feat(cel): add ValidatingAdmissionPolicyBinding and auditAnnotations

Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>
portefaix · Jul 2, 2024 · e067e05 · e067e05
1 parent 7f69549
commit e067e05
Show file tree

Hide file tree

Showing 8 changed files with 98 additions and 9 deletions.
diff --git a/cel/C0001-container-image-tag/policy-C0001.yaml b/cel/C0001-container-image-tag/policy-C0001.yaml
@@ -14,6 +14,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
+---
 apiVersion: admissionregistration.k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicy
 metadata:
@@ -34,7 +35,18 @@ spec:
       operations:  ["CREATE", "UPDATE"]
       resources:   ["jobs","cronjobs"]
   validations:
-  - expression: "object.spec.template.spec.containers.all(c, !c.image.endsWith(params.spec.excludeTags))"
-    message: "cannot use the latest tag"
+  - expression: "object.spec.template.spec.containers.all(c, !c.image.contains(':latest'))"
+    message: "Cannot use the latest tag"
   - expression: 'object.spec.containers.all(c, c.image.matches("[0-9]+\\.[0-9]+\\.[0-9]$"))'
-    message: "Container images have a semver version"
+    message: "Container images have a SemVer version"
+  auditAnnotations:
+  - key: "container-invalid-image-tag"
+    valueExpression: "Container image must have a SemVer version and not lastest tag"
+---
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: c0001.container.portefaix.xyz
+spec:
+  policyName: c0001.container.portefaix.xyz
+  validationActions: [Warn, Audit]
diff --git a/cel/C0002-container-liveness-probe/policy-C0002.yaml b/cel/C0002-container-liveness-probe/policy-C0002.yaml
@@ -37,8 +37,19 @@ spec:
       resources:   ["jobs","cronjobs"]
   validations:
     - expression: "object.kind != 'Pod' || object.spec.containers.all(container, has(container.livenessProbe))"
-      message: "Readiness probe is required"
+      message: "Liveness probe is required"
     - expression: "['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container, has(container.livenessProbe))"
-      message: "Readiness probe is required"
+      message: "Liveness probe is required"
     - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container, has(container.livenessProbe))"
-      message: "Readiness probe is required"
+      message: "Liveness probe is required"
+  auditAnnotations:
+  - key: "container-liveness-probe"
+    valueExpression: "Liveness probe is required"
+---
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: c0002.container.portefaix.xyz
+spec:
+  policyName: c0002.container.portefaix.xyz
+  validationActions: [Warn, Audit]
diff --git a/cel/C0003-container-readiness-probe/policy-C0003.yaml b/cel/C0003-container-readiness-probe/policy-C0003.yaml
@@ -42,3 +42,14 @@ spec:
       message: "Readiness probe is required"
     - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.template.spec.containers.all(container, has(container.readinessProbe))"
       message: "Readiness probe is required"
+    auditAnnotations:
+  - key: "container-readiness-probe"
+    valueExpression: "Readiness probe is required"
+---
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: c0003.container.portefaix.xyz
+spec:
+  policyName: c0003.container.portefaix.xyz
+  validationActions: [Warn, Audit]
diff --git a/cel/C0008-container-resources/policy-C0008.yaml b/cel/C0008-container-resources/policy-C0008.yaml
@@ -65,3 +65,14 @@ spec:
         has(container.resources.limits) &&
         has(container.resources.limits.memory))
       message: "CPU and memory resource requests and limits are required."
+  auditAnnotations:
+  - key: "container-resources-requests-limits"
+    valueExpression: "CPU and Memory resource requests and limits are required"
+---
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: c0008.container.portefaix.xyz
+spec:
+  policyName: c0008.container.portefaix.xyz
+  validationActions: [Warn, Audit]
diff --git a/cel/M0001-metadata-labels/policy-M0001.yaml b/cel/M0001-metadata-labels/policy-M0001.yaml
@@ -48,4 +48,15 @@ spec:
       'app.kubernetes.io/component' in object.metadata.labels &&
       'app.kubernetes.io/part-of' in object.metadata.labels &&
       'app.kubernetes.io/managed-by' in object.metadata.labels
-    message: "Kubernetes recommanded labels is required."
+    message: "Kubernetes recommended labels is required."
+  auditAnnotations:
+  - key: "metadata-kubernetes-recommended-labels"
+    valueExpression: "Kubernetes recommended labels is required"
+---
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: m0001.container.portefaix.xyz
+spec:
+  policyName: m0001.container.portefaix.xyz
+  validationActions: [Warn, Audit]
diff --git a/cel/M0002-metadata-annotations/policy-M0002.yaml b/cel/M0002-metadata-annotations/policy-M0002.yaml
@@ -48,3 +48,14 @@ spec:
       'a8r.io/repository' in object.metadata.labels &&
       'a8r.io/support' in object.metadata.labels
     message: "a8r.io annotations is required."
+  auditAnnotations:
+  - key: "metadata-a8r-io-recommended-annotations"
+    valueExpression: "a8r.io annotations is required"
+---
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: m0002.container.portefaix.xyz
+spec:
+  policyName: m0002.container.portefaix.xyz
+  validationActions: [Warn, Audit]
diff --git a/cel/M0003-metadata-portefaix-labels/policy-M0003.yaml b/cel/M0003-metadata-portefaix-labels/policy-M0003.yaml
@@ -42,4 +42,15 @@ spec:
   validations:
   - expression: >
       'portefaix.xyz/version' in object.metadata.labels
-    message: "Portefaix recommanded labels is required."
+    message: "Portefaix recommended labels is required."
+  auditAnnotations:
+  - key: "metadata-portefaix-recommended-labels"
+    valueExpression: "Portefaix recommended labels is required"
+---
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: m0003.container.portefaix.xyz
+spec:
+  policyName: m0003.container.portefaix.xyz
+  validationActions: [Warn, Audit]
diff --git a/cel/N0001-namespace-default/policy-N0001.yaml b/cel/N0001-namespace-default/policy-N0001.yaml
@@ -37,4 +37,15 @@ spec:
       resources:   ["jobs","cronjobs"]
   validations:
     - expression: "['Pod','Deployment','ReplicaSet','DaemonSet','StatefulSet','Job', 'CronJob'].all(kind, object.kind != kind) || (has(object.metadata.namespace) && object.metadata.namespace != 'default')"
-      message: "Workloads in default namespace are not allowed"
+      message: "Resources in default namespace are not allowed"
+  auditAnnotations:
+  - key: "default-namespace-not-allowed"
+    valueExpression: "Resources in default namespace are not allowed"
+---
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: n0001.container.portefaix.xyz
+spec:
+  policyName: n0001.container.portefaix.xyz
+  validationActions: [Warn, Audit]