From cfcef15c7e4aee17e65958dfefe85272b1914c2b Mon Sep 17 00:00:00 2001
From: Brandon Booker <bbooker@vt.edu>
Date: Tue, 28 Jan 2025 18:58:36 +0000
Subject: [PATCH] PLATFORM-2982 - remove pss policies
---
Chart.yaml | 2 +-
README.md | 1 -
rego/pss_apparmor/policy.rego | 111 ---
rego/pss_apparmor/policy_test.rego | 374 ----------
rego/pss_host_namespaces/policy.rego | 139 ----
rego/pss_host_namespaces/policy_test.rego | 421 -----------
rego/pss_hostpath_volumes/policy.rego | 109 ---
rego/pss_hostpath_volumes/policy_test.rego | 239 -------
rego/pss_hostports/policy.rego | 108 ---
rego/pss_hostports/policy_test.rego | 345 ---------
rego/pss_pod_capabilities/policy.rego | 111 ---
rego/pss_pod_capabilities/policy_test.rego | 585 ---------------
rego/pss_privileged_pods/policy.rego | 106 ---
rego/pss_privileged_pods/policy_test.rego | 224 ------
rego/pss_procmounts/policy.rego | 108 ---
rego/pss_procmounts/policy_test.rego | 454 ------------
rego/pss_seccomp/policy.rego | 121 ----
rego/pss_seccomp/policy_test.rego | 671 ------------------
rego/pss_selinux/policy.rego | 142 ----
rego/pss_selinux/policy_test.rego | 663 -----------------
rego/pss_sysctl_options/policy.rego | 109 ---
rego/pss_sysctl_options/policy_test.rego | 268 -------
.../constraint_template_pss_apparmor.yaml | 13 -
...onstraint_template_pss_host_namespace.yaml | 13 -
...nstraint_template_pss_hostpath_volume.yaml | 13 -
.../constraint_template_pss_hostport.yaml | 13 -
...straint_template_pss_pod_capabilities.yaml | 13 -
.../constraint_template_pss_privileged.yaml | 13 -
.../constraint_template_pss_procmount.yaml | 13 -
.../constraint_template_pss_seccomp.yaml | 13 -
.../constraint_template_pss_selinux.yaml | 13 -
...onstraint_template_pss_sysctl_options.yaml | 13 -
32 files changed, 1 insertion(+), 5540 deletions(-)
delete mode 100644 rego/pss_apparmor/policy.rego
delete mode 100644 rego/pss_apparmor/policy_test.rego
delete mode 100644 rego/pss_host_namespaces/policy.rego
delete mode 100644 rego/pss_host_namespaces/policy_test.rego
delete mode 100644 rego/pss_hostpath_volumes/policy.rego
delete mode 100644 rego/pss_hostpath_volumes/policy_test.rego
delete mode 100644 rego/pss_hostports/policy.rego
delete mode 100644 rego/pss_hostports/policy_test.rego
delete mode 100644 rego/pss_pod_capabilities/policy.rego
delete mode 100644 rego/pss_pod_capabilities/policy_test.rego
delete mode 100644 rego/pss_privileged_pods/policy.rego
delete mode 100644 rego/pss_privileged_pods/policy_test.rego
delete mode 100644 rego/pss_procmounts/policy.rego
delete mode 100644 rego/pss_procmounts/policy_test.rego
delete mode 100644 rego/pss_seccomp/policy.rego
delete mode 100644 rego/pss_seccomp/policy_test.rego
delete mode 100644 rego/pss_selinux/policy.rego
delete mode 100644 rego/pss_selinux/policy_test.rego
delete mode 100644 rego/pss_sysctl_options/policy.rego
delete mode 100644 rego/pss_sysctl_options/policy_test.rego
delete mode 100644 templates/constraint_template_pss_apparmor.yaml
delete mode 100644 templates/constraint_template_pss_host_namespace.yaml
delete mode 100644 templates/constraint_template_pss_hostpath_volume.yaml
delete mode 100644 templates/constraint_template_pss_hostport.yaml
delete mode 100644 templates/constraint_template_pss_pod_capabilities.yaml
delete mode 100644 templates/constraint_template_pss_privileged.yaml
delete mode 100644 templates/constraint_template_pss_procmount.yaml
delete mode 100644 templates/constraint_template_pss_seccomp.yaml
delete mode 100644 templates/constraint_template_pss_selinux.yaml
delete mode 100644 templates/constraint_template_pss_sysctl_options.yaml
diff --git a/Chart.yaml b/Chart.yaml
index cc6a546..b33aff3 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,4 +1,4 @@
apiVersion: v2
name: constraint-templates
-version: 1.7.2
+version: 2.0.0
appVersion: 1.0.0
diff --git a/README.md b/README.md
index ffb37cb..496893f 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,6 @@ The following policies are defined within this chart:
- `BlockNodePort` - prevents NodePort Services from being defined
- `ContainerResourceQuotas` - requires CPU/memory definitions for resource requests and limits
- `FluxTenant` - ensures the `serviceAccountName` and `targetNamespace` fields are specified and that the `targetNamespace` matches the namespace on Kustomization and HelmRelease objects, preventing namespace escapes
-- `Pss*` - each policy implements one of the policies listed in the [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
## Development
diff --git a/rego/pss_apparmor/policy.rego b/rego/pss_apparmor/policy.rego
deleted file mode 100644
index 9d40672..0000000
--- a/rego/pss_apparmor/policy.rego
+++ /dev/null
@@ -1,111 +0,0 @@
-package pss_apparmor
-
-apparmor_keys[containerName] = key {
- containerName := containers[_].name
- key := sprintf("%s/%s", ["container.apparmor.security.beta.kubernetes.io", containerName])
-}
-
-custom_apparmor_containers[containerName] {
- key := apparmor_keys[containerName]
- annotation := annotations[_]
- val = annotation[key]
- val != "runtime/default"
- not startswith(val, "localhost/")
-}
-
-violation[msg] {
- failedContainer := custom_apparmor_containers[_]
-
- msg := format(sprintf("Container '%s' of %s '%s' should specify an AppArmor profile", [failedContainer, kind, name]))
-}
-
-################### LIBRARY ###################
-
-default is_gatekeeper = true
-
-object = input.review.object {
- is_gatekeeper
-}
-
-format(msg) = gatekeeper_format {
- is_gatekeeper
- gatekeeper_format = {"msg": msg}
-}
-
-name = object.metadata.name
-
-kind = object.kind
-
-is_pod {
- kind = "Pod"
-}
-
-is_cronjob {
- kind = "CronJob"
-}
-
-default is_controller = false
-
-is_controller {
- kind = "Deployment"
-}
-
-is_controller {
- kind = "StatefulSet"
-}
-
-is_controller {
- kind = "DaemonSet"
-}
-
-is_controller {
- kind = "ReplicaSet"
-}
-
-is_controller {
- kind = "ReplicationController"
-}
-
-is_controller {
- kind = "Job"
-}
-
-pod_containers(pod) = all_containers {
- keys = {"containers", "initContainers"}
- all_containers = [c | keys[k]; c = pod.spec[k][_]]
-}
-
-containers[container] {
- pods[pod]
- all_containers = pod_containers(pod)
- container = all_containers[_]
-}
-
-containers[container] {
- all_containers = pod_containers(object)
- container = all_containers[_]
-}
-
-annotations[annotation] {
- pods[pod]
- annotation = pod.metadata.annotations
-}
-
-pods[pod] {
- is_pod
- pod = object
-}
-
-pods[pod] {
- is_controller
- pod = object.spec.template
-}
-
-pods[pod] {
- is_cronjob
- pod = object.spec.jobTemplate.spec.template
-}
-
-has_field(obj, field) {
- obj[field]
-}
diff --git a/rego/pss_apparmor/policy_test.rego b/rego/pss_apparmor/policy_test.rego
deleted file mode 100644
index e199012..0000000
--- a/rego/pss_apparmor/policy_test.rego
+++ /dev/null
@@ -1,374 +0,0 @@
-package pss_apparmor
-
-################Helpers##############################
-
-review_pod(annotations) = out {
- out = {
- "object": {
- "kind": "Pod",
- "apiVersion": "v1",
- "metadata": {
- "name": "my-pod",
- "annotations": annotations,
- },
- "spec": {
- "containers": [ {"name" : "hello"}, ],
- },
- }
- }
-}
-
-review_deployment(annotations) = out {
- out = {
- "object": {
- "kind": "Deployment",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-deployment",
- },
- "spec": {
- "template": {
- "metadata": {
- "annotations": annotations,
- },
- "spec": {
- "containers": [ {"name" : "hello"}, ],
- },
- }
- }
- }
- }
-}
-
-review_daemonset(annotations) = out {
- out = {
- "object": {
- "kind": "DaemonSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-daemonset",
- },
- "spec": {
- "template": {
- "metadata": {
- "annotations": annotations,
- },
- "spec": {
- "containers": [ {"name" : "hello"}, ],
- },
- }
- }
- }
- }
-}
-
-review_replicaset(annotations) = out {
- out = {
- "object": {
- "kind": "ReplicaSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-replicaset",
- },
- "spec": {
- "template": {
- "metadata": {
- "annotations": annotations,
- },
- "spec": {
- "containers": [ {"name" : "hello"}, ],
- },
- }
- }
- }
- }
-}
-
-review_statefulset(annotations) = out {
- out = {
- "object": {
- "kind": "StatefulSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-statefulset",
- },
- "spec": {
- "template": {
- "metadata": {
- "annotations": annotations,
- },
- "spec": {
- "containers": [ {"name" : "hello"}, ],
- },
- }
- }
- }
- }
-}
-
-review_job(annotations) = out {
- out = {
- "object": {
- "kind": "Job",
- "apiVersion": "batch/v1",
- "metadata": {
- "name": "my-job",
- },
- "spec": {
- "template": {
- "metadata": {
- "annotations": annotations,
- },
- "spec": {
- "containers": [ {"name" : "hello"}, ],
- },
- }
- }
- }
- }
-}
-
-review_cronjob(annotations) = out {
- out = {
- "object": {
- "kind": "CronJob",
- "apiVersion": "batch/v1",
- "metadata": {
- "name": "my-cronjob",
- },
- "spec": {
- "jobTemplate": {
- "spec" : {
- "template": {
- "metadata": {
- "annotations": annotations,
- },
- "spec": {
- "containers": [ {"name" : "hello"}, ],
- },
- }
- }
- }
- }
- }
- }
-}
-
-input_obj(review) = out {
- out = {
- "parameters": {},
- "review": review
- }
-}
-
-################Container Tests######################
-
-test_not_allowed_apparmor_profile_container_on_pod {
- input := input_obj(review_pod({"container.apparmor.security.beta.kubernetes.io/hello":"custom"}))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_when_apparmor_profile_specified_on_nonexisting_container_on_pod {
- input := input_obj(review_pod({"container.apparmor.security.beta.kubernetes.io/something-else":"custom"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_localhost_apparmor_profile_container_on_pod {
- input := input_obj(review_pod({"container.apparmor.security.beta.kubernetes.io/hello":"localhost/test"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_apparmor_profile_container_on_pod {
- input := input_obj(review_pod({"container.apparmor.security.beta.kubernetes.io/hello":"runtime/default"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_apparmor_profile_nill_container_on_pod {
- input := input_obj(review_pod(null))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_apparmor_profile_container_on_deployment {
- input := input_obj(review_deployment({"container.apparmor.security.beta.kubernetes.io/hello":"custom"}))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_when_apparmor_profile_specified_on_nonexisting_container_on_pod {
- input := input_obj(review_deployment({"container.apparmor.security.beta.kubernetes.io/something-else":"custom"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_localhost_apparmor_profile_container_on_pod {
- input := input_obj(review_deployment({"container.apparmor.security.beta.kubernetes.io/hello":"localhost/test"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_apparmor_profile_container_on_deployment {
- input := input_obj(review_deployment({"container.apparmor.security.beta.kubernetes.io/hello":"runtime/default"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_apparmor_profile_nill_container_on_deployment {
- input := input_obj(review_deployment(null))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_apparmor_profile_container_on_daemonset {
- input := input_obj(review_daemonset({"container.apparmor.security.beta.kubernetes.io/hello":"custom"}))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_when_apparmor_profile_specified_on_nonexisting_container_on_pod {
- input := input_obj(review_daemonset({"container.apparmor.security.beta.kubernetes.io/something-else":"custom"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_localhost_apparmor_profile_container_on_pod {
- input := input_obj(review_daemonset({"container.apparmor.security.beta.kubernetes.io/hello":"localhost/test"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_apparmor_profile_container_on_daemonset {
- input := input_obj(review_daemonset({"container.apparmor.security.beta.kubernetes.io/hello":"runtime/default"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_apparmor_profile_nill_container_on_daemonset {
- input := input_obj(review_daemonset(null))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_apparmor_profile_container_on_replicaset {
- input := input_obj(review_replicaset({"container.apparmor.security.beta.kubernetes.io/hello":"custom"}))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_when_apparmor_profile_specified_on_nonexisting_container_on_pod {
- input := input_obj(review_replicaset({"container.apparmor.security.beta.kubernetes.io/something-else":"custom"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_localhost_apparmor_profile_container_on_pod {
- input := input_obj(review_replicaset({"container.apparmor.security.beta.kubernetes.io/hello":"localhost/test"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_apparmor_profile_container_on_replicaset {
- input := input_obj(review_replicaset({"container.apparmor.security.beta.kubernetes.io/hello":"runtime/default"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_apparmor_profile_nill_container_on_replicaset {
- input := input_obj(review_replicaset(null))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_apparmor_profile_container_on_statefulset {
- input := input_obj(review_statefulset({"container.apparmor.security.beta.kubernetes.io/hello":"custom"}))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_when_apparmor_profile_specified_on_nonexisting_container_on_pod {
- input := input_obj(review_statefulset({"container.apparmor.security.beta.kubernetes.io/something-else":"custom"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_localhost_apparmor_profile_container_on_pod {
- input := input_obj(review_statefulset({"container.apparmor.security.beta.kubernetes.io/hello":"localhost/test"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_apparmor_profile_container_on_statefulset {
- input := input_obj(review_statefulset({"container.apparmor.security.beta.kubernetes.io/hello":"runtime/default"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_apparmor_profile_nill_container_on_statefulset {
- input := input_obj(review_statefulset(null))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_apparmor_profile_container_on_job {
- input := input_obj(review_job({"container.apparmor.security.beta.kubernetes.io/hello":"custom"}))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_when_apparmor_profile_specified_on_nonexisting_container_on_pod {
- input := input_obj(review_job({"container.apparmor.security.beta.kubernetes.io/something-else":"custom"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_localhost_apparmor_profile_container_on_pod {
- input := input_obj(review_job({"container.apparmor.security.beta.kubernetes.io/hello":"localhost/test"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_apparmor_profile_container_on_job {
- input := input_obj(review_job({"container.apparmor.security.beta.kubernetes.io/hello":"runtime/default"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_apparmor_profile_nill_container_on_job {
