-
Notifications
You must be signed in to change notification settings - Fork 330
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: adding cel for psp-seccomp policy (#540)
* chore: adding cel for psp-seccomp policy Signed-off-by: Jaydip Gabani <[email protected]> * using anyObject variable Signed-off-by: Jaydip Gabani <[email protected]> * moving rego under engine Signed-off-by: Jaydip Gabani <[email protected]> * tracking SC to annotations, adding v2 for seccomp with option to not read from annotations Signed-off-by: Jaydip Gabani <[email protected]> * fixing bugs Signed-off-by: Jaydip Gabani <[email protected]> * fixing bugs Signed-off-by: Jaydip Gabani <[email protected]> * removing naming_translations and streamlining name mapping Signed-off-by: Jaydip Gabani <[email protected]> * adding seccompv2 in kustomize Signed-off-by: Jaydip Gabani <[email protected]> * fixing rego bugs Signed-off-by: Jaydip Gabani <[email protected]> * adding seccompv2 Signed-off-by: Jaydip Gabani <[email protected]> * fixing unused variables Signed-off-by: Jaydip Gabani <[email protected]> * adding new line Signed-off-by: Jaydip Gabani <[email protected]> * updating seccompv2 description Signed-off-by: Jaydip Gabani <[email protected]> * removing unused example Signed-off-by: Jaydip Gabani <[email protected]> * updating seccompv2 to remove string building for localhost profiles Signed-off-by: Jaydip Gabani <[email protected]> * updating rego variable name Signed-off-by: Jaydip Gabani <[email protected]> * adding examples for localhost profile Signed-off-by: Jaydip Gabani <[email protected]> * fixing CEL code Signed-off-by: Jaydip Gabani <[email protected]> * addressing nit, updating description for seccompv2 Signed-off-by: Jaydip Gabani <[email protected]> --------- Signed-off-by: Jaydip Gabani <[email protected]>
- Loading branch information
1 parent
fd2b020
commit af24955
Showing
53 changed files
with
3,653 additions
and
498 deletions.
There are no files selected for viewing
22 changes: 22 additions & 0 deletions
22
artifacthub/library/pod-security-policy/seccomp/1.1.0/artifacthub-pkg.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| version: 1.1.0 | ||
| name: k8spspseccomp | ||
| displayName: Seccomp | ||
| createdAt: "2024-06-03T13:44:11Z" | ||
| description: Controls the seccomp profile used by containers. Corresponds to the `seccomp.security.alpha.kubernetes.io/allowedProfileNames` annotation on a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp | ||
| digest: 483941dab0df9cb51189b131e309bf927928b69b46ed51986d2f51e30fe758af | ||
| license: Apache-2.0 | ||
| homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/seccomp | ||
| keywords: | ||
| - gatekeeper | ||
| - open-policy-agent | ||
| - policies | ||
| readme: |- | ||
| # Seccomp | ||
| Controls the seccomp profile used by containers. Corresponds to the `seccomp.security.alpha.kubernetes.io/allowedProfileNames` annotation on a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp | ||
| install: |- | ||
| ### Usage | ||
| ```shell | ||
| kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/seccomp/1.1.0/template.yaml | ||
| ``` | ||
| provider: | ||
| name: Gatekeeper Library |
2 changes: 2 additions & 0 deletions
2
artifacthub/library/pod-security-policy/seccomp/1.1.0/kustomization.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| resources: | ||
| - template.yaml |
15 changes: 15 additions & 0 deletions
15
artifacthub/library/pod-security-policy/seccomp/1.1.0/samples/psp-seccomp/constraint.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
| kind: K8sPSPSeccomp | ||
| metadata: | ||
| name: psp-seccomp | ||
| spec: | ||
| match: | ||
| kinds: | ||
| - apiGroups: [""] | ||
| kinds: ["Pod"] | ||
| parameters: | ||
| exemptImages: | ||
| - nginx-exempt | ||
| allowedProfiles: | ||
| - runtime/default | ||
| - localhost/profile.json |
12 changes: 12 additions & 0 deletions
12
...b/library/pod-security-policy/seccomp/1.1.0/samples/psp-seccomp/disallowed_ephemeral.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: nginx-seccomp-disallowed | ||
| annotations: | ||
| container.seccomp.security.alpha.kubernetes.io/nginx: unconfined | ||
| labels: | ||
| app: nginx-seccomp | ||
| spec: | ||
| ephemeralContainers: | ||
| - name: nginx | ||
| image: nginx |
12 changes: 12 additions & 0 deletions
12
...acthub/library/pod-security-policy/seccomp/1.1.0/samples/psp-seccomp/example_allowed.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: nginx-seccomp-allowed | ||
| annotations: | ||
| container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default | ||
| labels: | ||
| app: nginx-seccomp | ||
| spec: | ||
| containers: | ||
| - name: nginx | ||
| image: nginx |
12 changes: 12 additions & 0 deletions
