Add k8sallowedreposv2 Policy with Exact Match & Glob Support (#616)

* Add allowedreposv2 policy and update documentation

Signed-off-by: yakirk <[email protected]>

* Add allowedreposv2 policy and update documentation

Signed-off-by: yakirk <[email protected]>

* Update allowedrepos version to 1.0.2

Signed-off-by: Yakir Kadkoda <[email protected]>

* Update constraint.tmpl

Update allowedrepos version to 1.0.2

Signed-off-by: yakirk <[email protected]>

* fix: Correct pod name in example_allowed_images

Signed-off-by: Yakir Kadkoda <[email protected]>

* Fix: Update and Correct suite.yaml Configuration

Signed-off-by: Yakir Kadkoda <[email protected]>

* Fix: Update and Correct samples and suite.yaml

Signed-off-by: Yakir Kadkoda <[email protected]>

* Fix: Update and Correct samples and suite.yaml

Signed-off-by: Yakir Kadkoda <[email protected]>

---------

Signed-off-by: yakirk <[email protected]>
Signed-off-by: Yakir Kadkoda <[email protected]>

artifacthub/library/general/allowedrepos/1.0.1/artifacthub-pkg.yml

@@ -3,7 +3,7 @@ name: k8sallowedrepos
 displayName: Allowed Repositories
 createdAt: "2023-10-30T20:59:57Z"
 description: Requires container images to begin with a string from the specified list.
-digest: eaff16a982c2d3029b280b3d4061d82b55215ac648efaafa341e25c7c77b635f
+digest: 1ee1bb4b4fb6128bdcd6bd84c81d1d1e02b4b9c0f9bd3eb85f9fd30e82742dd1
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/allowedrepos
 keywords:

artifacthub/library/general/allowedrepos/1.0.1/template.yaml

@@ -7,6 +7,8 @@ metadata:
     metadata.gatekeeper.sh/version: 1.0.1
     description: >-
       Requires container images to begin with a string from the specified list.
+      To prevent bypasses, ensure a '/' is added when specifying DockerHub repositories or custom registries.
+      If exact matches or glob-like syntax are preferred, use the k8sallowedreposv2 policy.
 spec:
   crd:
     spec:

artifacthub/library/general/allowedrepos/1.0.2/artifacthub-pkg.yml

@@ -0,0 +1,22 @@
+version: 1.0.2
+name: k8sallowedrepos
+displayName: Allowed Repositories
+createdAt: "2025-01-15T08:49:50Z"
+description: Requires container images to begin with a string from the specified list. To prevent bypasses, ensure a '/' is added when specifying DockerHub repositories or custom registries. If exact matches or glob-like syntax are preferred, use the k8sallowedreposv2 policy.
+digest: 626c7434f3b5f7593345580268fc8f6c68688b6c67efd6fe1eac7503bd166c9e
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/allowedrepos
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Allowed Repositories
+    Requires container images to begin with a string from the specified list. To prevent bypasses, ensure a '/' is added when specifying DockerHub repositories or custom registries. If exact matches or glob-like syntax are preferred, use the k8sallowedreposv2 policy.
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/allowedrepos/1.0.2/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library

artifacthub/library/general/allowedrepos/1.0.2/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - template.yaml

artifacthub/library/general/allowedrepos/1.0.2/samples/repo-must-be-openpolicyagent/constraint.yaml

@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sAllowedRepos
+metadata:
+  name: repo-is-openpolicyagent
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+    namespaces:
+      - "default"
+  parameters:
+    repos:
+      - "openpolicyagent/"

artifacthub/library/general/allowedrepos/1.0.2/samples/repo-must-be-openpolicyagent/disallowed_all.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-disallowed
+spec:
+  initContainers:
+  - name: nginx
+    image: nginx
+    resources:
+      limits:
+        cpu: "100m"
+        memory: "30Mi"
+  containers:
+    - name: nginx
+      image: nginx
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"
+  ephemeralContainers:
+    - name: nginx
+      image: nginx
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"