- input := input_obj(review_job(null))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_apparmor_profile_container_on_cronjob {
- input := input_obj(review_cronjob({"container.apparmor.security.beta.kubernetes.io/hello":"custom"}))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_when_apparmor_profile_specified_on_nonexisting_container_on_pod {
- input := input_obj(review_cronjob({"container.apparmor.security.beta.kubernetes.io/something-else":"custom"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_localhost_apparmor_profile_container_on_pod {
- input := input_obj(review_cronjob({"container.apparmor.security.beta.kubernetes.io/hello":"localhost/test"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_apparmor_profile_container_on_cronjob {
- input := input_obj(review_cronjob({"container.apparmor.security.beta.kubernetes.io/hello":"runtime/default"}))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_apparmor_profile_nill_container_on_cronjob {
- input := input_obj(review_cronjob(null))
- results := violation with input as input
- count(results) == 0
-}
\ No newline at end of file
diff --git a/rego/pss_host_namespaces/policy.rego b/rego/pss_host_namespaces/policy.rego
deleted file mode 100644
index 2d6854f..0000000
--- a/rego/pss_host_namespaces/policy.rego
+++ /dev/null
@@ -1,139 +0,0 @@
-package pss_hostnamespaces
-
-
-violation[msg] {
- failHostNetwork
-
- msg := format(sprintf("%s '%s' should not set 'spec.template.spec.hostNetwork' to true", [kind, name]))
-}
-
-violation[msg] {
- failHostIPC
-
- msg := format(sprintf("%s '%s' should not set 'spec.template.spec.hostIPC' to true", [kind, name]))
-}
-
-violation[msg] {
- failHostPID
-
- msg := format(sprintf("%s '%s' should not set 'spec.template.spec.hostPID' to true", [kind, name]))
-}
-
-# failHostNetwork is true if spec.hostNetwork is set to true (on all controllers)
-failHostNetwork {
- host_networks[_] == true
-}
-
-# failHostIPC is true if spec.hostIPC is set to true (on all resources)
-failHostIPC {
- host_ipcs[_] == true
-}
-
-# failHostPID is true if spec.hostPID is set to true (on all controllers)
-failHostPID {
- host_pids[_] == true
-}
-
-
-
-################### LIBRARY ###################
-
-
-default is_gatekeeper = true
-
-object = input.review.object {
- is_gatekeeper
-}
-
-format(msg) = gatekeeper_format {
- is_gatekeeper
- gatekeeper_format = {"msg": msg}
-}
-
-name = object.metadata.name
-
-kind = object.kind
-
-is_pod {
- kind = "Pod"
-}
-
-is_cronjob {
- kind = "CronJob"
-}
-
-default is_controller = false
-
-is_controller {
- kind = "Deployment"
-}
-
-is_controller {
- kind = "StatefulSet"
-}
-
-is_controller {
- kind = "DaemonSet"
-}
-
-is_controller {
- kind = "ReplicaSet"
-}
-
-is_controller {
- kind = "ReplicationController"
-}
-
-is_controller {
- kind = "Job"
-}
-
-pod_containers(pod) = all_containers {
- keys = {"containers", "initContainers"}
- all_containers = [c | keys[k]; c = pod.spec[k][_]]
-}
-
-containers[container] {
- pods[pod]
- all_containers = pod_containers(pod)
- container = all_containers[_]
-}
-
-containers[container] {
- all_containers = pod_containers(object)
- container = all_containers[_]
-}
-
-pods[pod] {
- is_pod
- pod = object
-}
-
-pods[pod] {
- is_controller
- pod = object.spec.template
-}
-
-pods[pod] {
- is_cronjob
- pod = object.spec.jobTemplate.spec.template
-}
-
-has_field(obj, field) {
- obj[field]
-}
-
-host_networks[host_network] {
- pods[pod]
- host_network = pod.spec.hostNetwork
-}
-
-host_ipcs[host_ipc] {
- pods[pod]
- host_ipc = pod.spec.hostIPC
-}
-
-host_pids[host_pid] {
- pods[pod]
- host_pid = pod.spec.hostPID
-}
diff --git a/rego/pss_host_namespaces/policy_test.rego b/rego/pss_host_namespaces/policy_test.rego
deleted file mode 100644
index 3b89e8c..0000000
--- a/rego/pss_host_namespaces/policy_test.rego
+++ /dev/null
@@ -1,421 +0,0 @@
-package pss_hostnamespaces
-
-test_host_network_on_pod {
- pod_spec := {"spec":{"hostNetwork":true}}
- input := input_obj(pod_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_network_on_pod {
- pod_spec := {"spec":{"hostNetwork":false}}
- input := input_obj(pod_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_host_ipc_on_pod {
- pod_spec := {"spec":{"hostIPC":true}}
- input := input_obj(pod_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_ipc_on_pod {
- pod_spec := {"spec":{"hostIPC":false}}
- input := input_obj(pod_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_host_pid_on_pod {
- pod_spec := {"spec":{"hostPID":true}}
- input := input_obj(pod_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_pid_on_pod {
- pod_spec := {"spec":{"hostPID":false}}
- input := input_obj(pod_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_host_network_on_deployment {
- pod_spec := {"spec":{"hostNetwork":true}}
- input := input_obj(deployment_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_network_on_deployment {
- pod_spec := {"spec":{"hostNetwork":false}}
- input := input_obj(deployment_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_host_ipc_on_deployment {
- pod_spec := {"spec":{"hostIPC":true}}
- input := input_obj(deployment_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_ipc_on_deployment {
- pod_spec := {"spec":{"hostIPC":false}}
- input := input_obj(deployment_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_host_pid_on_deployment {
- pod_spec := {"spec":{"hostPID":true}}
- input := input_obj(deployment_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_pid_on_deployment {
- pod_spec := {"spec":{"hostPID":false}}
- input := input_obj(deployment_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_host_network_on_daemonset {
- pod_spec := {"spec":{"hostNetwork":true}}
- input := input_obj(daemonset_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_network_on_daemonset {
- pod_spec := {"spec":{"hostNetwork":false}}
- input := input_obj(daemonset_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_host_ipc_on_daemonset {
- pod_spec := {"spec":{"hostIPC":true}}
- input := input_obj(daemonset_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_ipc_on_daemonset {
- pod_spec := {"spec":{"hostIPC":false}}
- input := input_obj(daemonset_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_host_pid_on_daemonset {
- pod_spec := {"spec":{"hostPID":true}}
- input := input_obj(daemonset_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_pid_on_daemonset {
- pod_spec := {"spec":{"hostPID":false}}
- input := input_obj(daemonset_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_host_network_on_replicaset {
- pod_spec := {"spec":{"hostNetwork":true}}
- input := input_obj(replicaset_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_network_on_replicaset {
- pod_spec := {"spec":{"hostNetwork":false}}
- input := input_obj(replicaset_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_host_ipc_on_replicaset {
- pod_spec := {"spec":{"hostIPC":true}}
- input := input_obj(replicaset_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_ipc_on_replicaset {
- pod_spec := {"spec":{"hostIPC":false}}
- input := input_obj(replicaset_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_host_pid_on_replicaset {
- pod_spec := {"spec":{"hostPID":true}}
- input := input_obj(replicaset_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_pid_on_replicaset {
- pod_spec := {"spec":{"hostPID":false}}
- input := input_obj(replicaset_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_host_network_on_statefulset {
- pod_spec := {"spec":{"hostNetwork":true}}
- input := input_obj(statefulset_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_network_on_statefulset {
- pod_spec := {"spec":{"hostNetwork":false}}
- input := input_obj(statefulset_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_host_ipc_on_statefulset {
- pod_spec := {"spec":{"hostIPC":true}}
- input := input_obj(statefulset_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_ipc_on_statefulset {
- pod_spec := {"spec":{"hostIPC":false}}
- input := input_obj(statefulset_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_host_pid_on_statefulset {
- pod_spec := {"spec":{"hostPID":true}}
- input := input_obj(statefulset_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_pid_on_statefulset {
- pod_spec := {"spec":{"hostPID":false}}
- input := input_obj(statefulset_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_host_network_on_job {
- pod_spec := {"spec":{"hostNetwork":true}}
- input := input_obj(job_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_network_on_job {
- pod_spec := {"spec":{"hostNetwork":false}}
- input := input_obj(job_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_host_ipc_on_job {
- pod_spec := {"spec":{"hostIPC":true}}
- input := input_obj(job_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_ipc_on_job {
- pod_spec := {"spec":{"hostIPC":false}}
- input := input_obj(job_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_host_pid_on_job {
- pod_spec := {"spec":{"hostPID":true}}
- input := input_obj(job_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_pid_on_job {
- pod_spec := {"spec":{"hostPID":false}}
- input := input_obj(job_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_host_network_on_cronjob {
- pod_spec := {"spec":{"hostNetwork":true}}
- input := input_obj(cronjob_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_network_on_cronjob {
- pod_spec := {"spec":{"hostNetwork":false}}
- input := input_obj(cronjob_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_host_ipc_on_cronjob {
- pod_spec := {"spec":{"hostIPC":true}}
- input := input_obj(cronjob_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_ipc_on_cronjob {
- pod_spec := {"spec":{"hostIPC":false}}
- input := input_obj(cronjob_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_host_pid_on_cronjob {
- pod_spec := {"spec":{"hostPID":true}}
- input := input_obj(cronjob_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_host_pid_on_cronjob {
- pod_spec := {"spec":{"hostPID":false}}
- input := input_obj(cronjob_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-pod_definition(pod_spec) = out {
- out = {
- "object": {
- "kind": "Pod",
- "apiVersion": "v1",
- "metadata": {
- "name": "my-pod",
- },
- "spec": pod_spec.spec
- }
- }
-}
-
-deployment_definition(pod_spec) = out {
- out = {
- "object": {
- "kind": "Deployment",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-deployment",
- },
- "spec": {
- "template": {
- "spec": pod_spec.spec
- }
- }
- }
- }
-}
-
-daemonset_definition(pod_spec) = out {
- out = {
- "object": {
- "kind": "DaemonSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-daemonset",
- },
- "spec": {
- "template": {
- "spec": pod_spec.spec
- }
- }
- }
- }
-}
-
-replicaset_definition(pod_spec) = out {
- out = {
- "object": {
- "kind": "ReplicaSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-replicaset",
- },
- "spec": {
- "template": {
- "spec": pod_spec.spec
- }
- }
- }
- }
-}
-
-statefulset_definition(pod_spec) = out {
- out = {
- "object": {
- "kind": "StatefulSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-statefulset",
- },
- "spec": {
- "template": {
- "spec": pod_spec.spec
- }
- }
- }
- }
-}
-
-job_definition(pod_spec) = out {
- out = {
- "object": {
- "kind": "Job",
- "apiVersion": "batch/v1",
- "metadata": {
- "name": "my-job",
- },
- "spec": {
- "template": {
- "spec": pod_spec.spec
- }
- }
- }
- }
-}
-
-cronjob_definition(pod_spec) = out {
- out = {
- "object": {
- "kind": "CronJob",
- "apiVersion": "batch/v1",
- "metadata": {
- "name": "my-cronjob",
- },
- "spec": {
- "jobTemplate": {
- "spec" : {
- "template": {
- "spec": pod_spec.spec
- }
- }
- }
- }
- }
- }
-}
-
-input_obj(review) = out {
- out = {
- "parameters": {},
- "review": review
- }
-}
diff --git a/rego/pss_hostpath_volumes/policy.rego b/rego/pss_hostpath_volumes/policy.rego
deleted file mode 100644
index 75e9ec2..0000000
--- a/rego/pss_hostpath_volumes/policy.rego
+++ /dev/null
@@ -1,109 +0,0 @@
-package pss_hostpathvolumes
-
-
-violation[msg] {
- failHostPathVolume
-
- msg := format(sprintf("%s '%s' should not set 'spec.template.volumes.hostPath'", [kind, name]))
-}
-
-failHostPathVolume {
- allVolumes := volumes
- has_key(allVolumes[_], "hostPath")
-}
-
-
-################### LIBRARY ###################
-
-default is_gatekeeper = true
-
-object = input.review.object {
- is_gatekeeper
-}
-
-format(msg) = gatekeeper_format {
- is_gatekeeper
- gatekeeper_format = {"msg": msg}
-}
-
-name = object.metadata.name
-
-kind = object.kind
-
-is_pod {
- kind = "Pod"
-}
-
-is_cronjob {
- kind = "CronJob"
-}
-
-default is_controller = false
-
-is_controller {
- kind = "Deployment"
-}
-
-is_controller {
- kind = "StatefulSet"
-}
-
-is_controller {
- kind = "DaemonSet"
-}
-
-is_controller {
- kind = "ReplicaSet"
-}
-
-is_controller {
- kind = "ReplicationController"
-}
-
-is_controller {
- kind = "Job"
-}
-
-pod_containers(pod) = all_containers {
- keys = {"containers", "initContainers", "ephemeralContainers"}
- all_containers = [c | keys[k]; c = pod.spec[k][_]]
-}
-
-containers[container] {
- pods[pod]
- all_containers = pod_containers(pod)
- container = all_containers[_]
-}
-
-containers[container] {
- all_containers = pod_containers(object)
- container = all_containers[_]
-}
-
-pods[pod] {
- is_pod
- pod = object
-}
-
-pods[pod] {
- is_controller
- pod = object.spec.template
-}
-
-pods[pod] {
- is_cronjob
- pod = object.spec.jobTemplate.spec.template
-}
-
-volumes[volume] {
- pods[pod]
- volume = pod.spec.volumes[_]
-}
-
-has_field(obj, field) {
- obj[field]
-}
-
-has_key(x, k) {
- _ = x[k]
-}
diff --git a/rego/pss_hostpath_volumes/policy_test.rego b/rego/pss_hostpath_volumes/policy_test.rego
deleted file mode 100644
index b3e47b4..0000000
--- a/rego/pss_hostpath_volumes/policy_test.rego
+++ /dev/null
@@ -1,239 +0,0 @@
-package pss_hostpathvolumes
-
-test_hostpath_on_pod {
- pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}},{"name":"test-volume","hostPath":{"path":"/data","type":"Directory"}}]}
- input := input_obj(pod_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_hostpath_on_pod {
- pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":"{}"}]}
- input := input_obj(pod_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_hostpath_on_deployment {
- pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}},{"name":"test-volume","hostPath":{"path":"/data","type":"Directory"}}]}
- input := input_obj(deployment_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_hostpath_on_deployment {
- pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}}]}
- input := input_obj(deployment_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_hostpath_on_daemonset {
- pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}},{"name":"test-volume","hostPath":{"path":"/data","type":"Directory"}}]}
- input := input_obj(daemonset_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_hostpath_on_daemonset {
- pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}}]}
- input := input_obj(daemonset_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_hostpath_on_replicaset {
- pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}},{"name":"test-volume","hostPath":{"path":"/data","type":"Directory"}}]}
