Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: adding cel for psp/volume and psp/selinux #530

Open
wants to merge 19 commits into
base: master
Choose a base branch
from
Open

chore: adding cel for psp/volume and psp/selinux #530

wants to merge 19 commits into from

Conversation

JaydipGabani
Copy link
Contributor

@JaydipGabani JaydipGabani commented May 22, 2024
edited
Loading

What this PR does / why we need it:

Which issue(s) does this PR fix (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #541

Special notes for your reviewer:

@JaydipGabani JaydipGabani requested a review from a team as a code owner May 22, 2024 21:17
@JaydipGabani
adding cel for psp/volume and pss/selinux
48fe8ce 
Signed-off-by: Jaydip Gabani <[email protected]>
@JaydipGabani
using anyObject
9e3281f 
Signed-off-by: Jaydip Gabani <[email protected]>
@JaydipGabani JaydipGabani assigned maxsmythe and unassigned maxsmythe May 29, 2024
@JaydipGabani JaydipGabani changed the title chore: adding cel for psp/volume and pss/selinux chore: adding cel for psp/volume and psp/selinux May 29, 2024
maxsmythe
maxsmythe reviewed May 31, 2024
View reviewed changes
Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One comment on pod-level check

website/docs/validation/selinux.md Outdated Show resolved Hide resolved
website/docs/validation/selinux.md Outdated Show resolved Hide resolved
@JaydipGabani
fixing psp-selinux
8de4763 
Signed-off-by: Jaydip Gabani <[email protected]>
@JaydipGabani JaydipGabani requested a review from maxsmythe June 3, 2024 22:33
sozercan
sozercan approved these changes Sep 4, 2024
View reviewed changes
Copy link
Member

@sozercan sozercan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! LGTM

@stale Stale
Copy link

stale bot commented Dec 3, 2024

This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Dec 3, 2024
@sathieu sathieu mentioned this pull request Dec 13, 2024
Open
maxsmythe
maxsmythe requested changes Jan 15, 2025
View reviewed changes
artifacthub/library/pod-security-policy/selinux/1.1.0/template.yaml
variables:
- name: usingAllowedSELinuxOptions
expression: |
has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.seLinuxOptions) ?
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test looks wrong. Shouldn't we be assuming an option is disallowed unless specifically allowed by parameters?

As-written, it looks like undefined parameters => allow everything, which would seem to drift from the rego.

Adding gator tests for this would validate the drift.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! I fixed it, it should be in parity with rego now.

@JaydipGabani
Copy link
Contributor Author

@sozercan @maxsmythe @ritazh as of now the rego written for policy will deny a pod when disallowed seLinuxOptions are defined at pod level but the container is exempt. Is that intended behavior?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maxsmythe maxsmythe maxsmythe requested changes

@mounicarajput mounicarajput mounicarajput approved these changes

@sozercan sozercan sozercan approved these changes

@ritazh ritazh Awaiting requested review from ritazh

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add CEL code for PSP Policies in library
4 participants
@JaydipGabani @sozercan @maxsmythe @mounicarajput