-
Notifications
You must be signed in to change notification settings - Fork 330
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Add cel for forbidden-sysctls Signed-off-by: Rita Zhang <[email protected]> * add tests and update messageExpression Signed-off-by: Rita Zhang <[email protected]> * update rego for unspecified allowedSysctls Signed-off-by: Rita Zhang <[email protected]> --------- Signed-off-by: Rita Zhang <[email protected]>
- Loading branch information
Showing
24 changed files
with
1,176 additions
and
117 deletions.
There are no files selected for viewing
36 changes: 36 additions & 0 deletions
36
artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| # Forbidden Sysctls security context policy | ||
|
|
||
| The forbidden sysctls constraint allows one to limit the set of kernel parameters that can be modified by pods. This is accomplished by specifying a combination of allowed and forbidden sysctls using either of two parameters: `allowedSysctls` and `forbiddenSysctls`. | ||
|
|
||
| ## Parameters | ||
|
|
||
| `allowedSysctls`: A list of explicitly allowed sysctls. Any sysctl not in this list will be considered forbidden. '*' and trailing wildcards are supported. If unspecified, no limitations are made by this parameter. | ||
|
|
||
| `forbiddenSysctls`: A list of explicitly denied sysctls. Any sysctl in this list will be considered forbidden. '*' and trailing wildcards are supported. If unspecified, no limitations are made by this parameter. | ||
|
|
||
| ## Examples | ||
|
|
||
| ```yaml | ||
| parameters: | ||
| allowedSysctls: ['*'] | ||
| forbiddenSysctls: | ||
| - kernel.msg* | ||
| - net.core.somaxconn | ||
| ``` | ||
| ```yaml | ||
| parameters: | ||
| allowedSysctls: | ||
| - kernel.shm_rmid_forced | ||
| - net.ipv4.ip_local_port_range | ||
| - net.ipv4.tcp_syncookies | ||
| - net.ipv4.ping_group_range | ||
| forbiddenSysctls: [] | ||
| ``` | ||
| *Note*: `forbiddenSysctls` takes precedence, such that an explicitly forbidden sysctl is still forbidden even if it appears in `allowedSysctls` as well. However in practice, such overlap between the rules should be avoided. | ||
|
|
||
| ## References | ||
|
|
||
| * [Using sysctls in a Kubernetes Cluster](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/) | ||
| * [Kubernetes API Reference - Sysctl](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#sysctl-v1-core) |
22 changes: 22 additions & 0 deletions
22
artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/artifacthub-pkg.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| version: 1.2.0 | ||
| name: k8spspforbiddensysctls | ||
| displayName: Forbidden Sysctls | ||
| createdAt: "2024-07-05T17:47:31Z" | ||
| description: Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ | ||
| digest: f17aa53b0129445cc5899d534c3c3904f8843c517cc401a13b5f07aaa6e0cca8 | ||
| license: Apache-2.0 | ||
| homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/forbidden-sysctls | ||
| keywords: | ||
| - gatekeeper | ||
| - open-policy-agent | ||
| - policies | ||
| readme: |- | ||
| # Forbidden Sysctls | ||
| Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ | ||
| install: |- | ||
| ### Usage | ||
| ```shell | ||
| kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/template.yaml | ||
| ``` | ||
| provider: | ||
| name: Gatekeeper Library |
2 changes: 2 additions & 0 deletions
2
artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/kustomization.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| resources: | ||
| - template.yaml |
15 changes: 15 additions & 0 deletions
15
...pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
| kind: K8sPSPForbiddenSysctls | ||
| metadata: | ||
| name: psp-forbidden-sysctls | ||
| spec: | ||
| match: | ||
| kinds: | ||
| - apiGroups: [""] | ||
| kinds: ["Pod"] | ||
| parameters: | ||
| forbiddenSysctls: | ||
| # - "*" # * may be used to forbid all sysctls | ||
| - kernel.* | ||
| allowedSysctls: | ||
| - "*" # allows all sysctls. allowedSysctls is optional. |
14 changes: 14 additions & 0 deletions
14
...od-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint2.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
| kind: K8sPSPForbiddenSysctls | ||
| metadata: | ||
| name: psp-forbidden-sysctls | ||
| spec: | ||
| match: | ||
| kinds: | ||
| - apiGroups: [""] | ||
| kinds: ["Pod"] | ||
| parameters: | ||
| forbiddenSysctls: | ||
| - "*" # * forbid all sysctls | ||
| allowedSysctls: | ||
| - "*" # allows all sysctls. allowedSysctls is optional. |
15 changes: 15 additions & 0 deletions
15
...od-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint3.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
| kind: K8sPSPForbiddenSysctls | ||
| metadata: | ||
| name: psp-forbidden-sysctls | ||
| spec: | ||
| match: | ||
| kinds: | ||
| - apiGroups: [""] | ||
| kinds: ["Pod"] | ||
| parameters: | ||
| forbiddenSysctls: | ||
| # - "*" # * may be used to forbid all sysctls | ||
| - kernel.* | ||
| allowedSysctls: | ||
| - "net.*" |
14 changes: 14 additions & 0 deletions
14
...od-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint4.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
| kind: K8sPSPForbiddenSysctls | ||
| metadata: | ||
| name: psp-forbidden-sysctls | ||
| spec: | ||
| match: | ||
| kinds: | ||
| - apiGroups: [""] | ||
| kinds: ["Pod"] | ||
| parameters: | ||
| forbiddenSysctls: | ||