- input := input_obj(replicaset_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_hostpath_on_replicaset {
- pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}}]}
- input := input_obj(replicaset_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_hostpath_on_statefulset {
- pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}},{"name":"test-volume","hostPath":{"path":"/data","type":"Directory"}}]}
- input := input_obj(statefulset_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_hostpath_on_statefulset {
- pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}}]}
- input := input_obj(statefulset_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_hostpath_on_job {
- pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}},{"name":"test-volume","hostPath":{"path":"/data","type":"Directory"}}]}
- input := input_obj(job_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_hostpath_on_job {
- pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}}]}
- input := input_obj(job_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-test_hostpath_on_cronjob {
- pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}},{"name":"test-volume","hostPath":{"path":"/data","type":"Directory"}}]}
- input := input_obj(cronjob_definition(pod_spec))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_hostpath_on_cronjob {
- pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}}]}
- input := input_obj(cronjob_definition(pod_spec))
- results := violation with input as input
- count(results) == 0
-}
-
-pod_definition(pod_spec) = out {
- out = {
- "object": {
- "kind": "Pod",
- "apiVersion": "v1",
- "metadata": {
- "name": "my-pod",
- },
- "spec": {
- "volumes": pod_spec.volumes
- }
- }
- }
-}
-
-deployment_definition(pod_spec) = out {
- out = {
- "object": {
- "kind": "Deployment",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-deployment",
- },
- "spec": {
- "template": {
- "spec": {
- "volumes": pod_spec.volumes
- }
- }
- }
- }
- }
-}
-
-daemonset_definition(pod_spec) = out {
- out = {
- "object": {
- "kind": "DaemonSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-daemonset",
- },
- "spec": {
- "template": {
- "spec": {
- "volumes": pod_spec.volumes
- }
- }
- }
- }
- }
-}
-
-replicaset_definition(pod_spec) = out {
- out = {
- "object": {
- "kind": "ReplicaSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-replicaset",
- },
- "spec": {
- "template": {
- "spec": {
- "volumes": pod_spec.volumes
- }
- }
- }
- }
- }
-}
-
-statefulset_definition(pod_spec) = out {
- out = {
- "object": {
- "kind": "StatefulSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-statefulset",
- },
- "spec": {
- "template": {
- "spec": {
- "volumes": pod_spec.volumes
- }
- }
- }
- }
- }
-}
-
-job_definition(pod_spec) = out {
- out = {
- "object": {
- "kind": "Job",
- "apiVersion": "batch/v1",
- "metadata": {
- "name": "my-job",
- },
- "spec": {
- "template": {
- "spec": {
- "volumes": pod_spec.volumes
- }
- }
- }
- }
- }
-}
-
-cronjob_definition(pod_spec) = out {
- out = {
- "object": {
- "kind": "CronJob",
- "apiVersion": "batch/v1",
- "metadata": {
- "name": "my-cronjob",
- },
- "spec": {
- "jobTemplate": {
- "spec" : {
- "template": {
- "spec": {
- "volumes": pod_spec.volumes
- }
- }
- }
- }
- }
- }
- }
-}
-
-input_obj(review) = out {
- out = {
- "parameters": {},
- "review": review
- }
-}
diff --git a/rego/pss_hostports/policy.rego b/rego/pss_hostports/policy.rego
deleted file mode 100644
index c5399d3..0000000
--- a/rego/pss_hostports/policy.rego
+++ /dev/null
@@ -1,108 +0,0 @@
-package pss_hostports
-
-
-violation[msg] {
- failHostPorts := getContainersWithHostPorts
- count(failHostPorts) > 0
-
- msg := format(sprintf("Container '%s' of %s '%s' should not set host ports", [failHostPorts[_], kind, name]))
-
-}
-
-getContainersWithHostPorts[container] {
- allContainers := containers[_]
- hostport_present := allContainers.ports[_].hostPort
- container := allContainers.name
-}
-
-
-
-
-
-
-################### LIBRARY ###################
-
-
-default is_gatekeeper = true
-
-object = input.review.object {
- is_gatekeeper
-}
-
-format(msg) = gatekeeper_format {
- is_gatekeeper
- gatekeeper_format = {"msg": msg}
-}
-
-name = object.metadata.name
-
-kind = object.kind
-
-is_pod {
- kind = "Pod"
-}
-
-is_cronjob {
- kind = "CronJob"
-}
-
-default is_controller = false
-
-is_controller {
- kind = "Deployment"
-}
-
-is_controller {
- kind = "StatefulSet"
-}
-
-is_controller {
- kind = "DaemonSet"
-}
-
-is_controller {
- kind = "ReplicaSet"
-}
-
-is_controller {
- kind = "ReplicationController"
-}
-
-is_controller {
- kind = "Job"
-}
-
-pod_containers(pod) = all_containers {
- keys = {"containers", "initContainers"}
- all_containers = [c | keys[k]; c = pod.spec[k][_]]
-}
-
-containers[container] {
- pods[pod]
- all_containers = pod_containers(pod)
- container = all_containers[_]
-}
-
-containers[container] {
- all_containers = pod_containers(object)
- container = all_containers[_]
-}
-
-pods[pod] {
- is_pod
- pod = object
-}
-
-pods[pod] {
- is_controller
- pod = object.spec.template
-}
-
-pods[pod] {
- is_cronjob
- pod = object.spec.jobTemplate.spec.template
-}
-
-has_field(obj, field) {
- obj[field]
-}
diff --git a/rego/pss_hostports/policy_test.rego b/rego/pss_hostports/policy_test.rego
deleted file mode 100644
index c9f47a5..0000000
--- a/rego/pss_hostports/policy_test.rego
+++ /dev/null
@@ -1,345 +0,0 @@
-package pss_hostports
-
-test_container_with_hostport_on_pod {
- container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]}
- input := input_obj(review_pod(pod_spec(container_ports)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_hostport_on_pod {
- container_ports := {"ports":[{"containerPort": 80}]}
- input := input_obj(review_pod(pod_spec(container_ports)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_hostport_on_deployment {
- container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]}
- input := input_obj(review_deployment(pod_spec(container_ports)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_hostport_on_deployment {
- container_ports := {"ports":[{"containerPort": 80}]}
- input := input_obj(review_deployment(pod_spec(container_ports)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_hostport_on_daemonset {
- container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]}
- input := input_obj(review_daemonset(pod_spec(container_ports)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_hostport_on_daemonset {
- container_ports := {"ports":[{"containerPort": 80}]}
- input := input_obj(review_daemonset(pod_spec(container_ports)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_hostport_on_replicaset {
- container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]}
- input := input_obj(review_replicaset(pod_spec(container_ports)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_hostport_on_replicaset {
- container_ports := {"ports":[{"containerPort": 80}]}
- input := input_obj(review_replicaset(pod_spec(container_ports)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_hostport_on_statefulset {
- container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]}
- input := input_obj(review_statefulset(pod_spec(container_ports)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_hostport_on_statefulset {
- container_ports := {"ports":[{"containerPort": 80}]}
- input := input_obj(review_statefulset(pod_spec(container_ports)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_hostport_on_job {
- container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]}
- input := input_obj(review_job(pod_spec(container_ports)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_hostport_on_job {
- container_ports := {"ports":[{"containerPort": 80}]}
- input := input_obj(review_job(pod_spec(container_ports)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_hostport_on_cronjob {
- container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]}
- input := input_obj(review_cronjob(pod_spec(container_ports)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_hostport_on_cronjob {
- container_ports := {"ports":[{"containerPort": 80}]}
- input := input_obj(review_cronjob(pod_spec(container_ports)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_hostport_on_pod {
- container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]}
- input := input_obj(review_pod(pod_spec_init_containers(container_ports)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_hostport_on_pod {
- container_ports := {"ports":[{"containerPort": 80}]}
- input := input_obj(review_pod(pod_spec_init_containers(container_ports)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_hostport_on_deployment {
- container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]}
- input := input_obj(review_deployment(pod_spec_init_containers(container_ports)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_hostport_on_deployment {
- container_ports := {"ports":[{"containerPort": 80}]}
- input := input_obj(review_deployment(pod_spec_init_containers(container_ports)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_hostport_on_daemonset {
- container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]}
- input := input_obj(review_daemonset(pod_spec_init_containers(container_ports)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_hostport_on_daemonset {
- container_ports := {"ports":[{"containerPort": 80}]}
- input := input_obj(review_daemonset(pod_spec_init_containers(container_ports)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_hostport_on_replicaset {
- container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]}
- input := input_obj(review_replicaset(pod_spec_init_containers(container_ports)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_hostport_on_replicaset {
- container_ports := {"ports":[{"containerPort": 80}]}
- input := input_obj(review_replicaset(pod_spec_init_containers(container_ports)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_hostport_on_statefulset {
- container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]}
- input := input_obj(review_statefulset(pod_spec_init_containers(container_ports)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_hostport_on_statefulset {
- container_ports := {"ports":[{"containerPort": 80}]}
- input := input_obj(review_statefulset(pod_spec_init_containers(container_ports)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_hostport_on_job {
- container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]}
- input := input_obj(review_job(pod_spec_init_containers(container_ports)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_hostport_on_job {
- container_ports := {"ports":[{"containerPort": 80}]}
- input := input_obj(review_job(pod_spec_init_containers(container_ports)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_hostport_on_cronjob {
- container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]}
- input := input_obj(review_cronjob(pod_spec_init_containers(container_ports)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_hostport_on_cronjob {
- container_ports := {"ports":[{"containerPort": 80}]}
- input := input_obj(review_cronjob(pod_spec_init_containers(container_ports)))
- results := violation with input as input
- count(results) == 0
-}
-
-review_pod(pod_spec) = out {
- out = {
- "object": {
- "kind": "Pod",
- "apiVersion": "v1",
- "metadata": {
- "name": "my-pod",
- },
- "spec": pod_spec
- }
- }
-}
-
-review_deployment(pod_spec) = out {
- out = {
- "object": {
- "kind": "Deployment",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-deployment",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_daemonset(pod_spec) = out {
- out = {
- "object": {
- "kind": "DaemonSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-daemonset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_replicaset(pod_spec) = out {
- out = {
- "object": {
- "kind": "ReplicaSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-replicaset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_statefulset(pod_spec) = out {
- out = {
- "object": {
- "kind": "StatefulSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-statefulset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_job(pod_spec) = out {
- out = {
- "object": {
- "kind": "Job",
- "apiVersion": "batch/v1",
- "metadata": {
- "name": "my-job",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_cronjob(pod_spec) = out {
- out = {
- "object": {
- "kind": "CronJob",
- "apiVersion": "batch/v1",
- "metadata": {
- "name": "my-cronjob",
- },
- "spec": {
- "jobTemplate": {
- "spec" : {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
- }
- }
-}
-
-pod_spec(container_ports) = out {
- out = {
- "containers": [
- {
- "name": "container1",
- "ports": container_ports.ports
- }
- ]
- }
-}
-
-pod_spec_init_containers(container_ports) = out {
- out = {
- "initContainers": [
- {
- "name": "container1",
- "ports": container_ports.ports
- }
- ]
- }
-}
-
-input_obj(review) = out {
- out = {
- "parameters": {},
- "review": review
- }
-}
diff --git a/rego/pss_pod_capabilities/policy.rego b/rego/pss_pod_capabilities/policy.rego
deleted file mode 100644
index 33c21c0..0000000
--- a/rego/pss_pod_capabilities/policy.rego
+++ /dev/null
@@ -1,111 +0,0 @@
-package pss_podcapabilities
-
-
-violation[msg] {
- failedContainers := getContainersWithDisallowedCaps
- count(failedContainers) > 0
-
- msg := format(sprintf("Container '%s' of %s '%s' should not set 'securityContext.capabilities.add'%s", [failedContainers[_], kind, name, caps_msg]))
-}
-
-allowed_caps := {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}
-
-getContainersWithDisallowedCaps[container] {
- allContainers := containers[_]
- set_caps := {cap | cap := allContainers.securityContext.capabilities.add[_]}
- caps_not_allowed := set_caps - allowed_caps
- count(caps_not_allowed) > 0
- container := allContainers.name
-}
-
-caps_msg = "" {
- count(allowed_caps) == 0
-} else = msg {
- msg := sprintf(" or set it to the following allowed values: %s", [concat(", ", allowed_caps)])
-}
-
-################### LIBRARY ###################
-
-default is_gatekeeper = true
-
-object = input.review.object {
- is_gatekeeper
-}
-
-format(msg) = gatekeeper_format {
- is_gatekeeper
- gatekeeper_format = {"msg": msg}
-}
-
-name = object.metadata.name
-
-kind = object.kind
-
-is_pod {
- kind = "Pod"
-}
-
-is_cronjob {
- kind = "CronJob"
-}
-
-default is_controller = false
-
-is_controller {
- kind = "Deployment"
-}
-
-is_controller {
- kind = "StatefulSet"
-}
-
-is_controller {
- kind = "DaemonSet"
-}
-
-is_controller {
- kind = "ReplicaSet"
-}
-
-is_controller {
- kind = "ReplicationController"
-}
-
-is_controller {
- kind = "Job"
-}
-
-pod_containers(pod) = all_containers {
- keys = {"containers", "initContainers", "ephemeralContainers"}
- all_containers = [c | keys[k]; c = pod.spec[k][_]]
-}
-
-containers[container] {
- pods[pod]
- all_containers = pod_containers(pod)
- container = all_containers[_]
-}
-
-containers[container] {
- all_containers = pod_containers(object)
