-
Notifications
You must be signed in to change notification settings - Fork 327
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'master' into check-strict
- Loading branch information
Showing
20 changed files
with
752 additions
and
3 deletions.
There are no files selected for viewing
22 changes: 22 additions & 0 deletions
22
artifacthub/library/general/disallowinteractive/1.0.0/artifacthub-pkg.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
version: 1.0.0 | ||
name: k8sdisallowinteractivetty | ||
displayName: Disallow Interactive TTY Containers | ||
createdAt: "2023-04-27T21:41:24Z" | ||
description: Requires that objects have the fields `spec.tty` and `spec.stdin` set to false or unset. | ||
digest: c462c392ee271922f97e53d084646857dbbc97f496382e9b5c117532ccf3b5bc | ||
license: Apache-2.0 | ||
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/disallowinteractive | ||
keywords: | ||
- gatekeeper | ||
- open-policy-agent | ||
- policies | ||
readme: |- | ||
# Disallow Interactive TTY Containers | ||
Requires that objects have the fields `spec.tty` and `spec.stdin` set to false or unset. | ||
install: |- | ||
### Usage | ||
```shell | ||
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/disallowinteractive/1.0.0/template.yaml | ||
``` | ||
provider: | ||
name: Gatekeeper Library |
2 changes: 2 additions & 0 deletions
2
artifacthub/library/general/disallowinteractive/1.0.0/kustomization.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
resources: | ||
- template.yaml |
9 changes: 9 additions & 0 deletions
9
...brary/general/disallowinteractive/1.0.0/samples/no-interactive-containers/constraint.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
kind: K8sDisallowInteractiveTTY | ||
metadata: | ||
name: no-interactive-tty-containers | ||
spec: | ||
match: | ||
kinds: | ||
- apiGroups: [""] | ||
kinds: ["Pod"] |
12 changes: 12 additions & 0 deletions
12
.../general/disallowinteractive/1.0.0/samples/no-interactive-containers/example_allowed.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-interactive-tty-allowed | ||
labels: | ||
app: nginx-interactive-tty | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
stdin: false | ||
tty: false |
12 changes: 12 additions & 0 deletions
12
...neral/disallowinteractive/1.0.0/samples/no-interactive-containers/example_disallowed.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-privilege-escalation-disallowed | ||
labels: | ||
app: nginx-privilege-escalation | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
stdin: true | ||
tty: true |
17 changes: 17 additions & 0 deletions
17
artifacthub/library/general/disallowinteractive/1.0.0/suite.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
kind: Suite | ||
apiVersion: test.gatekeeper.sh/v1alpha1 | ||
metadata: | ||
name: disallowinteractive | ||
tests: | ||
- name: disallow-interactive | ||
template: template.yaml | ||
constraint: samples/no-interactive-containers/constraint.yaml | ||
cases: | ||
- name: example-allowed | ||
object: samples/no-interactive-containers/example_allowed.yaml | ||
assertions: | ||
- violations: no | ||
- name: example-disallowed | ||
object: samples/no-interactive-containers/example_disallowed.yaml | ||
assertions: | ||
- violations: yes |
88 changes: 88 additions & 0 deletions
88
artifacthub/library/general/disallowinteractive/1.0.0/template.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,88 @@ | ||
apiVersion: templates.gatekeeper.sh/v1 | ||
kind: ConstraintTemplate | ||
metadata: | ||
name: k8sdisallowinteractivetty | ||
annotations: | ||
metadata.gatekeeper.sh/title: "Disallow Interactive TTY Containers" | ||
metadata.gatekeeper.sh/version: 1.0.0 | ||
description: >- | ||
Requires that objects have the fields `spec.tty` and `spec.stdin` set to false or unset. | ||
spec: | ||
crd: | ||
spec: | ||
names: | ||
kind: K8sDisallowInteractiveTTY | ||
validation: | ||
# Schema for the `parameters` field | ||
openAPIV3Schema: | ||
type: object | ||
description: >- | ||
Controls use of fields related to gaining an interactive session. Corresponds to the `tty` and | ||
`stdin` fields in the Pod `spec.containers`, `spec.ephemeralContainers`, and `spec.initContainers`. | ||
properties: | ||