| # - "*" # * may be used to forbid all sysctls | ||
| - kernel.* | ||
| allowedSysctls: [] # empty allowedSysctls means all sysctls are forbidden |
14 changes: 14 additions & 0 deletions
14
...od-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint5.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
| kind: K8sPSPForbiddenSysctls | ||
| metadata: | ||
| name: psp-forbidden-sysctls | ||
| spec: | ||
| match: | ||
| kinds: | ||
| - apiGroups: [""] | ||
| kinds: ["Pod"] | ||
| parameters: | ||
| forbiddenSysctls: | ||
| # - "*" # * may be used to forbid all sysctls | ||
| - kernel.* | ||
| # unspecified allowedSysctls will not place any restrictions |
14 changes: 14 additions & 0 deletions
14
...ecurity-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/example_allowed.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: nginx-forbidden-sysctls-allowed | ||
| labels: | ||
| app: nginx-forbidden-sysctls | ||
| spec: | ||
| containers: | ||
| - name: nginx | ||
| image: nginx | ||
| securityContext: | ||
| sysctls: | ||
| - name: net.core.somaxconn | ||
| value: "1024" |
16 changes: 16 additions & 0 deletions
16
...rity-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/example_disallowed.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: nginx-forbidden-sysctls-disallowed | ||
| labels: | ||
| app: nginx-forbidden-sysctls | ||
| spec: | ||
| containers: | ||
| - name: nginx | ||
| image: nginx | ||
| securityContext: | ||
| sysctls: | ||
| - name: kernel.msgmax | ||
| value: "65536" | ||
| - name: net.core.somaxconn | ||
| value: "1024" |
21 changes: 21 additions & 0 deletions
21
...ary/pod-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/update.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| kind: AdmissionReview | ||
| apiVersion: admission.k8s.io/v1beta1 | ||
| request: | ||
| operation: "UPDATE" | ||
| object: | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: nginx-forbidden-sysctls-disallowed | ||
| labels: | ||
| app: nginx-forbidden-sysctls | ||
| spec: | ||
| containers: | ||
| - name: nginx | ||
| image: nginx | ||
| securityContext: | ||
| sysctls: | ||
| - name: kernel.msgmax | ||
| value: "65536" | ||
| - name: net.core.somaxconn | ||
| value: "1024" |
85 changes: 85 additions & 0 deletions
85
artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/suite.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| kind: Suite | ||
| apiVersion: test.gatekeeper.sh/v1alpha1 | ||
| metadata: | ||
| name: forbidden-sysctls | ||
| tests: | ||
| - name: forbidden-sysctls | ||
| template: template.yaml | ||
| constraint: samples/psp-forbidden-sysctls/constraint.yaml | ||
| cases: | ||
| - name: example-disallowed | ||
| object: samples/psp-forbidden-sysctls/example_disallowed.yaml | ||
| assertions: | ||
| - violations: yes | ||
| - name: example-allowed | ||
| object: samples/psp-forbidden-sysctls/example_allowed.yaml | ||
| assertions: | ||
| - violations: no | ||
| - name: update | ||
| object: samples/psp-forbidden-sysctls/update.yaml | ||
| assertions: | ||
| - violations: no | ||
| - name: forbidden-sysctls-wildcard | ||
| template: template.yaml | ||
| constraint: samples/psp-forbidden-sysctls/constraint2.yaml | ||
| cases: | ||
| - name: example-disallowed | ||
| object: samples/psp-forbidden-sysctls/example_disallowed.yaml | ||
| assertions: | ||
| - violations: yes | ||
| - name: example-disallowed | ||
| object: samples/psp-forbidden-sysctls/example_allowed.yaml | ||
| assertions: | ||
| - violations: yes | ||
| - name: update | ||
| object: samples/psp-forbidden-sysctls/update.yaml | ||
| assertions: | ||
| - violations: no | ||
| - name: forbidden-sysctls3 | ||
| template: template.yaml | ||
| constraint: samples/psp-forbidden-sysctls/constraint3.yaml | ||
| cases: | ||
| - name: example-disallowed | ||
| object: samples/psp-forbidden-sysctls/example_disallowed.yaml | ||
| assertions: | ||
| - violations: yes | ||
| - name: example-allowed | ||
| object: samples/psp-forbidden-sysctls/example_allowed.yaml | ||
| assertions: | ||
| - violations: no | ||
| - name: update | ||
| object: samples/psp-forbidden-sysctls/update.yaml | ||
| assertions: | ||
| - violations: no | ||
| - name: forbidden-sysctls4-empty-allowedSysctls | ||
| template: template.yaml | ||
| constraint: samples/psp-forbidden-sysctls/constraint4.yaml | ||
| cases: | ||
| - name: example-disallowed | ||
| object: samples/psp-forbidden-sysctls/example_disallowed.yaml | ||
| assertions: | ||
| - violations: yes | ||
| - name: example-disallowed | ||
| object: samples/psp-forbidden-sysctls/example_allowed.yaml | ||
| assertions: | ||
| - violations: yes | ||
| - name: update | ||
| object: samples/psp-forbidden-sysctls/update.yaml | ||
| assertions: | ||
| - violations: no | ||
| - name: forbidden-sysctls5-unspecified-allowedSysctls | ||
| template: template.yaml | ||
| constraint: samples/psp-forbidden-sysctls/constraint5.yaml | ||
| cases: | ||
| - name: example-disallowed | ||
| object: samples/psp-forbidden-sysctls/example_disallowed.yaml | ||
| assertions: | ||
| - violations: yes | ||
| - name: example-allowed | ||
| object: samples/psp-forbidden-sysctls/example_allowed.yaml | ||
| assertions: | ||
| - violations: no | ||
| - name: update | ||
| object: samples/psp-forbidden-sysctls/update.yaml | ||
| assertions: | ||
| - violations: no |
Oops, something went wrong.