- container = all_containers[_]
-}
-
-pods[pod] {
- is_pod
- pod = object
-}
-
-pods[pod] {
- is_controller
- pod = object.spec.template
-}
-
-pods[pod] {
- is_cronjob
- pod = object.spec.jobTemplate.spec.template
-}
-
-has_field(obj, field) {
- obj[field]
-}
diff --git a/rego/pss_pod_capabilities/policy_test.rego b/rego/pss_pod_capabilities/policy_test.rego
deleted file mode 100644
index ca76c10..0000000
--- a/rego/pss_pod_capabilities/policy_test.rego
+++ /dev/null
@@ -1,585 +0,0 @@
-package pss_podcapabilities
-
-################Helpers##############################
-
-review_pod(pod_spec) = out {
- out = {
- "object": {
- "kind": "Pod",
- "apiVersion": "v1",
- "metadata": {
- "name": "my-pod",
- },
- "spec": pod_spec
- }
- }
-}
-
-review_deployment(pod_spec) = out {
- out = {
- "object": {
- "kind": "Deployment",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-deployment",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_daemonset(pod_spec) = out {
- out = {
- "object": {
- "kind": "DaemonSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-daemonset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_replicaset(pod_spec) = out {
- out = {
- "object": {
- "kind": "ReplicaSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-replicaset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_statefulset(pod_spec) = out {
- out = {
- "object": {
- "kind": "StatefulSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-statefulset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_job(pod_spec) = out {
- out = {
- "object": {
- "kind": "Job",
- "apiVersion": "batch/v1",
- "metadata": {
- "name": "my-job",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_cronjob(pod_spec) = out {
- out = {
- "object": {
- "kind": "CronJob",
- "apiVersion": "batch/v1",
- "metadata": {
- "name": "my-cronjob",
- },
- "spec": {
- "jobTemplate": {
- "spec" : {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
- }
- }
-}
-
-pod_spec(capabilities) = out {
- out = {
- "containers": [
- {
- "name": "container1",
- "securityContext": {
- "capabilities": {
- "add": capabilities
- }
- }
- }
- ]
- }
-}
-
-pod_init_container_spec(capabilities) = out {
- out = {
- "initContainers": [
- {
- "name": "container1",
- "securityContext": {
- "capabilities": {
- "add": capabilities
- }
- }
- }
- ]
- }
-}
-
-pod_ephemeral_container_spec(capabilities) = out {
- out = {
- "ephemeralContainers": [
- {
- "name": "container1",
- "securityContext": {
- "capabilities": {
- "add": capabilities
- }
- }
- }
- ]
- }
-}
-
-input_obj(review) = out {
- out = {
- "parameters": {},
- "review": review
- }
-}
-
-################Container Tests######################
-
-test_not_allowed_cap_container_on_pod {
- input := input_obj(review_pod(pod_spec(["SYS_TIME"])))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_pod {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_pod(pod_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_pod(pod_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_cap_on_deployment {
- cap_list := ["SYS_TIME"]
- input := input_obj(review_deployment(pod_spec(cap_list)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_deployment {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_deployment(pod_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_deployment(pod_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_cap_on_daemonset {
- cap_list := ["SYS_TIME"]
- input := input_obj(review_daemonset(pod_spec(["SYS_TIME"])))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_daemonset {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_daemonset(pod_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_daemonset(pod_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_cap_on_replicaset {
- input := input_obj(review_replicaset(pod_spec(["SYS_TIME"])))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_replicaset {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_replicaset(pod_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_replicaset(pod_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_cap_on_statefulset {
- input := input_obj(review_statefulset(pod_spec(["SYS_TIME"])))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_statefulset {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_statefulset(pod_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_statefulset(pod_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_cap_on_job {
- input := input_obj(review_job(pod_spec(["SYS_TIME"])))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_jobt {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_job(pod_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_job(pod_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_cap_on_cronjob {
- input := input_obj(review_cronjob(pod_spec(["SYS_TIME"])))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_cronjob {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_cronjob(pod_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_cronjob(pod_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
-
-################Init Container Tests######################
-
-test_not_allowed_cap_container_on_pod {
- input := input_obj(review_pod(pod_init_container_spec(["SYS_TIME"])))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_pod {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_pod(pod_init_container_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_pod(pod_init_container_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_cap_on_deployment {
- cap_list := ["SYS_TIME"]
- input := input_obj(review_deployment(pod_init_container_spec(cap_list)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_deployment {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_deployment(pod_init_container_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_deployment(pod_init_container_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_cap_on_daemonset {
- cap_list := ["SYS_TIME"]
- input := input_obj(review_daemonset(pod_init_container_spec(["SYS_TIME"])))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_daemonset {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_daemonset(pod_init_container_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_daemonset(pod_init_container_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_cap_on_replicaset {
- input := input_obj(review_replicaset(pod_init_container_spec(["SYS_TIME"])))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_replicaset {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_replicaset(pod_init_container_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_replicaset(pod_init_container_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_cap_on_statefulset {
- input := input_obj(review_statefulset(pod_init_container_spec(["SYS_TIME"])))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_statefulset {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_statefulset(pod_init_container_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_statefulset(pod_init_container_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_cap_on_job {
- input := input_obj(review_job(pod_init_container_spec(["SYS_TIME"])))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_jobt {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_job(pod_init_container_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_job(pod_init_container_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_cap_on_cronjob {
- input := input_obj(review_cronjob(pod_init_container_spec(["SYS_TIME"])))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_cronjob {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_cronjob(pod_init_container_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_cronjob(pod_init_container_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
-
-################Ephemeral Container Tests######################
-
-test_not_allowed_cap_container_on_pod {
- input := input_obj(review_pod(pod_ephemeral_container_spec(["SYS_TIME"])))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_pod {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_pod(pod_ephemeral_container_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_pod(pod_ephemeral_container_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_cap_on_deployment {
- cap_list := ["SYS_TIME"]
- input := input_obj(review_deployment(pod_ephemeral_container_spec(cap_list)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_deployment {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_deployment(pod_ephemeral_container_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_deployment(pod_ephemeral_container_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_cap_on_daemonset {
- cap_list := ["SYS_TIME"]
- input := input_obj(review_daemonset(pod_ephemeral_container_spec(["SYS_TIME"])))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_daemonset {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_daemonset(pod_ephemeral_container_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_daemonset(pod_ephemeral_container_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_cap_on_replicaset {
- input := input_obj(review_replicaset(pod_ephemeral_container_spec(["SYS_TIME"])))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_replicaset {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_replicaset(pod_ephemeral_container_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_replicaset(pod_ephemeral_container_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_cap_on_statefulset {
- input := input_obj(review_statefulset(pod_ephemeral_container_spec(["SYS_TIME"])))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_statefulset {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_statefulset(pod_ephemeral_container_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_statefulset(pod_ephemeral_container_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_cap_on_job {
- input := input_obj(review_job(pod_ephemeral_container_spec(["SYS_TIME"])))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_jobt {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_job(pod_ephemeral_container_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_job(pod_ephemeral_container_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_cap_on_cronjob {
- input := input_obj(review_cronjob(pod_ephemeral_container_spec(["SYS_TIME"])))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_cap_container_on_cronjob {
- cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"]
- input := input_obj(review_cronjob(pod_ephemeral_container_spec(cap_list)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_cap_nill_container_on_pod {
- input := input_obj(review_cronjob(pod_ephemeral_container_spec(null)))
- results := violation with input as input
- count(results) == 0
-}
\ No newline at end of file
diff --git a/rego/pss_privileged_pods/policy.rego b/rego/pss_privileged_pods/policy.rego
deleted file mode 100644
index 8af891a..0000000
--- a/rego/pss_privileged_pods/policy.rego
+++ /dev/null
@@ -1,106 +0,0 @@
-package pss_privilegedpods
-
-
-violation[msg] {
- failedContainers := getPrivilegedContainers
- count(failedContainers) > 0
-
- msg := format(sprintf("Container '%s' of %s '%s' should set 'securityContext.privileged' to false", [failedContainers[_], kind, name]))
-}
-
-getPrivilegedContainers[container] {
- allContainers := containers[_]
- allContainers.securityContext.privileged == true
- container := allContainers.name
-}
-
-
-
-
-
-################### LIBRARY ###################
-
-
-default is_gatekeeper = true
-
-object = input.review.object {
- is_gatekeeper
-}
-
-format(msg) = gatekeeper_format {
- is_gatekeeper
- gatekeeper_format = {"msg": msg}
-}
-
-name = object.metadata.name
-
-kind = object.kind
-
-is_pod {
- kind = "Pod"
-}
-
-is_cronjob {
- kind = "CronJob"
-}
-
-default is_controller = false
-
-is_controller {
- kind = "Deployment"
-}
-
-is_controller {
- kind = "StatefulSet"
-}
-
-is_controller {
- kind = "DaemonSet"
-}
-
-is_controller {
- kind = "ReplicaSet"
-}
-
-is_controller {
- kind = "ReplicationController"
-}
-
-is_controller {
- kind = "Job"
-}
-
-pod_containers(pod) = all_containers {
- keys = {"containers", "initContainers"}
- all_containers = [c | keys[k]; c = pod.spec[k][_]]
-}
-
-containers[container] {
- pods[pod]
- all_containers = pod_containers(pod)
- container = all_containers[_]
-}
-
-containers[container] {
- all_containers = pod_containers(object)
- container = all_containers[_]
-}
-
-pods[pod] {
- is_pod
- pod = object
-}
-
-pods[pod] {
- is_controller
- pod = object.spec.template
-}
-
-pods[pod] {
- is_cronjob
- pod = object.spec.jobTemplate.spec.template
-}
-
-has_field(obj, field) {
- obj[field]
-}
diff --git a/rego/pss_privileged_pods/policy_test.rego b/rego/pss_privileged_pods/policy_test.rego
deleted file mode 100644
index 29894cd..0000000
--- a/rego/pss_privileged_pods/policy_test.rego
+++ /dev/null
@@ -1,224 +0,0 @@
-package pss_privilegedpods
-
-test_privileged_container_on_pod {
- input := input_obj(review_pod(pod_spec(true)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_unprivileged_container_on_pod {
- input := input_obj(review_pod(pod_spec(false)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_privileged_container_on_deployment {
- input := input_obj(review_deployment(pod_spec(true)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_unprivileged_container_on_deployment {
- input := input_obj(review_deployment(pod_spec(false)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_privileged_container_on_daemonset {
- input := input_obj(review_daemonset(pod_spec(true)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_unprivileged_container_on_daemonset {
- input := input_obj(review_daemonset(pod_spec(false)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_privileged_container_on_replicaset {
- input := input_obj(review_replicaset(pod_spec(true)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_unprivileged_container_on_replicaset {
- input := input_obj(review_replicaset(pod_spec(false)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_privileged_container_on_statefulset {
- input := input_obj(review_statefulset(pod_spec(true)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_unprivileged_container_on_statefulset {
- input := input_obj(review_statefulset(pod_spec(false)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_privileged_container_on_job {
- input := input_obj(review_job(pod_spec(true)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_unprivileged_container_on_jobt {
- input := input_obj(review_job(pod_spec(false)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_privileged_container_on_cronjob {
- input := input_obj(review_cronjob(pod_spec(true)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_unprivileged_container_on_cronjob {
- input := input_obj(review_cronjob(pod_spec(false)))
- results := violation with input as input
- count(results) == 0
-}
-
-review_pod(pod_spec) = out {
- out = {
- "object": {
- "kind": "Pod",
- "apiVersion": "v1",