12
...cthub/library/pod-security-policy/seccomp/1.1.0/samples/psp-seccomp/example_allowed2.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: nginx-seccomp-allowed2 | ||
| annotations: | ||
| seccomp.security.alpha.kubernetes.io/pod: runtime/default | ||
| labels: | ||
| app: nginx-seccomp | ||
| spec: | ||
| containers: | ||
| - name: nginx | ||
| image: nginx |
13 changes: 13 additions & 0 deletions
13
...y/pod-security-policy/seccomp/1.1.0/samples/psp-seccomp/example_allowed_exempt_image.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: nginx-seccomp-disallowed | ||
| labels: | ||
| app: nginx-seccomp | ||
| spec: | ||
| containers: | ||
| - name: nginx | ||
| image: nginx-exempt | ||
| securityContext: | ||
| seccompProfile: | ||
| type: Unconfined |
14 changes: 14 additions & 0 deletions
14
...rary/pod-security-policy/seccomp/1.1.0/samples/psp-seccomp/example_allowed_localhost.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: nginx-seccomp-allowed-localhost | ||
| labels: | ||
| app: nginx-seccomp | ||
| spec: | ||
| containers: | ||
| - name: nginx | ||
| image: nginx | ||
| securityContext: | ||
| seccompProfile: | ||
| type: Localhost | ||
| localhostProfile: profile.json |
12 changes: 12 additions & 0 deletions
12
...hub/library/pod-security-policy/seccomp/1.1.0/samples/psp-seccomp/example_disallowed.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: nginx-seccomp-disallowed | ||
| annotations: | ||
| container.seccomp.security.alpha.kubernetes.io/nginx: unconfined | ||
| labels: | ||
| app: nginx-seccomp | ||
| spec: | ||
| containers: | ||
| - name: nginx | ||
| image: nginx |
12 changes: 12 additions & 0 deletions
12
...ub/library/pod-security-policy/seccomp/1.1.0/samples/psp-seccomp/example_disallowed2.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: nginx-seccomp-disallowed2 | ||
| annotations: | ||
| seccomp.security.alpha.kubernetes.io/pod: unconfined | ||
| labels: | ||
| app: nginx-seccomp | ||
| spec: | ||
| containers: | ||
| - name: nginx | ||
| image: nginx |
14 changes: 14 additions & 0 deletions
14
...y/pod-security-policy/seccomp/1.1.0/samples/psp-seccomp/example_disallowed_localhost.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: nginx-seccomp-disallowed-localhost | ||
| labels: | ||
| app: nginx-seccomp | ||
| spec: | ||
| containers: | ||
| - name: nginx | ||
| image: nginx | ||
| securityContext: | ||
| seccompProfile: | ||
| type: Localhost | ||
| localhostProfile: profile.log |
45 changes: 45 additions & 0 deletions
45
artifacthub/library/pod-security-policy/seccomp/1.1.0/suite.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| kind: Suite | ||
| apiVersion: test.gatekeeper.sh/v1alpha1 | ||
| metadata: | ||
| name: seccomp | ||
| tests: | ||
| - name: default-seccomp-required | ||
| template: template.yaml | ||
| constraint: samples/psp-seccomp/constraint.yaml | ||
| cases: | ||
| - name: example-disallowed-global | ||
| object: samples/psp-seccomp/example_disallowed2.yaml | ||
| assertions: | ||
| - violations: 1 | ||
| message: "Seccomp profile 'unconfined' is not allowed for container 'nginx'. Found at: annotation seccomp.security.alpha.kubernetes.io/pod" | ||
| - name: example-disallowed-container | ||
| object: samples/psp-seccomp/example_disallowed.yaml | ||
| assertions: | ||
| - violations: 1 | ||
| message: "Seccomp profile 'unconfined' is not allowed for container 'nginx'. Found at: annotation container.seccomp.security.alpha.kubernetes.io/nginx" | ||
| - name: example-allowed-container | ||
| object: samples/psp-seccomp/example_allowed.yaml | ||
| assertions: | ||
| - violations: no | ||
| - name: example-allowed-global | ||
| object: samples/psp-seccomp/example_allowed2.yaml | ||
| assertions: | ||
| - violations: no | ||
| - name: disallowed-ephemeral | ||
| object: samples/psp-seccomp/disallowed_ephemeral.yaml | ||
| assertions: | ||
| - violations: 1 | ||
| message: "Seccomp profile 'unconfined' is not allowed for container 'nginx'. Found at: annotation container.seccomp.security.alpha.kubernetes.io/nginx" | ||
| - name: example-allowed-container-exempt-image | ||
| object: samples/psp-seccomp/example_allowed_exempt_image.yaml | ||
| assertions: | ||
| - violations: no | ||
| - name: example-allowed-container-localhost-profile | ||
| object: samples/psp-seccomp/example_allowed_localhost.yaml | ||
| assertions: | ||
| - violations: no | ||
| - name: example-disallowed-container-localhost-profile | ||
| object: samples/psp-seccomp/example_disallowed_localhost.yaml | ||
| assertions: | ||
| - violations: 1 | ||
| message: "Seccomp profile 'localhost/profile.log' is not allowed for container 'nginx'. Found at: container securityContext." |
Oops, something went wrong.