exemptImages: | ||
description: >- | ||
Any container that uses an image that matches an entry in this list will be excluded | ||
from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`. | ||
It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) | ||
in order to avoid unexpectedly exempting images from an untrusted repository. | ||
type: array | ||
items: | ||
type: string | ||
targets: | ||
- target: admission.k8s.gatekeeper.sh | ||
rego: | | ||
package k8sdisallowinteractivetty | ||
import data.lib.exempt_container.is_exempt | ||
violation[{"msg": msg, "details": {}}] { | ||
c := input_containers[_] | ||
not is_exempt(c) | ||
input_allow_interactive_fields(c) | ||
msg := sprintf("Containers using tty or stdin (%v) are not allowed running image: %v", [c.name, c.image]) | ||
} | ||
input_allow_interactive_fields(c) { | ||
has_field(c, "stdin") | ||
not c.stdin == false | ||
} | ||
input_allow_interactive_fields(c) { | ||
has_field(c, "tty") | ||
not c.tty == false | ||
} | ||
input_containers[c] { | ||
c := input.review.object.spec.containers[_] | ||
} | ||
input_containers[c] { | ||
c := input.review.object.spec.ephemeralContainers[_] | ||
} | ||
input_containers[c] { | ||
c := input.review.object.spec.initContainers[_] | ||
} | ||
# has_field returns whether an object has a field | ||
has_field(object, field) = true { | ||
object[field] | ||
} | ||
libs: | ||
- | | ||
package lib.exempt_container | ||
is_exempt(container) { | ||
exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) | ||
img := container.image | ||
exemption := exempt_images[_] | ||
_matches_exemption(img, exemption) | ||
} | ||
_matches_exemption(img, exemption) { | ||
not endswith(exemption, "*") | ||
exemption == img | ||
} | ||
_matches_exemption(img, exemption) { | ||
endswith(exemption, "*") | ||
prefix := trim_suffix(exemption, "*") | ||
startswith(img, prefix) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
resources: | ||
- template.yaml |
9 changes: 9 additions & 0 deletions
9
library/general/disallowinteractive/samples/no-interactive-containers/constraint.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
kind: K8sDisallowInteractiveTTY | ||
metadata: | ||
name: no-interactive-tty-containers | ||
spec: | ||
match: | ||
kinds: | ||
- apiGroups: [""] | ||
kinds: ["Pod"] |
12 changes: 12 additions & 0 deletions
12
library/general/disallowinteractive/samples/no-interactive-containers/example_allowed.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-interactive-tty-allowed | ||
labels: | ||
app: nginx-interactive-tty | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
stdin: false | ||
tty: false |
12 changes: 12 additions & 0 deletions
12
...ary/general/disallowinteractive/samples/no-interactive-containers/example_disallowed.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx-privilege-escalation-disallowed | ||
labels: | ||
app: nginx-privilege-escalation | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
stdin: true | ||
tty: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
kind: Suite | ||
apiVersion: test.gatekeeper.sh/v1alpha1 | ||
metadata: | ||
name: disallowinteractive | ||
tests: | ||
- name: disallow-interactive | ||
template: template.yaml | ||
constraint: samples/no-interactive-containers/constraint.yaml | ||
cases: | ||
- name: example-allowed | ||
object: samples/no-interactive-containers/example_allowed.yaml | ||
assertions: | ||
- violations: no | ||
- name: example-disallowed | ||
object: samples/no-interactive-containers/example_disallowed.yaml | ||
assertions: | ||
- violations: yes |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,88 @@ | ||
apiVersion: templates.gatekeeper.sh/v1 | ||
kind: ConstraintTemplate | ||
metadata: | ||
name: k8sdisallowinteractivetty | ||
annotations: | ||
metadata.gatekeeper.sh/title: "Disallow Interactive TTY Containers" | ||
metadata.gatekeeper.sh/version: 1.0.0 | ||
description: >- | ||
Requires that objects have the fields `spec.tty` and `spec.stdin` set to false or unset. | ||
spec: | ||
crd: | ||
spec: | ||
names: | ||
kind: K8sDisallowInteractiveTTY | ||
validation: | ||
# Schema for the `parameters` field | ||
openAPIV3Schema: | ||
type: object | ||