- "metadata": {
- "name": "my-pod",
- },
- "spec": pod_spec
- }
- }
-}
-
-review_deployment(pod_spec) = out {
- out = {
- "object": {
- "kind": "Deployment",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-deployment",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_daemonset(pod_spec) = out {
- out = {
- "object": {
- "kind": "DaemonSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-daemonset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_replicaset(pod_spec) = out {
- out = {
- "object": {
- "kind": "ReplicaSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-replicaset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_statefulset(pod_spec) = out {
- out = {
- "object": {
- "kind": "StatefulSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-statefulset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_job(pod_spec) = out {
- out = {
- "object": {
- "kind": "Job",
- "apiVersion": "batch/v1",
- "metadata": {
- "name": "my-job",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_cronjob(pod_spec) = out {
- out = {
- "object": {
- "kind": "CronJob",
- "apiVersion": "batch/v1",
- "metadata": {
- "name": "my-cronjob",
- },
- "spec": {
- "jobTemplate": {
- "spec" : {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
- }
- }
-}
-
-pod_spec(allow_privileged) = out {
- out = {
- "containers": [
- {
- "name": "container1",
- "securityContext": {
- "privileged": allow_privileged
- }
- }
- ]
- }
-}
-
-input_obj(review) = out {
- out = {
- "parameters": {},
- "review": review
- }
-}
diff --git a/rego/pss_procmounts/policy.rego b/rego/pss_procmounts/policy.rego
deleted file mode 100644
index d1c9ab0..0000000
--- a/rego/pss_procmounts/policy.rego
+++ /dev/null
@@ -1,108 +0,0 @@
-package pss_procmounts
-
-
-violation[msg] {
- failProcMountOpts
-
- msg := format(sprintf("%s '%s' should not set 'spec.containers[*].securityContext.procMount' or 'spec.initContainers[*].securityContext.procMount'", [kind, name]))
-}
-
-failProcMountOpts {
- allContainers := containers[_]
- has_key(allContainers.securityContext, "procMount")
-}
-
-
-
-
-
-################### LIBRARY ###################
-
-
-default is_gatekeeper = true
-
-object = input.review.object {
- is_gatekeeper
-}
-
-format(msg) = gatekeeper_format {
- is_gatekeeper
- gatekeeper_format = {"msg": msg}
-}
-
-name = object.metadata.name
-
-kind = object.kind
-
-is_pod {
- kind = "Pod"
-}
-
-is_cronjob {
- kind = "CronJob"
-}
-
-default is_controller = false
-
-is_controller {
- kind = "Deployment"
-}
-
-is_controller {
- kind = "StatefulSet"
-}
-
-is_controller {
- kind = "DaemonSet"
-}
-
-is_controller {
- kind = "ReplicaSet"
-}
-
-is_controller {
- kind = "ReplicationController"
-}
-
-is_controller {
- kind = "Job"
-}
-
-pod_containers(pod) = all_containers {
- keys = {"containers", "initContainers", "ephemeralContainers"}
- all_containers = [c | keys[k]; c = pod.spec[k][_]]
-}
-
-containers[container] {
- pods[pod]
- all_containers = pod_containers(pod)
- container = all_containers[_]
-}
-
-containers[container] {
- all_containers = pod_containers(object)
- container = all_containers[_]
-}
-
-pods[pod] {
- is_pod
- pod = object
-}
-
-pods[pod] {
- is_controller
- pod = object.spec.template
-}
-
-pods[pod] {
- is_cronjob
- pod = object.spec.jobTemplate.spec.template
-}
-
-has_field(obj, field) {
- obj[field]
-}
-
-has_key(x, k) {
- _ = x[k]
-}
diff --git a/rego/pss_procmounts/policy_test.rego b/rego/pss_procmounts/policy_test.rego
deleted file mode 100644
index 8b99b6d..0000000
--- a/rego/pss_procmounts/policy_test.rego
+++ /dev/null
@@ -1,454 +0,0 @@
-package pss_procmounts
-
-test_container_with_procmount_on_pod {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_pod(pod_spec(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_procmount_on_pod {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_pod(pod_spec(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_procmount_on_deployment {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_deployment(pod_spec(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_procmount_on_deployment {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_deployment(pod_spec(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_procmount_on_daemonset {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_daemonset(pod_spec(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_procmount_on_daemonset {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_daemonset(pod_spec(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_procmount_on_replicaset {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_replicaset(pod_spec(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_procmount_on_replicaset {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_replicaset(pod_spec(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_procmount_on_statefulset {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_statefulset(pod_spec(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_procmount_on_statefulset {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_statefulset(pod_spec(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_procmount_on_job {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_job(pod_spec(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_procmount_on_jobt {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_job(pod_spec(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_procmount_on_cronjob {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_cronjob(pod_spec(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_procmount_on_cronjob {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_cronjob(pod_spec(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_procmount_on_pod {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_pod(pod_spec_init_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_procmount_on_pod {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_pod(pod_spec_init_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_procmount_on_deployment {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_deployment(pod_spec_init_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_procmount_on_deployment {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_deployment(pod_spec_init_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_procmount_on_daemonset {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_daemonset(pod_spec_init_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_procmount_on_daemonset {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_daemonset(pod_spec_init_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_procmount_on_replicaset {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_replicaset(pod_spec_init_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_procmount_on_replicaset {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_replicaset(pod_spec_init_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_procmount_on_statefulset {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_statefulset(pod_spec_init_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_procmount_on_statefulset {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_statefulset(pod_spec_init_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_procmount_on_job {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_job(pod_spec_init_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_procmount_on_jobt {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_job(pod_spec_init_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_procmount_on_cronjob {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_cronjob(pod_spec_init_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_procmount_on_cronjob {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_cronjob(pod_spec_init_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_procmount_on_pod {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_pod(pod_spec_ephemeral_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_no_procmount_on_pod {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_pod(pod_spec_ephemeral_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_procmount_on_deployment {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_deployment(pod_spec_ephemeral_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_no_procmount_on_deployment {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_deployment(pod_spec_ephemeral_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_procmount_on_daemonset {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_daemonset(pod_spec_ephemeral_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_no_procmount_on_daemonset {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_daemonset(pod_spec_ephemeral_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_procmount_on_replicaset {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_replicaset(pod_spec_ephemeral_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_no_procmount_on_replicaset {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_replicaset(pod_spec_ephemeral_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_procmount_on_statefulset {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_statefulset(pod_spec_ephemeral_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_no_procmount_on_statefulset {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_statefulset(pod_spec_ephemeral_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_procmount_on_job {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_job(pod_spec_ephemeral_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_no_procmount_on_jobt {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_job(pod_spec_ephemeral_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_procmount_on_cronjob {
- container_securitycontext := {"securityContext":{"procMount": "Unmasked"}}
- input := input_obj(review_cronjob(pod_spec_ephemeral_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_no_procmount_on_cronjob {
- container_securitycontext := {"securityContext":{}}
- input := input_obj(review_cronjob(pod_spec_ephemeral_containers(container_securitycontext)))
- results := violation with input as input
- count(results) == 0
-}
-
-review_pod(pod_spec) = out {
- out = {
- "object": {
- "kind": "Pod",
- "apiVersion": "v1",
- "metadata": {
- "name": "my-pod",
- },
- "spec": pod_spec
- }
- }
-}
-
-review_deployment(pod_spec) = out {
- out = {
- "object": {
- "kind": "Deployment",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-deployment",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_daemonset(pod_spec) = out {
- out = {
- "object": {
- "kind": "DaemonSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-daemonset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_replicaset(pod_spec) = out {
- out = {
- "object": {
- "kind": "ReplicaSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-replicaset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_statefulset(pod_spec) = out {
- out = {
- "object": {
- "kind": "StatefulSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-statefulset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_job(pod_spec) = out {
- out = {
- "object": {
- "kind": "Job",
- "apiVersion": "batch/v1",
- "metadata": {
- "name": "my-job",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_cronjob(pod_spec) = out {
- out = {
- "object": {
- "kind": "CronJob",
- "apiVersion": "batch/v1",
- "metadata": {
- "name": "my-cronjob",
- },
- "spec": {
- "jobTemplate": {
- "spec" : {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
- }
- }
-}
-
-pod_spec(container_securitycontext) = out {
- out = {
- "containers": [
- {
- "name": "container1",
- "securityContext": container_securitycontext.securityContext
- }
- ]
- }
-}
-
-pod_spec_init_containers(container_securitycontext) = out {
- out = {
- "initContainers": [
- {
- "name": "container1",
- "securityContext": container_securitycontext.securityContext
- }
- ]
- }
-}
-
-pod_spec_ephemeral_containers(container_securitycontext) = out {
- out = {
- "ephemeralContainers": [
- {
- "name": "container1",
- "securityContext": container_securitycontext.securityContext
- }
- ]
- }
-}
-
-input_obj(review) = out {
- out = {
- "parameters": {},
- "review": review
- }
-}
diff --git a/rego/pss_seccomp/policy.rego b/rego/pss_seccomp/policy.rego
deleted file mode 100644
index f66a0a6..0000000
--- a/rego/pss_seccomp/policy.rego
+++ /dev/null
@@ -1,121 +0,0 @@
-package pss_seccomp
-
-violation[msg] {
- failSeccompProfileType
-
- msg := format(sprintf("%s '%s' should set 'spec.securityContext.seccompProfile.type' to 'RuntimeDefault'", [kind, name]))
-}
-
-violation[msg] {
- count(getContainersWithDisallowedSeccompProfileType) > 0
-
- msg := format(sprintf("Container '%s' of %s '%s' should set 'spec.containers[*].securityContext.seccompProfile.type' to 'RuntimeDefault'", [getContainersWithDisallowedSeccompProfileType[_], kind, name]))
-}
-
-failSeccompProfileType {
- pod := pods[_]
- type := pod.spec.securityContext.seccompProfile.type
- not type == "RuntimeDefault"
-}
-
-getContainersWithDisallowedSeccompProfileType[name] {
- container := containers[_]
- type := container.securityContext.seccompProfile.type
- not type == "RuntimeDefault"
- name := container.name
-}
-
-
-
-
-
-################### LIBRARY ###################
-
-
-default is_gatekeeper = true
-
-object = input.review.object {
- is_gatekeeper
-}
-
-format(msg) = gatekeeper_format {
- is_gatekeeper
- gatekeeper_format = {"msg": msg}
-}
-
-name = object.metadata.name
-
-kind = object.kind
-
-is_pod {
- kind = "Pod"
-}
-
-is_cronjob {
- kind = "CronJob"
-}
-
-default is_controller = false
-
-is_controller {
- kind = "Deployment"
-}
-
-is_controller {
- kind = "StatefulSet"
-}
-
-is_controller {
- kind = "DaemonSet"
-}
-
-is_controller {
- kind = "ReplicaSet"
-}
-
-is_controller {
- kind = "ReplicationController"
-}
-
-is_controller {
- kind = "Job"
-}
-
-pod_containers(pod) = all_containers {
- keys = {"containers", "initContainers", "ephemeralContainers"}
- all_containers = [c | keys[k]; c = pod.spec[k][_]]
-}
-
-containers[container] {
- pods[pod]
- all_containers = pod_containers(pod)
- container = all_containers[_]
-}
-
-containers[container] {
- all_containers = pod_containers(object)
- container = all_containers[_]
-}
-
-pods[pod] {
- is_pod
- pod = object
-}
-
-pods[pod] {
- is_controller
- pod = object.spec.template
-}
-
-pods[pod] {
- is_cronjob
- pod = object.spec.jobTemplate.spec.template
-}
-
-has_field(obj, field) {
- obj[field]
-}
-
-has_key(x, k) {
- _ = x[k]
-}
diff --git a/rego/pss_seccomp/policy_test.rego b/rego/pss_seccomp/policy_test.rego
deleted file mode 100644
index 80cb5d0..0000000
--- a/rego/pss_seccomp/policy_test.rego
+++ /dev/null
@@ -1,671 +0,0 @@
-package pss_seccomp
-
-test_unconfined_seccomp_on_pod {
- pod_seccomp := {"type": "Unconfined"}
- input := input_obj(review_pod(pod_spec_seccomp(pod_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_no_unconfined_seccomp_on_pod {
