwork_container_ports_not_allowed_but_exempt {
trace(sprintf("%v", [results]))
count(results) == 0
}
+test_update {
+ input := { "review": object.union(input_review_no_hostnetwork_container_ports_outofrange, {"operation": "UPDATE"}), "parameters": input_parameters_ports}
+ results := violation with input as input
+ count(results) == 0
+}
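Review bot: `test_update` only demonstrates the UPDATE exclusion if the same fixture produces a violation without the `"operation": "UPDATE"` key, and the name `input_review_no_hostnetwork_container_ports_outofrange` does not make that obvious from this hunk. A test that passes for either reason is weak, so I would assert the baseline in the same test, e.g. `count(violation with input as {"review": input_review_no_hostnetwork_container_ports_outofrange, "parameters": input_parameters_ports}) > 0` before the UPDATE assertion. The same applies to the new tests in read-only-root-filesystem, selinux and volumes, which build on the generic `input_review` fixture whose CREATE-time outcome is likewise not visible here.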
input_review = {
"object": {
diff --git a/src/pod-security-policy/privileged-containers/constraint.tmpl b/src/pod-security-policy/privileged-containers/constraint.tmpl
index 4090b8541..90a195925 100644
--- a/src/pod-security-policy/privileged-containers/constraint.tmpl
+++ b/src/pod-security-policy/privileged-containers/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
name: k8spspprivilegedcontainer
annotations:
metadata.gatekeeper.sh/title: "Privileged Container"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls the ability of any container to enable privileged mode.
Corresponds to the `privileged` field in a PodSecurityPolicy. For more
@@ -40,4 +40,6 @@ spec:
{{ file.Read "src/pod-security-policy/privileged-containers/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
libs:
- |
+{{ file.Read "src/pod-security-policy/privileged-containers/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
+ - |
{{ file.Read "src/pod-security-policy/privileged-containers/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/pod-security-policy/privileged-containers/lib_exclude_update.rego b/src/pod-security-policy/privileged-containers/lib_exclude_update.rego
new file mode 100644
index 000000000..96433d78a
--- /dev/null
+++ b/src/pod-security-policy/privileged-containers/lib_exclude_update.rego
@@ -0,0 +1,5 @@
+package lib.exclude_update
+
+is_update(review) {
+ review.operation == "UPDATE"
+}
diff --git a/src/pod-security-policy/privileged-containers/src.rego b/src/pod-security-policy/privileged-containers/src.rego
index facc61eff..a789e96da 100644
--- a/src/pod-security-policy/privileged-containers/src.rego
+++ b/src/pod-security-policy/privileged-containers/src.rego
@@ -1,8 +1,12 @@
package k8spspprivileged
+import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg, "details": {}}] {
+ # spec.containers.privileged field is immutable.
+ not is_update(input.review)
+
c := input_containers[_]
not is_exempt(c)
c.securityContext.privileged
diff --git a/src/pod-security-policy/privileged-containers/src_test.rego b/src/pod-security-policy/privileged-containers/src_test.rego
index 0e25bd07d..4c1a462a2 100644
--- a/src/pod-security-policy/privileged-containers/src_test.rego
+++ b/src/pod-security-policy/privileged-containers/src_test.rego
@@ -30,6 +30,11 @@ test_input_container_many_mixed_privileged_not_allowed_two_but_exempt {
results := violation with input as input
count(results) == 0
}
+test_update {
+ input := { "review": object.union(input_review_priv, {"operation": "UPDATE"})}
+ results := violation with input as input
+ count(results) == 0
+}
input_review = {
"object": {
diff --git a/src/pod-security-policy/proc-mount/constraint.tmpl b/src/pod-security-policy/proc-mount/constraint.tmpl
index 195313b1c..b06f815b6 100644
--- a/src/pod-security-policy/proc-mount/constraint.tmpl
+++ b/src/pod-security-policy/proc-mount/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
name: k8spspprocmount
annotations:
metadata.gatekeeper.sh/title: "Proc Mount"
- metadata.gatekeeper.sh/version: 1.0.1
+ metadata.gatekeeper.sh/version: 1.0.2
description: >-
Controls the allowed `procMount` types for the container. Corresponds to
the `allowedProcMountTypes` field in a PodSecurityPolicy. For more
@@ -51,4 +51,6 @@ spec:
{{ file.Read "src/pod-security-policy/proc-mount/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
libs:
- |
+{{ file.Read "src/pod-security-policy/proc-mount/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
+ - |
{{ file.Read "src/pod-security-policy/proc-mount/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/pod-security-policy/proc-mount/lib_exclude_update.rego b/src/pod-security-policy/proc-mount/lib_exclude_update.rego
new file mode 100644
index 000000000..96433d78a
--- /dev/null
+++ b/src/pod-security-policy/proc-mount/lib_exclude_update.rego
@@ -0,0 +1,5 @@
+package lib.exclude_update
+
+is_update(review) {
+ review.operation == "UPDATE"
+}
diff --git a/src/pod-security-policy/proc-mount/src.rego b/src/pod-security-policy/proc-mount/src.rego
index f6520441d..cf501c8bd 100644
--- a/src/pod-security-policy/proc-mount/src.rego
+++ b/src/pod-security-policy/proc-mount/src.rego
@@ -1,8 +1,12 @@
package k8spspprocmount
+import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg, "details": {}}] {
+ # spec.containers.securityContext.procMount field is immutable.
+ not is_update(input.review)
+
c := input_containers[_]
not is_exempt(c)
allowedProcMount := get_allowed_proc_mount(input)
diff --git a/src/pod-security-policy/proc-mount/src_test.rego b/src/pod-security-policy/proc-mount/src_test.rego
index 4488109c1..32452d8fb 100644
--- a/src/pod-security-policy/proc-mount/src_test.rego
+++ b/src/pod-security-policy/proc-mount/src_test.rego
@@ -65,6 +65,11 @@ test_input_container_many_mixed_proc_mount_allowed_two {
results := violation with input as input
count(results) == 0
}
+test_update {
+ input := { "review": object.union(input_review_unmasked, {"operation": "UPDATE"}), "parameters": input_parameters_default}
+ results := violation with input as input
+ count(results) == 0
+}
input_review = {
"object": {
diff --git a/src/pod-security-policy/read-only-root-filesystem/constraint.tmpl b/src/pod-security-policy/read-only-root-filesystem/constraint.tmpl
index 3d1a4f7c4..3fa6e0607 100644
--- a/src/pod-security-policy/read-only-root-filesystem/constraint.tmpl
+++ b/src/pod-security-policy/read-only-root-filesystem/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
name: k8spspreadonlyrootfilesystem
annotations:
metadata.gatekeeper.sh/title: "Read Only Root Filesystem"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Requires the use of a read-only root file system by pod containers.
Corresponds to the `readOnlyRootFilesystem` field in a
@@ -41,4 +41,6 @@ spec:
{{ file.Read "src/pod-security-policy/read-only-root-filesystem/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
libs:
- |
+{{ file.Read "src/pod-security-policy/read-only-root-filesystem/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
+ - |
{{ file.Read "src/pod-security-policy/read-only-root-filesystem/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/pod-security-policy/read-only-root-filesystem/lib_exclude_update.rego b/src/pod-security-policy/read-only-root-filesystem/lib_exclude_update.rego
new file mode 100644
index 000000000..96433d78a
--- /dev/null
+++ b/src/pod-security-policy/read-only-root-filesystem/lib_exclude_update.rego
@@ -0,0 +1,5 @@
+package lib.exclude_update
+
+is_update(review) {
+ review.operation == "UPDATE"
+}
diff --git a/src/pod-security-policy/read-only-root-filesystem/src.rego b/src/pod-security-policy/read-only-root-filesystem/src.rego
index 084051e6b..3d15390f0 100644
--- a/src/pod-security-policy/read-only-root-filesystem/src.rego
+++ b/src/pod-security-policy/read-only-root-filesystem/src.rego
@@ -1,8 +1,12 @@
package k8spspreadonlyrootfilesystem
+import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg, "details": {}}] {
+ # spec.containers.readOnlyRootFilesystem field is immutable.
+ not is_update(input.review)
+
c := input_containers[_]
not is_exempt(c)
input_read_only_root_fs(c)
diff --git a/src/pod-security-policy/read-only-root-filesystem/src_test.rego b/src/pod-security-policy/read-only-root-filesystem/src_test.rego
index da3baf3e4..348613859 100644
--- a/src/pod-security-policy/read-only-root-filesystem/src_test.rego
+++ b/src/pod-security-policy/read-only-root-filesystem/src_test.rego
@@ -25,6 +25,11 @@ test_input_container_many_mixed_readonlyrootfilesystem_not_allowed_two_but_exemp
results := violation with input as input
count(results) == 0
}
+test_update {
+ input := { "review": object.union(input_review, {"operation": "UPDATE"})}
+ results := violation with input as input
+ count(results) == 0
+}
input_review = {
"object": {
diff --git a/src/pod-security-policy/selinux/constraint.tmpl b/src/pod-security-policy/selinux/constraint.tmpl
index 4817a5c6e..051b9c694 100644
--- a/src/pod-security-policy/selinux/constraint.tmpl
+++ b/src/pod-security-policy/selinux/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
name: k8spspselinuxv2
annotations:
metadata.gatekeeper.sh/title: "SELinux V2"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Defines an allow-list of seLinuxOptions configurations for pod
containers. Corresponds to a PodSecurityPolicy requiring SELinux configs.
@@ -60,4 +60,6 @@ spec:
{{ file.Read "src/pod-security-policy/selinux/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
libs:
- |
+{{ file.Read "src/pod-security-policy/selinux/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
+ - |
{{ file.Read "src/pod-security-policy/selinux/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/pod-security-policy/selinux/lib_exclude_update.rego b/src/pod-security-policy/selinux/lib_exclude_update.rego
new file mode 100644
index 000000000..96433d78a
--- /dev/null
+++ b/src/pod-security-policy/selinux/lib_exclude_update.rego
@@ -0,0 +1,5 @@
+package lib.exclude_update
+
+is_update(review) {
+ review.operation == "UPDATE"
+}
diff --git a/src/pod-security-policy/selinux/src.rego b/src/pod-security-policy/selinux/src.rego
index b9e98ede6..f11ededb9 100644
--- a/src/pod-security-policy/selinux/src.rego
+++ b/src/pod-security-policy/selinux/src.rego
@@ -1,15 +1,22 @@
package k8spspselinux
+import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
# Disallow top level custom SELinux options
violation[{"msg": msg, "details": {}}] {
+ # spec.securityContext.seLinuxOptions field is immutable.
+ not is_update(input.review)
+
has_field(input.review.object.spec.securityContext, "seLinuxOptions")
not input_seLinuxOptions_allowed(input.review.object.spec.securityContext.seLinuxOptions)
msg := sprintf("SELinux options is not allowed, pod: %v. Allowed options: %v", [input.review.object.metadata.name, input.parameters.allowedSELinuxOptions])
}
# Disallow container level custom SELinux options
violation[{"msg": msg, "details": {}}] {
+ # spec.containers.securityContext.seLinuxOptions field is immutable.
+ not is_update(input.review)
+
c := input_security_context[_]
not is_exempt(c)
has_field(c.securityContext, "seLinuxOptions")
diff --git a/src/pod-security-policy/selinux/src_test.rego b/src/pod-security-policy/selinux/src_test.rego
index eb9aa218b..8d796e8c7 100644
--- a/src/pod-security-policy/selinux/src_test.rego
+++ b/src/pod-security-policy/selinux/src_test.rego
@@ -133,6 +133,11 @@ test_input_seLinux_options_many_not_allowed_not_in_list_double_seccontext {
count(results) == 3
}
+test_input_seLinux_options_update {
+ input := { "review": object.union(input_review, {"operation": "UPDATE"}), "parameters": input_parameters_in_list_subset}
+ results := violation with input as input
+ count(results) == 0
+}
input_review = {
"object": {
diff --git a/src/pod-security-policy/users/constraint.tmpl b/src/pod-security-policy/users/constraint.tmpl
index 11a7728fe..2c503e343 100644
--- a/src/pod-security-policy/users/constraint.tmpl
+++ b/src/pod-security-policy/users/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
name: k8spspallowedusers
annotations:
metadata.gatekeeper.sh/title: "Allowed Users"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls the user and group IDs of the container and some volumes.
Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and
@@ -136,4 +136,6 @@ spec:
{{ file.Read "src/pod-security-policy/users/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
libs:
- |
+{{ file.Read "src/pod-security-policy/users/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
+ - |
{{ file.Read "src/pod-security-policy/users/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/pod-security-policy/users/lib_exclude_update.rego b/src/pod-security-policy/users/lib_exclude_update.rego
new file mode 100644
index 000000000..96433d78a
--- /dev/null
+++ b/src/pod-security-policy/users/lib_exclude_update.rego
@@ -0,0 +1,5 @@
+package lib.exclude_update
+
+is_update(review) {
+ review.operation == "UPDATE"
+}
diff --git a/src/pod-security-policy/users/src.rego b/src/pod-security-policy/users/src.rego
index 6f0b4f4d0..4d28bafd2 100644
--- a/src/pod-security-policy/users/src.rego
+++ b/src/pod-security-policy/users/src.rego
@@ -1,8 +1,12 @@
package k8spspallowedusers
+import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg}] {
+ # runAsUser, runAsGroup, supplementalGroups, fsGroup fields are immutable.
+ not is_update(input.review)
+
fields := ["runAsUser", "runAsGroup", "supplementalGroups", "fsGroup"]
field := fields[_]
container := input_containers[_]
diff --git a/src/pod-security-policy/users/src_test.rego b/src/pod-security-policy/users/src_test.rego
index 1fbb9ecc3..6e5979c87 100644
--- a/src/pod-security-policy/users/src_test.rego
+++ b/src/pod-security-policy/users/src_test.rego
@@ -812,8 +812,11 @@ test_mixed_container_level_all_defined_mixed_in_range_mixed_rules {
count(results) == 1
}
-
-
+test_update {
+ input := {"review": object.union(review(null, [ctr("cont1", run_as_rule(150, 150, null, null))], null), {"operation": "UPDATE"}), "parameters": mixed_all_rules }
+ results := violation with input as input
+ count(results) == 0
+}
## Functions ##
diff --git a/src/pod-security-policy/volumes/constraint.tmpl b/src/pod-security-policy/volumes/constraint.tmpl
index 179800603..40f87e2c3 100644
--- a/src/pod-security-policy/volumes/constraint.tmpl
+++ b/src/pod-security-policy/volumes/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
name: k8spspvolumetypes
annotations:
metadata.gatekeeper.sh/title: "Volume Types"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Restricts mountable volume types to those specified by the user.
Corresponds to the `volumes` field in a PodSecurityPolicy. For more
@@ -34,3 +34,6 @@ spec:
- target: admission.k8s.gatekeeper.sh
rego: |
{{ file.Read "src/pod-security-policy/volumes/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
+ libs:
+ - |
+{{ file.Read "src/pod-security-policy/volumes/lib_exclude_update.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/src/pod-security-policy/volumes/lib_exclude_update.rego b/src/pod-security-policy/volumes/lib_exclude_update.rego
new file mode 100644
index 000000000..96433d78a
--- /dev/null
+++ b/src/pod-security-policy/volumes/lib_exclude_update.rego
@@ -0,0 +1,5 @@
+package lib.exclude_update
+
+is_update(review) {
+ review.operation == "UPDATE"
+}
diff --git a/src/pod-security-policy/volumes/src.rego b/src/pod-security-policy/volumes/src.rego
index 00f9d8814..2d10ecf3e 100644
--- a/src/pod-security-policy/volumes/src.rego
+++ b/src/pod-security-policy/volumes/src.rego
@@ -1,6 +1,11 @@
package k8spspvolumetypes
+import data.lib.exclude_update.is_update
+
violation[{"msg": msg, "details": {}}] {
+ # spec.volumes field is immutable.
+ not is_update(input.review)
+
volume_fields := {x | input.review.object.spec.volumes[_][x]; x != "name"}
field := volume_fields[_]
not input_volume_type_allowed(field)
diff --git a/src/pod-security-policy/volumes/src_test.rego b/src/pod-security-policy/volumes/src_test.rego
index 81ba9effd..841e79bf8 100644
--- a/src/pod-security-policy/volumes/src_test.rego
+++ b/src/pod-security-policy/volumes/src_test.rego
@@ -67,6 +67,12 @@ test_input_volume_type_allowed_in_list_many_volumes_mixed {
count(results) == 1
}
+test_input_volume_type_update {
+ input := { "review": object.union(input_review, {"operation": "UPDATE"}), "parameters": input_parameters_empty}
+ results := violation with input as input
+ count(results) == 0
+}
+
input_review = {
"object": {
"metadata": {
diff --git a/src/rego/lib_exclude_update/lib_exclude_update.rego b/src/rego/lib_exclude_update/lib_exclude_update.rego
new file mode 100644
index 000000000..96433d78a
--- /dev/null
+++ b/src/rego/lib_exclude_update/lib_exclude_update.rego
@@ -0,0 +1,5 @@
+package lib.exclude_update
+
+is_update(review) {
+ review.operation == "UPDATE"
+}
diff --git a/src/rego/lib_exclude_update/lib_exclude_update_test.rego b/src/rego/lib_exclude_update/lib_exclude_update_test.rego
new file mode 100644
index 000000000..82d642756
--- /dev/null
+++ b/src/rego/lib_exclude_update/lib_exclude_update_test.rego
@@ -0,0 +1,13 @@
+package lib.exclude_update
+
+test_update {
+ is_update({"operation": "UPDATE"})
+}
+
+test_create {
+ not is_update({"operation": "CREATE"})
+}
+
+test_empty {
+ not is_update({"operation": ""})
+}
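Review bot: The tests cover UPDATE, CREATE and an empty string but not a review with no `operation` key at all, which is the case the callers rely on when `input.review` comes from a source other than an admission request (Gatekeeper audit appears to be one, though that is inferred rather than visible here). Since `not is_update(input.review)` must hold there for the policies to keep auditing, pin it with `test_missing_operation { not is_update({}) }`.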
diff --git a/website/docs/validation/allow-privilege-escalation.md b/website/docs/validation/allow-privilege-escalation.md
index 8645cdaa8..765425505 100644
--- a/website/docs/validation/allow-privilege-escalation.md
+++ b/website/docs/validation/allow-privilege-escalation.md
@@ -16,7 +16,7 @@ metadata:
name: k8spspallowprivilegeescalationcontainer
annotations:
metadata.gatekeeper.sh/title: "Allow Privilege Escalation in Container"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls restricting escalation to root privileges. Corresponds to the
`allowPrivilegeEscalation` field in a PodSecurityPolicy. For more
@@ -51,9 +51,13 @@ spec:
rego: |
package k8spspallowprivilegeescalationcontainer
+ import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg, "details": {}}] {
+ # spec.containers.securityContext.allowPrivilegeEscalation field is immutable.
+ not is_update(input.review)
+
c := input_containers[_]
not is_exempt(c)
input_allow_privilege_escalation(c)
@@ -80,6 +84,12 @@ spec:
object[field]
}
libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
- |
package lib.exempt_container
@@ -212,6 +222,37 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml
```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-privilege-escalation-disallowed
+ labels:
+ app: nginx-privilege-escalation
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ allowPrivilegeEscalation: true
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/update.yaml
+```
+
diff --git a/website/docs/validation/automount-serviceaccount-token.md b/website/docs/validation/automount-serviceaccount-token.md
index 7dddd7477..9876ba1aa 100644
--- a/website/docs/validation/automount-serviceaccount-token.md
+++ b/website/docs/validation/automount-serviceaccount-token.md
@@ -16,7 +16,7 @@ metadata:
name: k8spspautomountserviceaccounttokenpod
annotations:
metadata.gatekeeper.sh/title: "Automount Service Account Token for Pod"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls the ability of any Pod to enable automountServiceAccountToken.
spec:
@@ -34,7 +34,12 @@ spec:
rego: |
package k8sautomountserviceaccounttoken
+ import data.lib.exclude_update.is_update
+
violation[{"msg": msg}] {
+ # spec.automountServiceAccountToken and spec.containers.volumeMounts fields are immutable.
+ not is_update(input.review)
+
obj := input.review.object
mountServiceAccountToken(obj.spec)
msg := sprintf("Automounting service account token is disallowed, pod: %v", [obj.metadata.name])
@@ -64,6 +69,13 @@ spec:
has_key(x, k) {
_ = x[k]
}
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
```
@@ -149,6 +161,36 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/automount-serviceaccount-token/samples/automount-serviceaccount-token/example_disallowed.yaml
```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-automountserviceaccounttoken-update
+ labels:
+ app: nginx-automountserviceaccounttoken
+ spec:
+ automountServiceAccountToken: true
+ containers:
+ - name: nginx
+ image: nginx
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/automount-serviceaccount-token/samples/automount-serviceaccount-token/update.yaml
+```
+
diff --git a/website/docs/validation/capabilities.md b/website/docs/validation/capabilities.md
index e717bccca..bb6d86f4d 100644
--- a/website/docs/validation/capabilities.md
+++ b/website/docs/validation/capabilities.md
@@ -16,7 +16,7 @@ metadata:
name: k8spspcapabilities
annotations:
metadata.gatekeeper.sh/title: "Capabilities"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls Linux capabilities on containers. Corresponds to the
`allowedCapabilities` and `requiredDropCapabilities` fields in a
@@ -62,9 +62,13 @@ spec:
rego: |
package capabilities
+ import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg}] {
+ # spec.containers.securityContext.capabilities field is immutable.
+ not is_update(input.review)
+
container := input.review.object.spec.containers[_]
not is_exempt(container)
has_disallowed_capabilities(container)
@@ -72,6 +76,7 @@ spec:
}
violation[{"msg": msg}] {
+ not is_update(input.review)
container := input.review.object.spec.containers[_]
not is_exempt(container)
missing_drop_capabilities(container)
@@ -81,6 +86,7 @@ spec:
violation[{"msg": msg}] {
+ not is_update(input.review)
container := input.review.object.spec.initContainers[_]
not is_exempt(container)
has_disallowed_capabilities(container)
@@ -88,6 +94,7 @@ spec:
}
violation[{"msg": msg}] {
+ not is_update(input.review)
container := input.review.object.spec.initContainers[_]
not is_exempt(container)
missing_drop_capabilities(container)
@@ -97,6 +104,7 @@ spec:
violation[{"msg": msg}] {
+ not is_update(input.review)
container := input.review.object.spec.ephemeralContainers[_]
not is_exempt(container)
has_disallowed_capabilities(container)
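Review bot: The `not is_update(input.review)` added to the `spec.ephemeralContainers` rules here and in the next hunk turns those rules off entirely, because ephemeral containers are not immutable: they are added to an existing Pod through the `ephemeralcontainers` subresource, which reaches admission as an UPDATE. With this change a debug container with a disallowed capability is never evaluated, so the two lines `not is_update(input.review)` should be dropped from the ephemeralContainers rules (or the guard limited to the containers/initContainers rules). The same question applies to the allow-privilege-escalation hunk earlier in this commit if its `input_containers` includes ephemeral containers, which the existing `disallowed_ephemeral.yaml` sample suggests it does. A negative test that submits an UPDATE with a non-compliant ephemeral container and expects a violation would keep this from regressing.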
@@ -104,6 +112,7 @@ spec:
}
violation[{"msg": msg}] {
+ not is_update(input.review)
container := input.review.object.spec.ephemeralContainers[_]
not is_exempt(container)
missing_drop_capabilities(container)
@@ -138,6 +147,12 @@ spec:
out = _default
}
libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
- |
package lib.exempt_container
@@ -302,6 +317,46 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/capabilities/samples/capabilities-demo/disallowed_ephemeral.yaml
```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: opa-disallowed
+ labels:
+ owner: me.agilebank.demo
+ spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ securityContext:
+ capabilities:
+ add: ["disallowedcapability"]
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "30Mi"
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/capabilities/samples/capabilities-demo/update.yaml
+```
+
diff --git a/website/docs/validation/ephemeralstoragelimit.md b/website/docs/validation/ephemeralstoragelimit.md
index 1042c4fcb..83e219488 100644
--- a/website/docs/validation/ephemeralstoragelimit.md
+++ b/website/docs/validation/ephemeralstoragelimit.md
@@ -17,7 +17,7 @@ metadata:
name: k8scontainerephemeralstoragelimit
annotations:
metadata.gatekeeper.sh/title: "Container ephemeral storage limit"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Requires containers to have an ephemeral storage limit set and constrains
the limit to be within the specified maximum values.
@@ -51,6 +51,7 @@ spec:
rego: |
package k8scontainerephemeralstoragelimit
+ import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
missing(obj, field) = true {
@@ -163,10 +164,14 @@ spec:
}
violation[{"msg": msg}] {
+ # spec.containers.resources.limits["ephemeral-storage"] field is immutable.
+ not is_update(input.review)
+
general_violation[{"msg": msg, "field": "containers"}]
}
violation[{"msg": msg}] {
+ not is_update(input.review)
general_violation[{"msg": msg, "field": "initContainers"}]
}
@@ -212,6 +217,12 @@ spec:
msg := sprintf("container <%v> ephemeral-storage limit <%v> is higher than the maximum allowed of <%v>", [container.name, storage_orig, max_storage_orig])
}
libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
- |
package lib.exempt_container
@@ -460,6 +471,44 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/ephemeralstoragelimit/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml
```
+
+
+ephemeral-storage-limit-update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: opa-allowed
+ labels:
+ owner: me.agilebank.demo
+ spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.9.2
+ args:
+ - "run"
+ - "--server"
+ - "--addr=localhost:8080"
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "1Gi"
+ ephemeral-storage: "1Pi"
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/ephemeralstoragelimit/samples/container-must-have-ephemeral-storage-limit/update.yaml
+```
+
diff --git a/website/docs/validation/flexvolume-drivers.md b/website/docs/validation/flexvolume-drivers.md
index 3049852ab..04d28cec3 100644
--- a/website/docs/validation/flexvolume-drivers.md
+++ b/website/docs/validation/flexvolume-drivers.md
@@ -16,7 +16,7 @@ metadata:
name: k8spspflexvolumes
annotations:
metadata.gatekeeper.sh/title: "FlexVolumes"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls the allowlist of FlexVolume drivers. Corresponds to the
`allowedFlexVolumes` field in PodSecurityPolicy. For more information,
@@ -51,7 +51,12 @@ spec:
rego: |
package k8spspflexvolumes
+ import data.lib.exclude_update.is_update
+
violation[{"msg": msg, "details": {}}] {
+ # spec.volumes field is immutable.
+ not is_update(input.review)
+
volume := input_flexvolumes[_]
not input_flexvolumes_allowed(volume)
msg := sprintf("FlexVolume %v is not allowed, pod: %v. Allowed drivers: %v", [volume, input.review.object.metadata.name, input.parameters.allowedFlexVolumes])
@@ -70,6 +75,13 @@ spec:
has_field(object, field) = true {
object[field]
}
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
```
@@ -172,6 +184,43 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/example_disallowed.yaml
```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-flexvolume-driver-disallowed
+ labels:
+ app: nginx-flexvolume-driver
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /test
+ name: test-volume
+ readOnly: true
+ volumes:
+ - name: test-volume
+ flexVolume:
+ driver: "example/testdriver" #"example/lvm"
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/update.yaml
+```
+
diff --git a/website/docs/validation/forbidden-sysctls.md b/website/docs/validation/forbidden-sysctls.md
index 2cb1a25f4..1b5b4a27c 100644
--- a/website/docs/validation/forbidden-sysctls.md
+++ b/website/docs/validation/forbidden-sysctls.md
@@ -16,7 +16,7 @@ metadata:
name: k8spspforbiddensysctls
annotations:
metadata.gatekeeper.sh/title: "Forbidden Sysctls"
- metadata.gatekeeper.sh/version: 1.1.1
+ metadata.gatekeeper.sh/version: 1.1.2
description: >-
Controls the `sysctl` profile used by containers. Corresponds to the
`allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy.
@@ -54,8 +54,13 @@ spec:
rego: |
package k8spspforbiddensysctls
+ import data.lib.exclude_update.is_update
+
# Block if forbidden
violation[{"msg": msg, "details": {}}] {
+ # spec.securityContext.sysctls field is immutable.
+ not is_update(input.review)
+
sysctl := input.review.object.spec.securityContext.sysctls[_].name
forbidden_sysctl(sysctl)
msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls])
@@ -63,6 +68,7 @@ spec:
# Block if not explicitly allowed
violation[{"msg": msg, "details": {}}] {
+ not is_update(input.review)
sysctl := input.review.object.spec.securityContext.sysctls[_].name
not allowed_sysctl(sysctl)
msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])
@@ -97,6 +103,13 @@ spec:
endswith(allowed, "*")
startswith(sysctl, trim_suffix(allowed, "*"))
}
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
```
@@ -195,6 +208,41 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/example_allowed.yaml
```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-forbidden-sysctls-disallowed
+ labels:
+ app: nginx-forbidden-sysctls
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ sysctls:
+ - name: kernel.msgmax
+ value: "65536"
+ - name: net.core.somaxconn
+ value: "1024"
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/update.yaml
+```
+
diff --git a/website/docs/validation/fsgroup.md b/website/docs/validation/fsgroup.md
index 9e99d2362..6a35e43c0 100644
--- a/website/docs/validation/fsgroup.md
+++ b/website/docs/validation/fsgroup.md
@@ -16,7 +16,7 @@ metadata:
name: k8spspfsgroup
annotations:
metadata.gatekeeper.sh/title: "FS Group"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls allocating an FSGroup that owns the Pod's volumes. Corresponds
to the `fsGroup` field in a PodSecurityPolicy. For more information, see
@@ -59,7 +59,12 @@ spec:
rego: |
package k8spspfsgroup
+ import data.lib.exclude_update.is_update
+
violation[{"msg": msg, "details": {}}] {
+ # spec.securityContext.fsGroup field is immutable.
+ not is_update(input.review)
+
spec := input.review.object.spec
not input_fsGroup_allowed(spec)
msg := sprintf("The provided pod spec fsGroup is not allowed, pod: %v. Allowed fsGroup: %v", [input.review.object.metadata.name, input.parameters])
@@ -103,6 +108,13 @@ spec:
has_field(object, field) = true {
object[field]
}
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
```
@@ -204,6 +216,42 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/fsgroup/samples/psp-fsgroup/example_allowed.yaml
```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: fsgroup-disallowed
+ spec:
+ securityContext:
+ fsGroup: 2000 # directory will have group ID 2000
+ volumes:
+ - name: fsgroup-demo-vol
+ emptyDir: {}
+ containers:
+ - name: fsgroup-demo
+ image: busybox
+ command: [ "sh", "-c", "sleep 1h" ]
+ volumeMounts:
+ - name: fsgroup-demo-vol
+ mountPath: /data/demo
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/fsgroup/samples/psp-fsgroup/update.yaml
+```
+
diff --git a/website/docs/validation/host-filesystem.md b/website/docs/validation/host-filesystem.md
index f1f407799..cd7430a09 100644
--- a/website/docs/validation/host-filesystem.md
+++ b/website/docs/validation/host-filesystem.md
@@ -16,7 +16,7 @@ metadata:
name: k8spsphostfilesystem
annotations:
metadata.gatekeeper.sh/title: "Host Filesystem"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls usage of the host filesystem. Corresponds to the
`allowedHostPaths` field in a PodSecurityPolicy. For more information,
@@ -54,7 +54,12 @@ spec:
rego: |
package k8spsphostfilesystem
+ import data.lib.exclude_update.is_update
+
violation[{"msg": msg, "details": {}}] {
+ # spec.volumes field is immutable.
+ not is_update(input.review)
+
volume := input_hostpath_volumes[_]
allowedPaths := get_allowed_paths(input)
input_hostpath_violation(allowedPaths, volume)
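Review bot: The new `not is_update(input.review)` guard skips every UPDATE admission request, but ephemeral containers are only ever added on UPDATE (through the `pods/ephemeralcontainers` subresource), so a template that deliberately walks `spec.ephemeralContainers` (the `input_containers` rule visible in the next hunk, and the `disallowed_ephemeral.yaml` sample further down) will no longer see them — an ephemeral container mounting an existing hostPath read-write here, or one with `privileged: true` in the privileged-containers template, would be admitted. The same gap exists in every template in this commit that ships an ephemeral sample: host-network-ports, privileged-containers, proc-mount, read-only-root-filesystem, selinux and users. Because the exclusion lives in the shared `lib.exclude_update` library added in the `libs:` hunks, the fix belongs there: keep `review.operation == "UPDATE"` and add `object.get(review, "subResource", "") != "ephemeralcontainers"` as a second condition so that only updates which cannot introduce containers are excluded, and the `... field is immutable.` comments should mention that ephemeral containers are the exception. Audit runs presumably carry no `operation`, so they are unaffected either way; these docs look generated from the template sources, so the change should be made upstream and regenerated.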
@@ -146,6 +151,13 @@ spec:
input_containers[c] {
c := input.review.object.spec.ephemeralContainers[_]
}
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
```
@@ -280,6 +292,43 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-filesystem/samples/psp-host-filesystem/disallowed_ephemeral.yaml
```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-host-filesystem
+ labels:
+ app: nginx-host-filesystem-disallowed
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ readOnly: true
+ volumes:
+ - name: cache-volume
+ hostPath:
+ path: /tmp # directory location on host
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-filesystem/samples/psp-host-filesystem/update.yaml
+```
+
diff --git a/website/docs/validation/host-namespaces.md b/website/docs/validation/host-namespaces.md
index 869b8a37c..0c433062e 100644
--- a/website/docs/validation/host-namespaces.md
+++ b/website/docs/validation/host-namespaces.md
@@ -16,7 +16,7 @@ metadata:
name: k8spsphostnamespace
annotations:
metadata.gatekeeper.sh/title: "Host Namespace"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Disallows sharing of host PID and IPC namespaces by pod containers.
Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy.
@@ -41,7 +41,12 @@ spec:
rego: |
package k8spsphostnamespace
+ import data.lib.exclude_update.is_update
+
violation[{"msg": msg, "details": {}}] {
+ # spec.hostPID and spec.hostIPC fields are immutable.
+ not is_update(input.review)
+
input_share_hostnamespace(input.review.object)
msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name])
}
@@ -52,6 +57,13 @@ spec:
input_share_hostnamespace(o) {
o.spec.hostIPC
}
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
```
@@ -138,6 +150,37 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-namespaces/samples/psp-host-namespace/example_disallowed.yaml
```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-host-namespace-disallowed
+ labels:
+ app: nginx-host-namespace
+ spec:
+ hostPID: true
+ hostIPC: true
+ containers:
+ - name: nginx
+ image: nginx
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-namespaces/samples/psp-host-namespace/update.yaml
+```
+
diff --git a/website/docs/validation/host-network-ports.md b/website/docs/validation/host-network-ports.md
index 96827b4fa..373d1ab3f 100644
--- a/website/docs/validation/host-network-ports.md
+++ b/website/docs/validation/host-network-ports.md
@@ -16,7 +16,7 @@ metadata:
name: k8spsphostnetworkingports
annotations:
metadata.gatekeeper.sh/title: "Host Networking Ports"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls usage of host network namespace by pod containers. Specific
ports must be specified. Corresponds to the `hostNetwork` and
@@ -61,9 +61,13 @@ spec:
rego: |
package k8spsphostnetworkingports
+ import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg, "details": {}}] {
+ # spec.hostNetwork field is immutable.
+ not is_update(input.review)
+
input_share_hostnetwork(input.review.object)
msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters])
}
@@ -98,6 +102,12 @@ spec:
not is_exempt(c)
}
libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
- |
package lib.exempt_container
@@ -240,6 +250,39 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/disallowed_ephemeral.yaml
```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-host-networking-ports-disallowed
+ labels:
+ app: nginx-host-networking-ports
+ spec:
+ hostNetwork: true
+ containers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 9001
+ hostPort: 9001
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/update.yaml
+```
+
diff --git a/website/docs/validation/privileged-containers.md b/website/docs/validation/privileged-containers.md
index b4c1f5532..ef596bbde 100644
--- a/website/docs/validation/privileged-containers.md
+++ b/website/docs/validation/privileged-containers.md
@@ -16,7 +16,7 @@ metadata:
name: k8spspprivilegedcontainer
annotations:
metadata.gatekeeper.sh/title: "Privileged Container"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls the ability of any container to enable privileged mode.
Corresponds to the `privileged` field in a PodSecurityPolicy. For more
@@ -51,9 +51,13 @@ spec:
rego: |
package k8spspprivileged
+ import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg, "details": {}}] {
+ # spec.containers.privileged field is immutable.
+ not is_update(input.review)
+
c := input_containers[_]
not is_exempt(c)
c.securityContext.privileged
@@ -72,6 +76,12 @@ spec:
c := input.review.object.spec.ephemeralContainers[_]
}
libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
- |
package lib.exempt_container
@@ -205,6 +215,37 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/disallowed_ephemeral.yaml
```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-privileged-disallowed
+ labels:
+ app: nginx-privileged
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ privileged: true
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/update.yaml
+```
+
diff --git a/website/docs/validation/proc-mount.md b/website/docs/validation/proc-mount.md
index ae322778e..e792ff25b 100644
--- a/website/docs/validation/proc-mount.md
+++ b/website/docs/validation/proc-mount.md
@@ -16,7 +16,7 @@ metadata:
name: k8spspprocmount
annotations:
metadata.gatekeeper.sh/title: "Proc Mount"
- metadata.gatekeeper.sh/version: 1.0.1
+ metadata.gatekeeper.sh/version: 1.0.2
description: >-
Controls the allowed `procMount` types for the container. Corresponds to
the `allowedProcMountTypes` field in a PodSecurityPolicy. For more
@@ -62,9 +62,13 @@ spec:
rego: |
package k8spspprocmount
+ import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg, "details": {}}] {
+ # spec.containers.securityContext.procMount field is immutable.
+ not is_update(input.review)
+
c := input_containers[_]
not is_exempt(c)
allowedProcMount := get_allowed_proc_mount(input)
@@ -118,6 +122,12 @@ spec:
lower(str) == "unmasked"
}
libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
- |
package lib.exempt_container
@@ -252,6 +262,37 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/proc-mount/samples/psp-proc-mount/disallowed_ephemeral.yaml
```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-proc-mount-disallowed
+ labels:
+ app: nginx-proc-mount
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ procMount: Unmasked #Default
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/proc-mount/samples/psp-proc-mount/update.yaml
+```
+
diff --git a/website/docs/validation/read-only-root-filesystem.md b/website/docs/validation/read-only-root-filesystem.md
index d2f0a3e26..cefd32931 100644
--- a/website/docs/validation/read-only-root-filesystem.md
+++ b/website/docs/validation/read-only-root-filesystem.md
@@ -16,7 +16,7 @@ metadata:
name: k8spspreadonlyrootfilesystem
annotations:
metadata.gatekeeper.sh/title: "Read Only Root Filesystem"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Requires the use of a read-only root file system by pod containers.
Corresponds to the `readOnlyRootFilesystem` field in a
@@ -52,9 +52,13 @@ spec:
rego: |
package k8spspreadonlyrootfilesystem
+ import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg, "details": {}}] {
+ # spec.containers.readOnlyRootFilesystem field is immutable.
+ not is_update(input.review)
+
c := input_containers[_]
not is_exempt(c)
input_read_only_root_fs(c)
@@ -83,6 +87,12 @@ spec:
object[field]
}
libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
- |
package lib.exempt_container
@@ -215,6 +225,37 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml
```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-readonlyrootfilesystem-disallowed
+ labels:
+ app: nginx-readonlyrootfilesystem
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ readOnlyRootFilesystem: false
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/update.yaml
+```
+
diff --git a/website/docs/validation/requiredprobes.md b/website/docs/validation/requiredprobes.md
index fd0e743c5..4561c24f7 100644
--- a/website/docs/validation/requiredprobes.md
+++ b/website/docs/validation/requiredprobes.md
@@ -16,7 +16,7 @@ metadata:
name: k8srequiredprobes
annotations:
metadata.gatekeeper.sh/title: "Required Probes"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: Requires Pods to have readiness and/or liveness probes.
spec:
crd:
@@ -42,11 +42,16 @@ spec:
rego: |
package k8srequiredprobes
+ import data.lib.exclude_update.is_update
+
probe_type_set = probe_types {
probe_types := {type | type := input.parameters.probeTypes[_]}
}
violation[{"msg": msg}] {
+ # Probe fields are immutable.
+ not is_update(input.review)
+
container := input.review.object.spec.containers[_]
probe := input.parameters.probes[_]
probe_is_missing(container, probe)
@@ -70,6 +75,13 @@ spec:
get_violation_message(container, review, probe) = msg {
msg := sprintf("Container <%v> in your <%v> <%v> has no <%v>", [container.name, review.kind.kind, review.object.metadata.name, probe])
}
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
```
@@ -243,6 +255,55 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/requiredprobes/samples/must-have-probes/example_disallowed2.yaml
```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: test-pod1
+ spec:
+ containers:
+ - name: nginx-1
+ image: nginx:1.7.9
+ ports:
+ - containerPort: 80
+ livenessProbe:
+ # tcpSocket:
+ # port: 80
+ # initialDelaySeconds: 5
+ # periodSeconds: 10
+ volumeMounts:
+ - mountPath: /tmp/cache
+ name: cache-volume
+ - name: tomcat
+ image: tomcat
+ ports:
+ - containerPort: 8080
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/requiredprobes/samples/must-have-probes/update.yaml
+```
+
diff --git a/website/docs/validation/selinux.md b/website/docs/validation/selinux.md
index 3366abc23..f44f5588a 100644
--- a/website/docs/validation/selinux.md
+++ b/website/docs/validation/selinux.md
@@ -16,7 +16,7 @@ metadata:
name: k8spspselinuxv2
annotations:
metadata.gatekeeper.sh/title: "SELinux V2"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Defines an allow-list of seLinuxOptions configurations for pod
containers. Corresponds to a PodSecurityPolicy requiring SELinux configs.
@@ -71,16 +71,23 @@ spec:
rego: |
package k8spspselinux
+ import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
# Disallow top level custom SELinux options
violation[{"msg": msg, "details": {}}] {
+ # spec.securityContext.seLinuxOptions field is immutable.
+ not is_update(input.review)
+
has_field(input.review.object.spec.securityContext, "seLinuxOptions")
not input_seLinuxOptions_allowed(input.review.object.spec.securityContext.seLinuxOptions)
msg := sprintf("SELinux options is not allowed, pod: %v. Allowed options: %v", [input.review.object.metadata.name, input.parameters.allowedSELinuxOptions])
}
# Disallow container level custom SELinux options
violation[{"msg": msg, "details": {}}] {
+ # spec.containers.securityContext.seLinuxOptions field is immutable.
+ not is_update(input.review)
+
c := input_security_context[_]
not is_exempt(c)
has_field(c.securityContext, "seLinuxOptions")
@@ -121,6 +128,12 @@ spec:
object[field]
}
libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
- |
package lib.exempt_container
@@ -271,6 +284,41 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/selinux/samples/psp-selinux-v2/disallowed_ephemeral.yaml
```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-selinux-disallowed
+ labels:
+ app: nginx-selinux
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ seLinuxOptions:
+ level: s1:c234,c567
+ user: sysadm_u
+ role: sysadm_r
+ type: svirt_lxc_net_t
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/selinux/samples/psp-selinux-v2/update.yaml
+```
+
diff --git a/website/docs/validation/users.md b/website/docs/validation/users.md
index 9fe178fc3..69d592ca8 100644
--- a/website/docs/validation/users.md
+++ b/website/docs/validation/users.md
@@ -16,7 +16,7 @@ metadata:
name: k8spspallowedusers
annotations:
metadata.gatekeeper.sh/title: "Allowed Users"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Controls the user and group IDs of the container and some volumes.
Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups`, and
@@ -147,9 +147,13 @@ spec:
rego: |
package k8spspallowedusers
+ import data.lib.exclude_update.is_update
import data.lib.exempt_container.is_exempt
violation[{"msg": msg}] {
+ # runAsUser, runAsGroup, supplementalGroups, fsGroup fields are immutable.
+ not is_update(input.review)
+
fields := ["runAsUser", "runAsGroup", "supplementalGroups", "fsGroup"]
field := fields[_]
container := input_containers[_]
@@ -272,6 +276,12 @@ spec:
c := input.review.object.spec.ephemeralContainers[_]
}
libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
- |
package lib.exempt_container
@@ -440,6 +450,42 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/users/samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml
```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-users-disallowed
+ labels:
+ app: nginx-users
+ spec:
+ securityContext:
+ supplementalGroups:
+ - 250
+ fsGroup: 250
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ runAsUser: 250
+ runAsGroup: 250
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/users/samples/psp-pods-allowed-user-ranges/update.yaml
+```
+
diff --git a/website/docs/validation/volumes.md b/website/docs/validation/volumes.md
index 11c6307d3..b2ed0f55d 100644
--- a/website/docs/validation/volumes.md
+++ b/website/docs/validation/volumes.md
@@ -16,7 +16,7 @@ metadata:
name: k8spspvolumetypes
annotations:
metadata.gatekeeper.sh/title: "Volume Types"
- metadata.gatekeeper.sh/version: 1.0.0
+ metadata.gatekeeper.sh/version: 1.0.1
description: >-
Restricts mountable volume types to those specified by the user.
Corresponds to the `volumes` field in a PodSecurityPolicy. For more
@@ -47,7 +47,12 @@ spec:
rego: |
package k8spspvolumetypes
+ import data.lib.exclude_update.is_update
+
violation[{"msg": msg, "details": {}}] {
+ # spec.volumes field is immutable.
+ not is_update(input.review)
+
volume_fields := {x | input.review.object.spec.volumes[_][x]; x != "name"}
field := volume_fields[_]
not input_volume_type_allowed(field)
@@ -62,6 +67,13 @@ spec:
input_volume_type_allowed(field) {
field == input.parameters.volumes[_]
}
+ libs:
+ - |
+ package lib.exclude_update
+
+ is_update(review) {
+ review.operation == "UPDATE"
+ }
```
@@ -182,6 +194,49 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/volumes/samples/psp-volume-types/example_allowed.yaml
```
+
+
+update
+
+```yaml
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+ operation: "UPDATE"
+ object:
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: nginx-volume-types-disallowed
+ labels:
+ app: nginx-volume-types
+ spec:
+ containers:
+ - name: nginx
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ - name: nginx2
+ image: nginx
+ volumeMounts:
+ - mountPath: /cache2
+ name: demo-vol
+ volumes:
+ - name: cache-volume
+ hostPath:
+ path: /tmp # directory location on host
+ - name: demo-vol
+ emptyDir: {}
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/volumes/samples/psp-volume-types/update.yaml
+```
+