description: >- | ||
Controls use of fields related to gaining an interactive session. Corresponds to the `tty` and | ||
`stdin` fields in the Pod `spec.containers`, `spec.ephemeralContainers`, and `spec.initContainers`. | ||
properties: | ||
exemptImages: | ||
description: >- | ||
Any container that uses an image that matches an entry in this list will be excluded | ||
from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`. | ||
It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) | ||
in order to avoid unexpectedly exempting images from an untrusted repository. | ||
type: array | ||
items: | ||
type: string | ||
targets: | ||
- target: admission.k8s.gatekeeper.sh | ||
rego: | | ||
package k8sdisallowinteractivetty | ||
import data.lib.exempt_container.is_exempt | ||
violation[{"msg": msg, "details": {}}] { | ||
c := input_containers[_] | ||
not is_exempt(c) | ||
input_allow_interactive_fields(c) | ||
msg := sprintf("Containers using tty or stdin (%v) are not allowed running image: %v", [c.name, c.image]) | ||
} | ||
input_allow_interactive_fields(c) { | ||
has_field(c, "stdin") | ||
not c.stdin == false | ||
} | ||
input_allow_interactive_fields(c) { | ||
has_field(c, "tty") | ||
not c.tty == false | ||
} | ||
input_containers[c] { | ||
c := input.review.object.spec.containers[_] | ||
} | ||
input_containers[c] { | ||
c := input.review.object.spec.ephemeralContainers[_] | ||
} | ||
input_containers[c] { | ||
c := input.review.object.spec.initContainers[_] | ||
} | ||
# has_field returns whether an object has a field | ||
has_field(object, field) = true { | ||
object[field] | ||
} | ||
libs: | ||
- | | ||
package lib.exempt_container | ||
is_exempt(container) { | ||
exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) | ||
img := container.image | ||
exemption := exempt_images[_] | ||
_matches_exemption(img, exemption) | ||
} | ||
_matches_exemption(img, exemption) { | ||
not endswith(exemption, "*") | ||
exemption == img | ||
} | ||
_matches_exemption(img, exemption) { | ||
endswith(exemption, "*") | ||
prefix := trim_suffix(exemption, "*") | ||
startswith(img, prefix) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
apiVersion: templates.gatekeeper.sh/v1 | ||
kind: ConstraintTemplate | ||
metadata: | ||
name: k8sdisallowinteractivetty | ||
annotations: | ||
metadata.gatekeeper.sh/title: "Disallow Interactive TTY Containers" | ||
metadata.gatekeeper.sh/version: 1.0.0 | ||
description: >- | ||
Requires that objects have the fields `spec.tty` and `spec.stdin` set to false or unset. | ||
spec: | ||
crd: | ||
spec: | ||
names: | ||
kind: K8sDisallowInteractiveTTY | ||
validation: | ||
# Schema for the `parameters` field | ||
openAPIV3Schema: | ||
type: object | ||
description: >- | ||
Controls use of fields related to gaining an interactive session. Corresponds to the `tty` and | ||
`stdin` fields in the Pod `spec.containers`, `spec.ephemeralContainers`, and `spec.initContainers`. | ||
properties: | ||
exemptImages: | ||
description: >- | ||
Any container that uses an image that matches an entry in this list will be excluded | ||
from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`. | ||
|
||
It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) | ||
in order to avoid unexpectedly exempting images from an untrusted repository. | ||
type: array | ||
items: | ||
type: string | ||
targets: | ||
- target: admission.k8s.gatekeeper.sh | ||
rego: | | ||
{{ file.Read "src/general/disallowinteractive/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} | ||
libs: | ||
- | | ||
{{ file.Read "src/general/disallowinteractive/lib_exempt_container.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
package lib.exempt_container | ||
|
||
is_exempt(container) { | ||
exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) | ||
img := container.image | ||
exemption := exempt_images[_] | ||
_matches_exemption(img, exemption) | ||
} | ||
|
||
_matches_exemption(img, exemption) { | ||
not endswith(exemption, "*") | ||
exemption == img | ||
} | ||
|
||
_matches_exemption(img, exemption) { | ||
endswith(exemption, "*") | ||
prefix := trim_suffix(exemption, "*") | ||
startswith(img, prefix) | ||
} |
Oops, something went wrong.