- pod_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_pod(pod_spec_seccomp(pod_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_no_securitycontext_on_pod {
- input := input_obj(review_pod(pod_spec_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_unconfined_seccomp_on_pod {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_pod(pod_spec(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_unconfined_seccomp_on_pod {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_pod(pod_spec(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_no_securitycontext_on_pod {
- input := input_obj(review_pod(pod_spec_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_unconfined_seccomp_on_deployment {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_deployment(pod_spec(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_unconfined_seccomp_on_deployment {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_deployment(pod_spec(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_no_securitycontext_on_deployment {
- input := input_obj(review_deployment(pod_spec_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_unconfined_seccomp_on_daemonset {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_daemonset(pod_spec(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_unconfined_seccomp_on_daemonset {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_daemonset(pod_spec(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_no_securitycontext_on_daemonset {
- input := input_obj(review_daemonset(pod_spec_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_unconfined_seccomp_on_replicaset {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_replicaset(pod_spec(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_unconfined_seccomp_on_replicaset {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_replicaset(pod_spec(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_no_securitycontext_on_replicaset {
- input := input_obj(review_replicaset(pod_spec_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_unconfined_seccomp_on_statefulset {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_statefulset(pod_spec(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_unconfined_seccomp_on_statefulset {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_statefulset(pod_spec(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_no_securitycontext_on_statefulset {
- input := input_obj(review_statefulset(pod_spec_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_unconfined_seccomp_on_job {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_job(pod_spec(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_unconfined_seccomp_on_job {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_job(pod_spec(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_no_securitycontext_on_job {
- input := input_obj(review_job(pod_spec_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_unconfined_seccomp_on_cronjob {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_cronjob(pod_spec(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_no_unconfined_seccomp_on_cronjob {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_cronjob(pod_spec(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_no_securitycontext_on_cronjob {
- input := input_obj(review_cronjob(pod_spec_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_unconfined_seccomp_on_pod {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_pod(pod_spec_init_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_unconfined_seccomp_on_pod {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_pod(pod_spec_init_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_no_securitycontext_on_pod {
- input := input_obj(review_pod(pod_spec_init_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_unconfined_seccomp_on_deployment {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_deployment(pod_spec_init_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_unconfined_seccomp_on_deployment {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_deployment(pod_spec_init_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_no_securitycontext_on_deployment {
- input := input_obj(review_deployment(pod_spec_init_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_unconfined_seccomp_on_daemonset {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_daemonset(pod_spec_init_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_unconfined_seccomp_on_daemonset {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_daemonset(pod_spec_init_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_no_securitycontext_on_daemonset {
- input := input_obj(review_daemonset(pod_spec_init_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_unconfined_seccomp_on_replicaset {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_replicaset(pod_spec_init_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_unconfined_seccomp_on_replicaset {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_replicaset(pod_spec_init_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_no_securitycontext_on_replicaset {
- input := input_obj(review_replicaset(pod_spec_init_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_unconfined_seccomp_on_statefulset {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_statefulset(pod_spec_init_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_unconfined_seccomp_on_statefulset {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_statefulset(pod_spec_init_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_no_securitycontext_on_statefulset {
- input := input_obj(review_statefulset(pod_spec_init_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_unconfined_seccomp_on_job {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_job(pod_spec_init_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_unconfined_seccomp_on_job {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_job(pod_spec_init_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_no_securitycontext_on_job {
- input := input_obj(review_job(pod_spec_init_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_unconfined_seccomp_on_cronjob {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_cronjob(pod_spec_init_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_no_unconfined_seccomp_on_cronjob {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_cronjob(pod_spec_init_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_no_securitycontext_on_cronjob {
- input := input_obj(review_cronjob(pod_spec_init_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_unconfined_seccomp_on_pod {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_pod(pod_spec_ephemeral_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_no_unconfined_seccomp_on_pod {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_pod(pod_spec_ephemeral_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_no_securitycontext_on_pod {
- input := input_obj(review_pod(pod_spec_ephemeral_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_unconfined_seccomp_on_deployment {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_deployment(pod_spec_ephemeral_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_no_unconfined_seccomp_on_deployment {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_deployment(pod_spec_ephemeral_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_no_securitycontext_on_deployment {
- input := input_obj(review_deployment(pod_spec_ephemeral_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_unconfined_seccomp_on_daemonset {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_daemonset(pod_spec_ephemeral_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_no_unconfined_seccomp_on_daemonset {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_daemonset(pod_spec_ephemeral_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_no_securitycontext_on_daemonset {
- input := input_obj(review_daemonset(pod_spec_ephemeral_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_unconfined_seccomp_on_replicaset {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_replicaset(pod_spec_ephemeral_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_no_unconfined_seccomp_on_replicaset {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_replicaset(pod_spec_ephemeral_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_no_securitycontext_on_replicaset {
- input := input_obj(review_replicaset(pod_spec_ephemeral_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_unconfined_seccomp_on_statefulset {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_statefulset(pod_spec_ephemeral_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_no_unconfined_seccomp_on_statefulset {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_statefulset(pod_spec_ephemeral_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_no_securitycontext_on_statefulset {
- input := input_obj(review_statefulset(pod_spec_ephemeral_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_unconfined_seccomp_on_job {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_job(pod_spec_ephemeral_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_no_unconfined_seccomp_on_job {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_job(pod_spec_ephemeral_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_no_securitycontext_on_job {
- input := input_obj(review_job(pod_spec_ephemeral_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_unconfined_seccomp_on_cronjob {
- container_seccomp := {"type": "Unconfined"}
- input := input_obj(review_cronjob(pod_spec_ephemeral_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_no_unconfined_seccomp_on_cronjob {
- container_seccomp := {"type": "RuntimeDefault"}
- input := input_obj(review_cronjob(pod_spec_ephemeral_containers(container_seccomp)))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_no_securitycontext_on_cronjob {
- input := input_obj(review_cronjob(pod_spec_ephemeral_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-review_pod(pod_spec) = out {
- out = {
- "object": {
- "kind": "Pod",
- "apiVersion": "v1",
- "metadata": {
- "name": "my-pod",
- },
- "spec": pod_spec
- }
- }
-}
-
-review_deployment(pod_spec) = out {
- out = {
- "object": {
- "kind": "Deployment",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-deployment",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_daemonset(pod_spec) = out {
- out = {
- "object": {
- "kind": "DaemonSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-daemonset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_replicaset(pod_spec) = out {
- out = {
- "object": {
- "kind": "ReplicaSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-replicaset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_statefulset(pod_spec) = out {
- out = {
- "object": {
- "kind": "StatefulSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-statefulset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_job(pod_spec) = out {
- out = {
- "object": {
- "kind": "Job",
- "apiVersion": "batch/v1",
- "metadata": {
- "name": "my-job",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_cronjob(pod_spec) = out {
- out = {
- "object": {
- "kind": "CronJob",
- "apiVersion": "batch/v1",
- "metadata": {
- "name": "my-cronjob",
- },
- "spec": {
- "jobTemplate": {
- "spec" : {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
- }
- }
-}
-
-pod_spec(container_seccomp) = out {
- out = {
- "containers": [
- {
- "name": "container1",
- "securityContext": {
- "seccompProfile": {
- "type": container_seccomp.type
- }
- }
- }
- ]
- }
-}
-
-pod_spec_seccomp(pod_seccomp) = out {
- out = {
- "securityContext": {
- "seccompProfile": {
- "type": pod_seccomp.type
- }
- },
- "containers": [
- {
- "name": "container1"
- }
- ]
- }
-}
-
-pod_spec_no_securitycontext() = out {
- out = {
- "securityContext": {},
- "containers": [
- {
- "name": "container1"
- }
- ]
- }
-}
-
-pod_spec_containers_no_securitycontext() = out {
- out = {
- "containers": [
- {
- "name": "container1",
- "securityContext": {}
- }
- ]
- }
-}
-
-pod_spec_init_containers(container_seccomp) = out {
- out = {
- "initContainers": [
- {
- "name": "container1",
- "securityContext": {
- "seccompProfile": {
- "type": container_seccomp.type
- }
- }
- }
- ]
- }
-}
-
-pod_spec_init_containers_no_securitycontext() = out {
- out = {
- "initContainers": [
- {
- "name": "container1",
- "securityContext": {}
- }
- ]
- }
-}
-
-pod_spec_ephemeral_containers(container_seccomp) = out {
- out = {
- "ephemeralContainers": [
- {
- "name": "container1",
- "securityContext": {
- "seccompProfile": {
- "type": container_seccomp.type
- }
- }
- }
- ]
- }
-}
-
-pod_spec_ephemeral_containers_no_securitycontext() = out {
- out = {
- "ephemeralContainers": [
- {
- "name": "container1",
- "securityContext": {}
- }
- ]
- }
-}
-
-input_obj(review) = out {
- out = {
- "parameters": {},
- "review": review
- }
-}
diff --git a/rego/pss_selinux/policy.rego b/rego/pss_selinux/policy.rego
deleted file mode 100644
index 4e7bc76..0000000
--- a/rego/pss_selinux/policy.rego
+++ /dev/null
@@ -1,142 +0,0 @@
-package pss_selinux
-
-violation[msg] {
- type := failSELinuxType[_]
-
- msg := format(sprintf("%s '%s' uses invalid seLinux type '%s'", [kind, name, type]))
-}
-
-violation[msg] {
- keys := failForbiddenSELinuxProperties
-
- count(keys) > 0
-
- msg := format(sprintf("%s '%s' uses restricted properties in seLinuxOptions: (%s)", [kind, name, concat(", ", keys)]))
-}
-
-failSELinuxType[type] {
- context := getAllSecurityContexts[_]
- context.seLinuxOptions != null
- context.seLinuxOptions.type != null
-
- type := context.seLinuxOptions.type
-}
-
-failForbiddenSELinuxProperties[key] {
- context := getAllSecurityContexts[_]
- context.seLinuxOptions != null
- forbiddenProps := getForbiddenSELinuxProperties(context)
- key := forbiddenProps[_]
-}
-
-getAllSecurityContexts[context] {
- context := containers[_].securityContext
-}
-
-getAllSecurityContexts[context] {
- context := pods[_].spec.securityContext
-}
-
-getForbiddenSELinuxProperties(context) = keys {
- forbiddenProperties = ["role", "user"]
- keys := {msg |
- key := forbiddenProperties[_]
- has_key(context.seLinuxOptions, key)
- msg := sprintf("'%s'", [key])
- }
-}
-
-
-
-
-
-################### LIBRARY ###################
-
-
-default is_gatekeeper = true
-
-object = input.review.object {
- is_gatekeeper
-}
-
-format(msg) = gatekeeper_format {
- is_gatekeeper
- gatekeeper_format = {"msg": msg}
-}
-
-name = object.metadata.name
-
-kind = object.kind
-
-is_pod {
- kind = "Pod"
-}
-
-is_cronjob {
- kind = "CronJob"
-}
-
-default is_controller = false
-
-is_controller {
- kind = "Deployment"
-}
-
-is_controller {
- kind = "StatefulSet"
-}
-
-is_controller {
- kind = "DaemonSet"
-}
-
-is_controller {
- kind = "ReplicaSet"
-}
-
-is_controller {
- kind = "ReplicationController"
-}
-
-is_controller {
- kind = "Job"
-}
-
-pod_containers(pod) = all_containers {
- keys = {"containers", "initContainers", "ephemeralContainers"}
- all_containers = [c | keys[k]; c = pod.spec[k][_]]
-}
-
-containers[container] {
- pods[pod]