artifacthub/library/general/allowedrepos/1.0.2/samples/repo-must-be-openpolicyagent/example_allowed.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: opa-allowed
+spec:
+  containers:
+    - name: opa
+      image: openpolicyagent/opa:0.9.2
+      args:
+        - "run"
+        - "--server"
+        - "--addr=localhost:8080"
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"

artifacthub/library/general/allowedrepos/1.0.2/samples/repo-must-be-openpolicyagent/example_disallowed_both.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-disallowed
+spec:
+  initContainers:
+  - name: nginxinit
+    image: nginx
+    resources:
+      limits:
+        cpu: "100m"
+        memory: "30Mi"
+  containers:
+    - name: nginx
+      image: nginx
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"

artifacthub/library/general/allowedrepos/1.0.2/samples/repo-must-be-openpolicyagent/example_disallowed_container.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-disallowed
+spec:
+  containers:
+    - name: nginx
+      image: nginx
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"

artifacthub/library/general/allowedrepos/1.0.2/samples/repo-must-be-openpolicyagent/example_disallowed_initcontainer.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-disallowed
+spec:
+  initContainers:
+    - name: nginxinit
+      image: nginx
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"
+  containers:
+    - name: opa
+      image: openpolicyagent/opa:0.9.2
+      args:
+        - "run"
+        - "--server"
+        - "--addr=localhost:8080"
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"

artifacthub/library/general/allowedrepos/1.0.2/suite.yaml

@@ -0,0 +1,43 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: allowedrepos
+tests:
+- name: allowed-repos
+  template: template.yaml
+  constraint: samples/repo-must-be-openpolicyagent/constraint.yaml
+  cases:
+  - name: example-allowed
+    object: samples/repo-must-be-openpolicyagent/example_allowed.yaml
+    assertions:
+    - violations: no
+  - name: container-disallowed
+    object: samples/repo-must-be-openpolicyagent/example_disallowed_container.yaml
+    assertions:
+    - violations: yes
+      message: container
+  - name: initcontainer-disallowed
+    object: samples/repo-must-be-openpolicyagent/example_disallowed_initcontainer.yaml
+    assertions:
+    - violations: 1
+      message: initContainer
+    - violations: 0
+      message: container
+  - name: both-disallowed
+    object: samples/repo-must-be-openpolicyagent/example_disallowed_both.yaml
+    assertions:
+    - violations: 2
+    - message: initContainer
+      violations: 1
+    - message: container
+      violations: 1
+  - name: all-disallowed
+    object: samples/repo-must-be-openpolicyagent/disallowed_all.yaml
+    assertions:
+    - violations: 3
+    - message: initContainer
+      violations: 1
+    - message: container
+      violations: 1
+    - message: ephemeralContainer
+      violations: 1

artifacthub/library/general/allowedrepos/1.0.2/template.yaml

@@ -0,0 +1,48 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8sallowedrepos
+  annotations:
+    metadata.gatekeeper.sh/title: "Allowed Repositories"
+    metadata.gatekeeper.sh/version: 1.0.2
+    description: >-
+      Requires container images to begin with a string from the specified list.
+      To prevent bypasses, ensure a '/' is added when specifying DockerHub repositories or custom registries.
+      If exact matches or glob-like syntax are preferred, use the k8sallowedreposv2 policy.
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sAllowedRepos
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          type: object
+          properties:
+            repos:
+              description: The list of prefixes a container image is allowed to have.
+              type: array
+              items:
+                type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sallowedrepos
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.containers[_]
+          not strings.any_prefix_match(container.image, input.parameters.repos)
+          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+        }
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.initContainers[_]
+          not strings.any_prefix_match(container.image, input.parameters.repos)
+          msg := sprintf("initContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+        }
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.ephemeralContainers[_]
+          not strings.any_prefix_match(container.image, input.parameters.repos)
+          msg := sprintf("ephemeralContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+        }

