Merge branch 'main' into pod-security-cel-test-generated-vaps
JimBugwadia committed Aug 27, 2024
2 parents c743e5b + 97ada83 commit 7833593
Showing 3 changed files with 24 additions and 71 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/check-actions.yaml
Expand Up @@ -18,7 +18,7 @@ jobs:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Ensure SHA pinned actions
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b88cd0aad2c36a63e42c71f81cb1958fed95ac87 # v3.0.10
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@3c16e895bb662b4d7e284f032cbe8835a57773cc # v3.0.11
with:
allowlist: |
kyverno/chainsaw
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,5 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline) in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: d842a1741805d9480e9a571a80117f4e2c6210b0d984d1c22e54545c3df9dd0d
digest: 03aa7b1e6017f42e75639c61a6593e1ac241ba1f158b72eaa8751c60b6c9d0f5
createdAt: "2023-12-03T00:22:33Z"
91 changes: 22 additions & 69 deletions pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml
Expand Up @@ -28,52 +28,24 @@ spec:
- UPDATE
validate:
cel:
variables:
- name: allContainerTypes
expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
- name: seLinuxTypes
expression: "['container_t', 'container_init_t', 'container_kvm_t']"
expressions:
- expression: >-
!has(object.spec.securityContext) ||
- expression: >-
(!has(object.spec.securityContext) ||
!has(object.spec.securityContext.seLinuxOptions) ||
!has(object.spec.securityContext.seLinuxOptions.type) ||
object.spec.securityContext.seLinuxOptions.type == 'container_t' ||
object.spec.securityContext.seLinuxOptions.type == 'container_init_t' ||
object.spec.securityContext.seLinuxOptions.type == 'container_kvm_t'
message: >-
Setting the SELinux type is restricted. The field spec.securityContext.seLinuxOptions.type
must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
- expression: >-
object.spec.containers.all(container, !has(container.securityContext) ||
!has(container.securityContext.seLinuxOptions) ||
!has(container.securityContext.seLinuxOptions.type) ||
container.securityContext.seLinuxOptions.type == 'container_t' ||
container.securityContext.seLinuxOptions.type == 'container_init_t' ||
container.securityContext.seLinuxOptions.type == 'container_kvm_t')
message: >-
Setting the SELinux type is restricted. The field spec.containers[*].securityContext.seLinuxOptions.type
must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
- expression: >-
!has(object.spec.initContainers) ||
object.spec.initContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.seLinuxOptions) ||
!has(container.securityContext.seLinuxOptions.type) ||
container.securityContext.seLinuxOptions.type == 'container_t' ||
container.securityContext.seLinuxOptions.type == 'container_init_t' ||
container.securityContext.seLinuxOptions.type == 'container_kvm_t')
message: >-
Setting the SELinux type is restricted. The field spec.initContainers[*].securityContext.seLinuxOptions.type
must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
- expression: >-
!has(object.spec.ephemeralContainers) ||
object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
variables.seLinuxTypes.exists(type, type == object.spec.securityContext.seLinuxOptions.type)) &&
variables.allContainerTypes.all(container,
!has(container.securityContext) ||
!has(container.securityContext.seLinuxOptions) ||
!has(container.securityContext.seLinuxOptions.type) ||
container.securityContext.seLinuxOptions.type == 'container_t' ||
container.securityContext.seLinuxOptions.type == 'container_init_t' ||
container.securityContext.seLinuxOptions.type == 'container_kvm_t')
variables.seLinuxTypes.exists(type, type == container.securityContext.seLinuxOptions.type))
message: >-
Setting the SELinux type is restricted. The field spec.ephemeralContainers[*].securityContext.seLinuxOptions.type
must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
Setting the SELinux type is restricted. The field securityContext.seLinuxOptions.type must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
- name: selinux-user-role
match:
any:
Expand All @@ -85,37 +57,18 @@ spec:
- UPDATE
validate:
cel:
variables:
- name: allContainerTypes
expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
expressions:
- expression: >-
!has(object.spec.securityContext) ||
- expression: >-
(!has(object.spec.securityContext) ||
!has(object.spec.securityContext.seLinuxOptions) ||
(!has(object.spec.securityContext.seLinuxOptions.user) && !has(object.spec.securityContext.seLinuxOptions.role))
message: >-
Setting the SELinux user or role is forbidden. The fields
spec.securityContext.seLinuxOptions.user and spec.securityContext.seLinuxOptions.role must be unset.
- expression: >-
object.spec.containers.all(container, !has(container.securityContext) ||
!has(container.securityContext.seLinuxOptions) ||
(!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role)))
message: >-
Setting the SELinux user or role is forbidden. The fields
spec.containers[*].securityContext.seLinuxOptions.user and spec.containers[*].securityContext.seLinuxOptions.role must be unset.
- expression: >-
!has(object.spec.initContainers) ||
object.spec.initContainers.all(container, !has(container.securityContext) ||
!has(container.securityContext.seLinuxOptions) ||
(!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role)))
message: >-
Setting the SELinux user or role is forbidden. The fields
spec.initContainers[*].securityContext.seLinuxOptions.user and spec.initContainers[*].securityContext.seLinuxOptions.role must be unset.
- expression: >-
!has(object.spec.ephemeralContainers) ||
object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
(!has(object.spec.securityContext.seLinuxOptions.user) && !has(object.spec.securityContext.seLinuxOptions.role))) &&
variables.allContainerTypes.all(container,
!has(container.securityContext) ||
!has(container.securityContext.seLinuxOptions) ||
(!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role)))
message: >-
Setting the SELinux user or role is forbidden. The fields
spec.ephemeralContainers[*].securityContext.seLinuxOptions.user and spec.ephemeralContainers[*].securityContext.seLinuxOptions.role must be unset.
Setting the SELinux user or role is forbidden. The fields seLinuxOptions.user and seLinuxOptions.role must be unset.
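Review bot: The allowed-type membership test in the selinux-type rule is written as `variables.seLinuxTypes.exists(type, type == ...)`, which reads as a search where CEL's list `in` operator states the intent directly; I would write the pod-level and container-level checks as `object.spec.securityContext.seLinuxOptions.type in variables.seLinuxTypes)` and `container.securityContext.seLinuxOptions.type in variables.seLinuxTypes)`. The variable name `allContainerTypes` holds the concatenated container specs rather than SELinux types, so `allContainers` would avoid confusion next to `seLinuxTypes`, and the same rename applies to the identical copy of the variable in the selinux-user-role rule. Both rules' match blocks start above their hunks, and the first rule's header is outside the hunk entirely. Folding the pod-level and per-container checks into one expression is fine logically, but the single message can no longer tell the submitter whether the offending field was on spec.securityContext or on a container; if that matters for triage, the pod-level check could stay as its own expression with its own message.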