- all_containers = pod_containers(pod)
- container = all_containers[_]
-}
-
-containers[container] {
- all_containers = pod_containers(object)
- container = all_containers[_]
-}
-
-pods[pod] {
- is_pod
- pod = object
-}
-
-pods[pod] {
- is_controller
- pod = object.spec.template
-}
-
-pods[pod] {
- is_cronjob
- pod = object.spec.jobTemplate.spec.template
-}
-
-has_field(obj, field) {
- obj[field]
-}
-
-has_key(x, k) {
- _ = x[k]
-}
diff --git a/rego/pss_selinux/policy_test.rego b/rego/pss_selinux/policy_test.rego
deleted file mode 100644
index a73b8ae..0000000
--- a/rego/pss_selinux/policy_test.rego
+++ /dev/null
@@ -1,663 +0,0 @@
-package pss_selinux
-
-test_selinux_options_on_pod {
- pod_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_pod(pod_spec_selinux(pod_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_multiple_selinux_options_on_pod {
- pod_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_pod(pod_spec_selinux(pod_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_no_securitycontext_on_pod {
- input := input_obj(review_pod(pod_spec_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_selinux_options_on_pod {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_pod(pod_spec(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_multiple_selinux_options_on_pod {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_pod(pod_spec(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_container_with_no_securitycontext_on_pod {
- input := input_obj(review_pod(pod_spec_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_selinux_options_on_deployment {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_deployment(pod_spec(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_multiple_selinux_options_on_deployment {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_deployment(pod_spec(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_container_with_no_securitycontext_on_deployment {
- input := input_obj(review_deployment(pod_spec_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_selinux_options_on_daemonset {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_daemonset(pod_spec(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_multiple_selinux_options_on_daemonset {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_daemonset(pod_spec(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_container_with_no_securitycontext_on_daemonset {
- input := input_obj(review_daemonset(pod_spec_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_selinux_options_on_replicaset {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_replicaset(pod_spec(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_multiple_selinux_options_on_replicaset {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_replicaset(pod_spec(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_container_with_no_securitycontext_on_replicaset {
- input := input_obj(review_replicaset(pod_spec_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_selinux_options_on_statefulset {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_statefulset(pod_spec(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_multiple_selinux_options_on_statefulset {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_statefulset(pod_spec(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_container_with_no_securitycontext_on_statefulset {
- input := input_obj(review_statefulset(pod_spec_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_selinux_options_on_job {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_job(pod_spec(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_multiple_selinux_options_on_job {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_job(pod_spec(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_container_with_no_securitycontext_on_job {
- input := input_obj(review_job(pod_spec_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_container_with_selinux_options_on_cronjob {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_cronjob(pod_spec(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_container_with_multiple_selinux_options_on_cronjob {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_cronjob(pod_spec(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_container_with_no_securitycontext_on_cronjob {
- input := input_obj(review_cronjob(pod_spec_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_selinux_options_on_pod {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_pod(pod_spec_init_containers(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_multiple_selinux_options_on_pod {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_pod(pod_spec_init_containers(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_init_container_with_no_securitycontext_on_pod {
- input := input_obj(review_pod(pod_spec_init_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_selinux_options_on_deployment {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_deployment(pod_spec_init_containers(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_multiple_selinux_options_on_deployment {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_deployment(pod_spec_init_containers(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_init_container_with_no_securitycontext_on_deployment {
- input := input_obj(review_deployment(pod_spec_init_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_selinux_options_on_daemonset {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_daemonset(pod_spec_init_containers(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_multiple_selinux_options_on_daemonset {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_daemonset(pod_spec_init_containers(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_init_container_with_no_securitycontext_on_daemonset {
- input := input_obj(review_daemonset(pod_spec_init_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_selinux_options_on_replicaset {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_replicaset(pod_spec_init_containers(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_multiple_selinux_options_on_replicaset {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_replicaset(pod_spec_init_containers(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_init_container_with_no_securitycontext_on_replicaset {
- input := input_obj(review_replicaset(pod_spec_init_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_selinux_options_on_statefulset {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_statefulset(pod_spec_init_containers(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_multiple_selinux_options_on_statefulset {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_statefulset(pod_spec_init_containers(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_init_container_with_no_securitycontext_on_statefulset {
- input := input_obj(review_statefulset(pod_spec_init_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_selinux_options_on_job {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_job(pod_spec_init_containers(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_multiple_selinux_options_on_job {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_job(pod_spec_init_containers(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_init_container_with_no_securitycontext_on_job {
- input := input_obj(review_job(pod_spec_init_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_init_container_with_selinux_options_on_cronjob {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_cronjob(pod_spec_init_containers(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_init_container_with_multiple_selinux_options_on_cronjob {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_cronjob(pod_spec_init_containers(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_init_container_with_no_securitycontext_on_cronjob {
- input := input_obj(review_cronjob(pod_spec_init_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_selinux_options_on_pod {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_pod(pod_spec_ephemeral_containers(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_multiple_selinux_options_on_pod {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_pod(pod_spec_ephemeral_containers(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_ephemeral_container_with_no_securitycontext_on_pod {
- input := input_obj(review_pod(pod_spec_ephemeral_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_selinux_options_on_deployment {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_deployment(pod_spec_ephemeral_containers(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_multiple_selinux_options_on_deployment {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_deployment(pod_spec_ephemeral_containers(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_ephemeral_container_with_no_securitycontext_on_deployment {
- input := input_obj(review_deployment(pod_spec_ephemeral_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_selinux_options_on_daemonset {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_daemonset(pod_spec_ephemeral_containers(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_multiple_selinux_options_on_daemonset {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_daemonset(pod_spec_ephemeral_containers(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_ephemeral_container_with_no_securitycontext_on_daemonset {
- input := input_obj(review_daemonset(pod_spec_ephemeral_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_selinux_options_on_replicaset {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_replicaset(pod_spec_ephemeral_containers(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_multiple_selinux_options_on_replicaset {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_replicaset(pod_spec_ephemeral_containers(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_ephemeral_container_with_no_securitycontext_on_replicaset {
- input := input_obj(review_replicaset(pod_spec_ephemeral_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_selinux_options_on_statefulset {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_statefulset(pod_spec_ephemeral_containers(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_multiple_selinux_options_on_statefulset {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_statefulset(pod_spec_ephemeral_containers(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_ephemeral_container_with_no_securitycontext_on_statefulset {
- input := input_obj(review_statefulset(pod_spec_ephemeral_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_selinux_options_on_job {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_job(pod_spec_ephemeral_containers(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_multiple_selinux_options_on_job {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_job(pod_spec_ephemeral_containers(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_ephemeral_container_with_no_securitycontext_on_job {
- input := input_obj(review_job(pod_spec_ephemeral_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-test_ephemeral_container_with_selinux_options_on_cronjob {
- container_selinux := {"seLinuxOptions":{"type": "custom"}}
- input := input_obj(review_cronjob(pod_spec_ephemeral_containers(container_selinux)))
- results := violation with input as input
- count(results) == 1
-}
-
-test_ephemeral_container_with_multiple_selinux_options_on_cronjob {
- container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}}
- input := input_obj(review_cronjob(pod_spec_ephemeral_containers(container_selinux)))
- results := violation with input as input
- count(results) > 1
-}
-
-test_ephemeral_container_with_no_securitycontext_on_cronjob {
- input := input_obj(review_cronjob(pod_spec_ephemeral_containers_no_securitycontext))
- results := violation with input as input
- count(results) == 0
-}
-
-review_pod(pod_spec) = out {
- out = {
- "object": {
- "kind": "Pod",
- "apiVersion": "v1",
- "metadata": {
- "name": "my-pod",
- },
- "spec": pod_spec
- }
- }
-}
-
-review_deployment(pod_spec) = out {
- out = {
- "object": {
- "kind": "Deployment",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-deployment",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_daemonset(pod_spec) = out {
- out = {
- "object": {
- "kind": "DaemonSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-daemonset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_replicaset(pod_spec) = out {
- out = {
- "object": {
- "kind": "ReplicaSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-replicaset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_statefulset(pod_spec) = out {
- out = {
- "object": {
- "kind": "StatefulSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-statefulset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_job(pod_spec) = out {
- out = {
- "object": {
- "kind": "Job",
- "apiVersion": "batch/v1",
- "metadata": {
- "name": "my-job",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_cronjob(pod_spec) = out {
- out = {
- "object": {
- "kind": "CronJob",
- "apiVersion": "batch/v1",
- "metadata": {
- "name": "my-cronjob",
- },
- "spec": {
- "jobTemplate": {
- "spec" : {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
- }
- }
-}
-
-pod_spec(pod_selinux) = out {
- out = {
- "containers": [
- {
- "name": "container1",
- "securityContext": {
- "seLinuxOptions": pod_selinux.seLinuxOptions
- }
- }
- ]
- }
-}
-
-pod_spec_selinux(pod_selinux) = out {
- out = {
- "securityContext": {
- "seLinuxOptions": pod_selinux.seLinuxOptions
- },
- "containers": [
- {
- "name": "container1"
- }
- ]
- }
-}
-
-pod_spec_no_securitycontext() = out {
- out = {
- "securityContext": {},
- "containers": [
- {
- "name": "container1"
- }
- ]
- }
-}
-
-pod_spec_containers_no_securitycontext() = out {
- out = {
- "containers": [
- {
- "name": "container1",
- "securityContext": {}
- }
- ]
- }
-}
-
-pod_spec_init_containers(pod_selinux) = out {
- out = {
- "initContainers": [
- {
- "name": "container1",
- "securityContext": {
- "seLinuxOptions": pod_selinux.seLinuxOptions
- }
- }
- ]
- }
-}
-
-pod_spec_init_containers_no_securitycontext() = out {
- out = {
- "initContainers": [
- {
- "name": "container1",
- "securityContext": {}
- }
- ]
- }
-}
-
-pod_spec_ephemeral_containers(pod_selinux) = out {
- out = {
- "ephemeralContainers": [
- {
- "name": "container1",
- "securityContext": {
- "seLinuxOptions": pod_selinux.seLinuxOptions
- }
- }
- ]
- }
-}
-
-pod_spec_ephemeral_containers_no_securitycontext() = out {
- out = {
- "ephemeralContainers": [
- {
- "name": "container1",
- "securityContext": {}
- }
- ]
- }
-}
-
-input_obj(review) = out {
- out = {
- "parameters": {},
- "review": review
- }
-}
diff --git a/rego/pss_sysctl_options/policy.rego b/rego/pss_sysctl_options/policy.rego
deleted file mode 100644
index b199123..0000000
--- a/rego/pss_sysctl_options/policy.rego
+++ /dev/null
@@ -1,109 +0,0 @@
-package pss_sysctloptions
-
-
-violation[msg] {
- failSysctls
-