artifacthub/library/general/allowedreposv2/1.0.0/artifacthub-pkg.yml

@@ -0,0 +1,22 @@
+version: 1.0.0
+name: k8sallowedreposv2
+displayName: Allowed Images
+createdAt: "2024-12-17T13:21:26Z"
+description: 'This policy enforces that container images must begin with a string from a specified list. The updated version, K8sAllowedReposv2, introduces support for exact match and glob-like syntax to enhance security: 1. Exact Match: By default, if the * character is not specified, the policy strictly checks for an exact match of the full registry, repository, and/or the image name. 2. Glob-like Syntax: Adding * at the end of a prefix allows prefix-based matching (e.g., registry.example.com/project/*). Only the * wildcard at the end of a string is supported. 3. Security Note: To avoid bypasses scenarios, ensure prefixes include a trailing / where appropriate (e.g., registry.example.com/project/*).'
+digest: f0cc8c9d1d326a9a23ae7a5c6e8a9c0b909e9fd1fab95fb5822519514e07a717
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/allowedreposv2
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Allowed Images
+    This policy enforces that container images must begin with a string from a specified list. The updated version, K8sAllowedReposv2, introduces support for exact match and glob-like syntax to enhance security: 1. Exact Match: By default, if the * character is not specified, the policy strictly checks for an exact match of the full registry, repository, and/or the image name. 2. Glob-like Syntax: Adding * at the end of a prefix allows prefix-based matching (e.g., registry.example.com/project/*). Only the * wildcard at the end of a string is supported. 3. Security Note: To avoid bypasses scenarios, ensure prefixes include a trailing / where appropriate (e.g., registry.example.com/project/*).
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/allowedreposv2/1.0.0/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library

artifacthub/library/general/allowedreposv2/1.0.0/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - template.yaml

artifacthub/library/general/allowedreposv2/1.0.0/samples/repo-must-be-openpolicyagent/constraint.yaml

@@ -0,0 +1,18 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sAllowedReposv2
+metadata:
+  name: repo-is-openpolicyagent
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+    namespaces:
+      - "default"
+  parameters:
+    allowedImages:
+      - "openpolicyagent/*"
+      - "myregistry.azurecr.io/*"
+      - "mydockerhub/*"
+      - "ubuntu:20.14"
+      - "123456789123.dkr.ecr.eu-west-1.amazonaws.com/postgres"

artifacthub/library/general/allowedreposv2/1.0.0/samples/repo-must-be-openpolicyagent/disallowed_all.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-disallowed
+spec:
+  initContainers:
+  - name: nginx
+    image: nginx
+    resources:
+      limits:
+        cpu: "100m"
+        memory: "30Mi"
+  containers:
+    - name: nginx
+      image: nginx
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"
+  ephemeralContainers:
+    - name: nginx
+      image: nginx
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"

artifacthub/library/general/allowedreposv2/1.0.0/samples/repo-must-be-openpolicyagent/example_allowed.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: opa-allowed
+spec:
+  containers:
+    - name: opa
+      image: openpolicyagent/opa:0.9.2
+      args:
+        - "run"
+        - "--server"
+        - "--addr=localhost:8080"
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"

artifacthub/library/general/allowedreposv2/1.0.0/samples/repo-must-be-openpolicyagent/example_allowed_images.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: opa-allowed
+spec:
+  containers:
+    - name: image
+      image: ubuntu:20.14
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"

artifacthub/library/general/allowedreposv2/1.0.0/samples/repo-must-be-openpolicyagent/example_disallowed_both.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-disallowed
+spec:
+  initContainers:
+  - name: nginxinit
+    image: nginx
+    resources:
+      limits:
+        cpu: "100m"
+        memory: "30Mi"
+  containers:
+    - name: nginx
+      image: nginx
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"

artifacthub/library/general/allowedreposv2/1.0.0/samples/repo-must-be-openpolicyagent/example_disallowed_container.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-disallowed
+spec:
+  containers:
+    - name: nginx
+      image: nginx
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"