- msg := format(sprintf("%s '%s' should set 'securityContext.sysctl' to the allowed values", [kind, name]))
-}
-
-allowed_sysctls := {
- "kernel.shm_rmid_forced",
- "net.ipv4.ip_local_port_range",
- "net.ipv4.ip_unprivileged_port_start",
- "net.ipv4.tcp_syncookies",
- "net.ipv4.ping_group_range",
-}
-
-failSysctls {
- pod := pods[_]
- set_sysctls := {sysctl | sysctl := pod.spec.securityContext.sysctls[_].name}
- sysctls_not_allowed := set_sysctls - allowed_sysctls
- count(sysctls_not_allowed) > 0
-}
-
-################### LIBRARY ###################
-
-default is_gatekeeper = true
-
-object = input.review.object {
- is_gatekeeper
-}
-
-format(msg) = gatekeeper_format {
- is_gatekeeper
- gatekeeper_format = {"msg": msg}
-}
-
-name = object.metadata.name
-
-kind = object.kind
-
-is_pod {
- kind = "Pod"
-}
-
-is_cronjob {
- kind = "CronJob"
-}
-
-default is_controller = false
-
-is_controller {
- kind = "Deployment"
-}
-
-is_controller {
- kind = "StatefulSet"
-}
-
-is_controller {
- kind = "DaemonSet"
-}
-
-is_controller {
- kind = "ReplicaSet"
-}
-
-is_controller {
- kind = "ReplicationController"
-}
-
-is_controller {
- kind = "Job"
-}
-
-pod_containers(pod) = all_containers {
- keys = {"containers", "initContainers", "ephemeralContainers"}
- all_containers = [c | keys[k]; c = pod.spec[k][_]]
-}
-
-containers[container] {
- pods[pod]
- all_containers = pod_containers(pod)
- container = all_containers[_]
-}
-
-containers[container] {
- all_containers = pod_containers(object)
- container = all_containers[_]
-}
-
-pods[pod] {
- is_pod
- pod = object
-}
-
-pods[pod] {
- is_controller
- pod = object.spec.template
-}
-
-pods[pod] {
- is_cronjob
- pod = object.spec.jobTemplate.spec.template
-}
-
-has_field(obj, field) {
- obj[field]
-}
diff --git a/rego/pss_sysctl_options/policy_test.rego b/rego/pss_sysctl_options/policy_test.rego
deleted file mode 100644
index 327d413..0000000
--- a/rego/pss_sysctl_options/policy_test.rego
+++ /dev/null
@@ -1,268 +0,0 @@
-package pss_sysctloptions
-
-################Helpers##############################
-
-review_pod(pod_spec) = out {
- out = {
- "object": {
- "kind": "Pod",
- "apiVersion": "v1",
- "metadata": {
- "name": "my-pod",
- },
- "spec": pod_spec
- }
- }
-}
-
-review_deployment(pod_spec) = out {
- out = {
- "object": {
- "kind": "Deployment",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-deployment",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_daemonset(pod_spec) = out {
- out = {
- "object": {
- "kind": "DaemonSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-daemonset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_replicaset(pod_spec) = out {
- out = {
- "object": {
- "kind": "ReplicaSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-replicaset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_statefulset(pod_spec) = out {
- out = {
- "object": {
- "kind": "StatefulSet",
- "apiVersion": "apps/v1",
- "metadata": {
- "name": "my-statefulset",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_job(pod_spec) = out {
- out = {
- "object": {
- "kind": "Job",
- "apiVersion": "batch/v1",
- "metadata": {
- "name": "my-job",
- },
- "spec": {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
-}
-
-review_cronjob(pod_spec) = out {
- out = {
- "object": {
- "kind": "CronJob",
- "apiVersion": "batch/v1",
- "metadata": {
- "name": "my-cronjob",
- },
- "spec": {
- "jobTemplate": {
- "spec" : {
- "template": {
- "spec": pod_spec
- }
- }
- }
- }
- }
- }
-}
-
-pod_spec(securitycontext) = out {
- out = {
- "securityContext" : securitycontext,
- "containers": [
- {
- "name": "container1",
- }
- ]
- }
-}
-
-input_obj(review) = out {
- out = {
- "parameters": {},
- "review": review
- }
-}
-
-################Container Tests######################
-
-test_not_allowed_sysctls_options_container_on_pod {
- input := input_obj(review_pod(pod_spec({"sysctls": [{"name": "net.core.somaxconn","value": "1024",},{"name": "kernel.msgmax","value": "65536",},]})))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_sysctls_options_container_on_pod {
- input := input_obj(review_pod(pod_spec({"sysctls": [{"name": "kernel.shm_rmid_forced","value": "0",},{"name": "net.ipv4.ip_local_port_range","value": "",},{"name": "net.ipv4.ip_unprivileged_port_start","value": "0",},{"name": "net.ipv4.tcp_syncookies","value": "1",},{"name": "net.ipv4.ping_group_range","value": "",}]})))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_sysctls_options_nill_container_on_pod {
- input := input_obj(review_pod(pod_spec({"sysctls": null})))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_sysctls_options_container_on_deployment {
- input := input_obj(review_deployment(pod_spec({"sysctls": [{"name": "net.core.somaxconn","value": "1024",},{"name": "kernel.msgmax","value": "65536",},]})))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_sysctls_options_container_on_deployment {
- input := input_obj(review_pod(pod_spec({"sysctls": [{"name": "kernel.shm_rmid_forced","value": "0",},{"name": "net.ipv4.ip_local_port_range","value": "",},{"name": "net.ipv4.ip_unprivileged_port_start","value": "0",},{"name": "net.ipv4.tcp_syncookies","value": "1",},{"name": "net.ipv4.ping_group_range","value": "",}]})))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_sysctls_options_nill_container_on_deployment {
- input := input_obj(review_deployment(pod_spec({"sysctls": null})))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_sysctls_options_container_on_daemonset {
- input := input_obj(review_daemonset(pod_spec({"sysctls": [{"name": "net.core.somaxconn","value": "1024",},{"name": "kernel.msgmax","value": "65536",},]})))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_sysctls_options_container_on_daemonset {
- input := input_obj(review_pod(pod_spec({"sysctls": [{"name": "kernel.shm_rmid_forced","value": "0",},{"name": "net.ipv4.ip_local_port_range","value": "",},{"name": "net.ipv4.ip_unprivileged_port_start","value": "0",},{"name": "net.ipv4.tcp_syncookies","value": "1",},{"name": "net.ipv4.ping_group_range","value": "",}]})))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_sysctls_options_nill_container_on_daemonset {
- input := input_obj(review_daemonset(pod_spec({"sysctls": null})))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_sysctls_options_container_on_replicaset {
- input := input_obj(review_replicaset(pod_spec({"sysctls": [{"name": "net.core.somaxconn","value": "1024",},{"name": "kernel.msgmax","value": "65536",},]})))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_sysctls_options_container_on_replicaset {
- input := input_obj(review_pod(pod_spec({"sysctls": [{"name": "kernel.shm_rmid_forced","value": "0",},{"name": "net.ipv4.ip_local_port_range","value": "",},{"name": "net.ipv4.ip_unprivileged_port_start","value": "0",},{"name": "net.ipv4.tcp_syncookies","value": "1",},{"name": "net.ipv4.ping_group_range","value": "",}]})))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_sysctls_options_nill_container_on_replicaset {
- input := input_obj(review_replicaset(pod_spec({"sysctls": null})))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_sysctls_options_container_on_statefulset {
- input := input_obj(review_statefulset(pod_spec({"sysctls": [{"name": "net.core.somaxconn","value": "1024",},{"name": "kernel.msgmax","value": "65536",},]})))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_sysctls_options_container_on_statefulset {
- input := input_obj(review_pod(pod_spec({"sysctls": [{"name": "kernel.shm_rmid_forced","value": "0",},{"name": "net.ipv4.ip_local_port_range","value": "",},{"name": "net.ipv4.ip_unprivileged_port_start","value": "0",},{"name": "net.ipv4.tcp_syncookies","value": "1",},{"name": "net.ipv4.ping_group_range","value": "",}]})))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_sysctls_options_nill_container_on_statefulset {
- input := input_obj(review_statefulset(pod_spec({"sysctls": null})))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_sysctls_options_container_on_job {
- input := input_obj(review_job(pod_spec({"sysctls": [{"name": "net.core.somaxconn","value": "1024",},{"name": "kernel.msgmax","value": "65536",},]})))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_sysctls_options_container_on_job {
- input := input_obj(review_pod(pod_spec({"sysctls": [{"name": "kernel.shm_rmid_forced","value": "0",},{"name": "net.ipv4.ip_local_port_range","value": "",},{"name": "net.ipv4.ip_unprivileged_port_start","value": "0",},{"name": "net.ipv4.tcp_syncookies","value": "1",},{"name": "net.ipv4.ping_group_range","value": "",}]})))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_sysctls_options_nill_container_on_job {
- input := input_obj(review_job(pod_spec({"sysctls": null})))
- results := violation with input as input
- count(results) == 0
-}
-
-test_not_allowed_sysctls_options_container_on_cronjob {
- input := input_obj(review_cronjob(pod_spec({"sysctls": [{"name": "net.core.somaxconn","value": "1024",},{"name": "kernel.msgmax","value": "65536",},]})))
- results := violation with input as input
- count(results) == 1
-}
-
-test_allowed_sysctls_options_container_on_cronjob {
- input := input_obj(review_pod(pod_spec({"sysctls": [{"name": "kernel.shm_rmid_forced","value": "0",},{"name": "net.ipv4.ip_local_port_range","value": "",},{"name": "net.ipv4.ip_unprivileged_port_start","value": "0",},{"name": "net.ipv4.tcp_syncookies","value": "1",},{"name": "net.ipv4.ping_group_range","value": "",}]})))
- results := violation with input as input
- count(results) == 0
-}
-
-test_allowed_sysctls_options_nill_container_on_cronjob {
- input := input_obj(review_cronjob(pod_spec({"sysctls": null})))
- results := violation with input as input
- count(results) == 0
-}
\ No newline at end of file
diff --git a/templates/constraint_template_pss_apparmor.yaml b/templates/constraint_template_pss_apparmor.yaml
deleted file mode 100644
index 7f3ad49..0000000
--- a/templates/constraint_template_pss_apparmor.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: templates.gatekeeper.sh/v1
-kind: ConstraintTemplate
-metadata:
- name: pssapparmor
-spec:
- crd:
- spec:
- names:
- kind: PssAppArmor
- targets:
- - target: admission.k8s.gatekeeper.sh
- rego: |
-{{.Files.Get "rego/pss_apparmor/policy.rego" | indent 8 }}
diff --git a/templates/constraint_template_pss_host_namespace.yaml b/templates/constraint_template_pss_host_namespace.yaml
deleted file mode 100644
index 00d41a3..0000000
--- a/templates/constraint_template_pss_host_namespace.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: templates.gatekeeper.sh/v1
-kind: ConstraintTemplate
-metadata:
- name: psshostnamespace
-spec:
- crd:
- spec:
- names:
- kind: PssHostNamespace
- targets:
- - target: admission.k8s.gatekeeper.sh
- rego: |
-{{.Files.Get "rego/pss_host_namespaces/policy.rego" | indent 8 }}
diff --git a/templates/constraint_template_pss_hostpath_volume.yaml b/templates/constraint_template_pss_hostpath_volume.yaml
deleted file mode 100644
index 0ff44e4..0000000
--- a/templates/constraint_template_pss_hostpath_volume.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: templates.gatekeeper.sh/v1
-kind: ConstraintTemplate
-metadata:
- name: psshostpathvolume
-spec:
- crd:
- spec:
- names:
- kind: PssHostpathVolume
- targets:
- - target: admission.k8s.gatekeeper.sh
- rego: |
-{{.Files.Get "rego/pss_hostpath_volumes/policy.rego" | indent 8 }}
diff --git a/templates/constraint_template_pss_hostport.yaml b/templates/constraint_template_pss_hostport.yaml
deleted file mode 100644
index 226be26..0000000
--- a/templates/constraint_template_pss_hostport.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: templates.gatekeeper.sh/v1
-kind: ConstraintTemplate
-metadata:
- name: psshostport
-spec:
- crd:
- spec:
- names:
- kind: PssHostPort
- targets:
- - target: admission.k8s.gatekeeper.sh
- rego: |
-{{.Files.Get "rego/pss_hostports/policy.rego" | indent 8 }}
diff --git a/templates/constraint_template_pss_pod_capabilities.yaml b/templates/constraint_template_pss_pod_capabilities.yaml
deleted file mode 100644
index 388eef5..0000000
--- a/templates/constraint_template_pss_pod_capabilities.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: templates.gatekeeper.sh/v1
-kind: ConstraintTemplate
-metadata:
- name: psspodcapabilities
-spec:
- crd:
- spec:
- names:
- kind: PssPodCapabilities
- targets:
- - target: admission.k8s.gatekeeper.sh
- rego: |
-{{.Files.Get "rego/pss_pod_capabilities/policy.rego" | indent 8 }}
diff --git a/templates/constraint_template_pss_privileged.yaml b/templates/constraint_template_pss_privileged.yaml
deleted file mode 100644
index 6f9d08e..0000000
--- a/templates/constraint_template_pss_privileged.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: templates.gatekeeper.sh/v1
-kind: ConstraintTemplate
-metadata:
- name: pssprivilegedpod
-spec:
- crd:
- spec:
- names:
- kind: PssPrivilegedPod
- targets:
- - target: admission.k8s.gatekeeper.sh
- rego: |
-{{.Files.Get "rego/pss_privileged_pods/policy.rego" | indent 8 }}
diff --git a/templates/constraint_template_pss_procmount.yaml b/templates/constraint_template_pss_procmount.yaml
deleted file mode 100644
index 4caafb3..0000000
--- a/templates/constraint_template_pss_procmount.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: templates.gatekeeper.sh/v1
-kind: ConstraintTemplate
-metadata:
- name: pssprocmount
-spec:
- crd:
- spec:
- names:
- kind: PssProcMount
- targets:
- - target: admission.k8s.gatekeeper.sh
- rego: |
-{{.Files.Get "rego/pss_procmounts/policy.rego" | indent 8 }}
diff --git a/templates/constraint_template_pss_seccomp.yaml b/templates/constraint_template_pss_seccomp.yaml
deleted file mode 100644
index 35e5f3a..0000000
--- a/templates/constraint_template_pss_seccomp.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: templates.gatekeeper.sh/v1
-kind: ConstraintTemplate
-metadata:
- name: pssseccomp
-spec:
- crd:
- spec:
- names:
- kind: PssSeccomp
- targets:
- - target: admission.k8s.gatekeeper.sh
- rego: |
-{{.Files.Get "rego/pss_seccomp/policy.rego" | indent 8 }}
diff --git a/templates/constraint_template_pss_selinux.yaml b/templates/constraint_template_pss_selinux.yaml
deleted file mode 100644
index 238bad8..0000000
--- a/templates/constraint_template_pss_selinux.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: templates.gatekeeper.sh/v1
-kind: ConstraintTemplate
-metadata:
- name: pssselinux
-spec:
- crd:
- spec:
- names:
- kind: PssSELinux
- targets:
- - target: admission.k8s.gatekeeper.sh
- rego: |
-{{.Files.Get "rego/pss_selinux/policy.rego" | indent 8 }}
diff --git a/templates/constraint_template_pss_sysctl_options.yaml b/templates/constraint_template_pss_sysctl_options.yaml
deleted file mode 100644
index cc82ffe..0000000
--- a/templates/constraint_template_pss_sysctl_options.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: templates.gatekeeper.sh/v1
-kind: ConstraintTemplate
-metadata:
- name: psssysctlsoptions
-spec:
- crd:
- spec:
- names:
- kind: PssSysctlsOptions
- targets:
- - target: admission.k8s.gatekeeper.sh
- rego: |
-{{.Files.Get "rego/pss_sysctl_options/policy.rego" | indent 8 }}
--
GitLab