From cfcef15c7e4aee17e65958dfefe85272b1914c2b Mon Sep 17 00:00:00 2001 From: Brandon Booker <bbooker@vt.edu> Date: Tue, 28 Jan 2025 18:58:36 +0000 Subject: [PATCH] PLATFORM-2982 - remove pss policies --- Chart.yaml | 2 +- README.md | 1 - rego/pss_apparmor/policy.rego | 111 --- rego/pss_apparmor/policy_test.rego | 374 ---------- rego/pss_host_namespaces/policy.rego | 139 ---- rego/pss_host_namespaces/policy_test.rego | 421 ----------- rego/pss_hostpath_volumes/policy.rego | 109 --- rego/pss_hostpath_volumes/policy_test.rego | 239 ------- rego/pss_hostports/policy.rego | 108 --- rego/pss_hostports/policy_test.rego | 345 --------- rego/pss_pod_capabilities/policy.rego | 111 --- rego/pss_pod_capabilities/policy_test.rego | 585 --------------- rego/pss_privileged_pods/policy.rego | 106 --- rego/pss_privileged_pods/policy_test.rego | 224 ------ rego/pss_procmounts/policy.rego | 108 --- rego/pss_procmounts/policy_test.rego | 454 ------------ rego/pss_seccomp/policy.rego | 121 ---- rego/pss_seccomp/policy_test.rego | 671 ------------------ rego/pss_selinux/policy.rego | 142 ---- rego/pss_selinux/policy_test.rego | 663 ----------------- rego/pss_sysctl_options/policy.rego | 109 --- rego/pss_sysctl_options/policy_test.rego | 268 ------- .../constraint_template_pss_apparmor.yaml | 13 - ...onstraint_template_pss_host_namespace.yaml | 13 - ...nstraint_template_pss_hostpath_volume.yaml | 13 - .../constraint_template_pss_hostport.yaml | 13 - ...straint_template_pss_pod_capabilities.yaml | 13 - .../constraint_template_pss_privileged.yaml | 13 - .../constraint_template_pss_procmount.yaml | 13 - .../constraint_template_pss_seccomp.yaml | 13 - .../constraint_template_pss_selinux.yaml | 13 - ...onstraint_template_pss_sysctl_options.yaml | 13 - 32 files changed, 1 insertion(+), 5540 deletions(-) delete mode 100644 rego/pss_apparmor/policy.rego delete mode 100644 rego/pss_apparmor/policy_test.rego delete mode 100644 rego/pss_host_namespaces/policy.rego delete mode 100644 rego/pss_host_namespaces/policy_test.rego delete mode 100644 rego/pss_hostpath_volumes/policy.rego delete mode 100644 rego/pss_hostpath_volumes/policy_test.rego delete mode 100644 rego/pss_hostports/policy.rego delete mode 100644 rego/pss_hostports/policy_test.rego delete mode 100644 rego/pss_pod_capabilities/policy.rego delete mode 100644 rego/pss_pod_capabilities/policy_test.rego delete mode 100644 rego/pss_privileged_pods/policy.rego delete mode 100644 rego/pss_privileged_pods/policy_test.rego delete mode 100644 rego/pss_procmounts/policy.rego delete mode 100644 rego/pss_procmounts/policy_test.rego delete mode 100644 rego/pss_seccomp/policy.rego delete mode 100644 rego/pss_seccomp/policy_test.rego delete mode 100644 rego/pss_selinux/policy.rego delete mode 100644 rego/pss_selinux/policy_test.rego delete mode 100644 rego/pss_sysctl_options/policy.rego delete mode 100644 rego/pss_sysctl_options/policy_test.rego delete mode 100644 templates/constraint_template_pss_apparmor.yaml delete mode 100644 templates/constraint_template_pss_host_namespace.yaml delete mode 100644 templates/constraint_template_pss_hostpath_volume.yaml delete mode 100644 templates/constraint_template_pss_hostport.yaml delete mode 100644 templates/constraint_template_pss_pod_capabilities.yaml delete mode 100644 templates/constraint_template_pss_privileged.yaml delete mode 100644 templates/constraint_template_pss_procmount.yaml delete mode 100644 templates/constraint_template_pss_seccomp.yaml delete mode 100644 templates/constraint_template_pss_selinux.yaml delete mode 100644 templates/constraint_template_pss_sysctl_options.yaml diff --git a/Chart.yaml b/Chart.yaml index cc6a546..b33aff3 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,4 +1,4 @@ apiVersion: v2 name: constraint-templates -version: 1.7.2 +version: 2.0.0 appVersion: 1.0.0 diff --git a/README.md b/README.md index ffb37cb..496893f 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,6 @@ The following policies are defined within this chart: - `BlockNodePort` - prevents NodePort Services from being defined - `ContainerResourceQuotas` - requires CPU/memory definitions for resource requests and limits - `FluxTenant` - ensures the `serviceAccountName` and `targetNamespace` fields are specified and that the `targetNamespace` matches the namespace on Kustomization and HelmRelease objects, preventing namespace escapes -- `Pss*` - each policy implements one of the policies listed in the [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) ## Development diff --git a/rego/pss_apparmor/policy.rego b/rego/pss_apparmor/policy.rego deleted file mode 100644 index 9d40672..0000000 --- a/rego/pss_apparmor/policy.rego +++ /dev/null @@ -1,111 +0,0 @@ -package pss_apparmor - -apparmor_keys[containerName] = key { - containerName := containers[_].name - key := sprintf("%s/%s", ["container.apparmor.security.beta.kubernetes.io", containerName]) -} - -custom_apparmor_containers[containerName] { - key := apparmor_keys[containerName] - annotation := annotations[_] - val = annotation[key] - val != "runtime/default" - not startswith(val, "localhost/") -} - -violation[msg] { - failedContainer := custom_apparmor_containers[_] - - msg := format(sprintf("Container '%s' of %s '%s' should specify an AppArmor profile", [failedContainer, kind, name])) -} - -################### LIBRARY ################### - -default is_gatekeeper = true - -object = input.review.object { - is_gatekeeper -} - -format(msg) = gatekeeper_format { - is_gatekeeper - gatekeeper_format = {"msg": msg} -} - -name = object.metadata.name - -kind = object.kind - -is_pod { - kind = "Pod" -} - -is_cronjob { - kind = "CronJob" -} - -default is_controller = false - -is_controller { - kind = "Deployment" -} - -is_controller { - kind = "StatefulSet" -} - -is_controller { - kind = "DaemonSet" -} - -is_controller { - kind = "ReplicaSet" -} - -is_controller { - kind = "ReplicationController" -} - -is_controller { - kind = "Job" -} - -pod_containers(pod) = all_containers { - keys = {"containers", "initContainers"} - all_containers = [c | keys[k]; c = pod.spec[k][_]] -} - -containers[container] { - pods[pod] - all_containers = pod_containers(pod) - container = all_containers[_] -} - -containers[container] { - all_containers = pod_containers(object) - container = all_containers[_] -} - -annotations[annotation] { - pods[pod] - annotation = pod.metadata.annotations -} - -pods[pod] { - is_pod - pod = object -} - -pods[pod] { - is_controller - pod = object.spec.template -} - -pods[pod] { - is_cronjob - pod = object.spec.jobTemplate.spec.template -} - -has_field(obj, field) { - obj[field] -} diff --git a/rego/pss_apparmor/policy_test.rego b/rego/pss_apparmor/policy_test.rego deleted file mode 100644 index e199012..0000000 --- a/rego/pss_apparmor/policy_test.rego +++ /dev/null @@ -1,374 +0,0 @@ -package pss_apparmor - -################Helpers############################## - -review_pod(annotations) = out { - out = { - "object": { - "kind": "Pod", - "apiVersion": "v1", - "metadata": { - "name": "my-pod", - "annotations": annotations, - }, - "spec": { - "containers": [ {"name" : "hello"}, ], - }, - } - } -} - -review_deployment(annotations) = out { - out = { - "object": { - "kind": "Deployment", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-deployment", - }, - "spec": { - "template": { - "metadata": { - "annotations": annotations, - }, - "spec": { - "containers": [ {"name" : "hello"}, ], - }, - } - } - } - } -} - -review_daemonset(annotations) = out { - out = { - "object": { - "kind": "DaemonSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-daemonset", - }, - "spec": { - "template": { - "metadata": { - "annotations": annotations, - }, - "spec": { - "containers": [ {"name" : "hello"}, ], - }, - } - } - } - } -} - -review_replicaset(annotations) = out { - out = { - "object": { - "kind": "ReplicaSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-replicaset", - }, - "spec": { - "template": { - "metadata": { - "annotations": annotations, - }, - "spec": { - "containers": [ {"name" : "hello"}, ], - }, - } - } - } - } -} - -review_statefulset(annotations) = out { - out = { - "object": { - "kind": "StatefulSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-statefulset", - }, - "spec": { - "template": { - "metadata": { - "annotations": annotations, - }, - "spec": { - "containers": [ {"name" : "hello"}, ], - }, - } - } - } - } -} - -review_job(annotations) = out { - out = { - "object": { - "kind": "Job", - "apiVersion": "batch/v1", - "metadata": { - "name": "my-job", - }, - "spec": { - "template": { - "metadata": { - "annotations": annotations, - }, - "spec": { - "containers": [ {"name" : "hello"}, ], - }, - } - } - } - } -} - -review_cronjob(annotations) = out { - out = { - "object": { - "kind": "CronJob", - "apiVersion": "batch/v1", - "metadata": { - "name": "my-cronjob", - }, - "spec": { - "jobTemplate": { - "spec" : { - "template": { - "metadata": { - "annotations": annotations, - }, - "spec": { - "containers": [ {"name" : "hello"}, ], - }, - } - } - } - } - } - } -} - -input_obj(review) = out { - out = { - "parameters": {}, - "review": review - } -} - -################Container Tests###################### - -test_not_allowed_apparmor_profile_container_on_pod { - input := input_obj(review_pod({"container.apparmor.security.beta.kubernetes.io/hello":"custom"})) - results := violation with input as input - count(results) == 1 -} - -test_allowed_when_apparmor_profile_specified_on_nonexisting_container_on_pod { - input := input_obj(review_pod({"container.apparmor.security.beta.kubernetes.io/something-else":"custom"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_localhost_apparmor_profile_container_on_pod { - input := input_obj(review_pod({"container.apparmor.security.beta.kubernetes.io/hello":"localhost/test"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_apparmor_profile_container_on_pod { - input := input_obj(review_pod({"container.apparmor.security.beta.kubernetes.io/hello":"runtime/default"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_apparmor_profile_nill_container_on_pod { - input := input_obj(review_pod(null)) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_apparmor_profile_container_on_deployment { - input := input_obj(review_deployment({"container.apparmor.security.beta.kubernetes.io/hello":"custom"})) - results := violation with input as input - count(results) == 1 -} - -test_allowed_when_apparmor_profile_specified_on_nonexisting_container_on_pod { - input := input_obj(review_deployment({"container.apparmor.security.beta.kubernetes.io/something-else":"custom"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_localhost_apparmor_profile_container_on_pod { - input := input_obj(review_deployment({"container.apparmor.security.beta.kubernetes.io/hello":"localhost/test"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_apparmor_profile_container_on_deployment { - input := input_obj(review_deployment({"container.apparmor.security.beta.kubernetes.io/hello":"runtime/default"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_apparmor_profile_nill_container_on_deployment { - input := input_obj(review_deployment(null)) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_apparmor_profile_container_on_daemonset { - input := input_obj(review_daemonset({"container.apparmor.security.beta.kubernetes.io/hello":"custom"})) - results := violation with input as input - count(results) == 1 -} - -test_allowed_when_apparmor_profile_specified_on_nonexisting_container_on_pod { - input := input_obj(review_daemonset({"container.apparmor.security.beta.kubernetes.io/something-else":"custom"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_localhost_apparmor_profile_container_on_pod { - input := input_obj(review_daemonset({"container.apparmor.security.beta.kubernetes.io/hello":"localhost/test"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_apparmor_profile_container_on_daemonset { - input := input_obj(review_daemonset({"container.apparmor.security.beta.kubernetes.io/hello":"runtime/default"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_apparmor_profile_nill_container_on_daemonset { - input := input_obj(review_daemonset(null)) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_apparmor_profile_container_on_replicaset { - input := input_obj(review_replicaset({"container.apparmor.security.beta.kubernetes.io/hello":"custom"})) - results := violation with input as input - count(results) == 1 -} - -test_allowed_when_apparmor_profile_specified_on_nonexisting_container_on_pod { - input := input_obj(review_replicaset({"container.apparmor.security.beta.kubernetes.io/something-else":"custom"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_localhost_apparmor_profile_container_on_pod { - input := input_obj(review_replicaset({"container.apparmor.security.beta.kubernetes.io/hello":"localhost/test"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_apparmor_profile_container_on_replicaset { - input := input_obj(review_replicaset({"container.apparmor.security.beta.kubernetes.io/hello":"runtime/default"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_apparmor_profile_nill_container_on_replicaset { - input := input_obj(review_replicaset(null)) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_apparmor_profile_container_on_statefulset { - input := input_obj(review_statefulset({"container.apparmor.security.beta.kubernetes.io/hello":"custom"})) - results := violation with input as input - count(results) == 1 -} - -test_allowed_when_apparmor_profile_specified_on_nonexisting_container_on_pod { - input := input_obj(review_statefulset({"container.apparmor.security.beta.kubernetes.io/something-else":"custom"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_localhost_apparmor_profile_container_on_pod { - input := input_obj(review_statefulset({"container.apparmor.security.beta.kubernetes.io/hello":"localhost/test"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_apparmor_profile_container_on_statefulset { - input := input_obj(review_statefulset({"container.apparmor.security.beta.kubernetes.io/hello":"runtime/default"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_apparmor_profile_nill_container_on_statefulset { - input := input_obj(review_statefulset(null)) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_apparmor_profile_container_on_job { - input := input_obj(review_job({"container.apparmor.security.beta.kubernetes.io/hello":"custom"})) - results := violation with input as input - count(results) == 1 -} - -test_allowed_when_apparmor_profile_specified_on_nonexisting_container_on_pod { - input := input_obj(review_job({"container.apparmor.security.beta.kubernetes.io/something-else":"custom"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_localhost_apparmor_profile_container_on_pod { - input := input_obj(review_job({"container.apparmor.security.beta.kubernetes.io/hello":"localhost/test"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_apparmor_profile_container_on_job { - input := input_obj(review_job({"container.apparmor.security.beta.kubernetes.io/hello":"runtime/default"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_apparmor_profile_nill_container_on_job { - input := input_obj(review_job(null)) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_apparmor_profile_container_on_cronjob { - input := input_obj(review_cronjob({"container.apparmor.security.beta.kubernetes.io/hello":"custom"})) - results := violation with input as input - count(results) == 1 -} - -test_allowed_when_apparmor_profile_specified_on_nonexisting_container_on_pod { - input := input_obj(review_cronjob({"container.apparmor.security.beta.kubernetes.io/something-else":"custom"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_localhost_apparmor_profile_container_on_pod { - input := input_obj(review_cronjob({"container.apparmor.security.beta.kubernetes.io/hello":"localhost/test"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_apparmor_profile_container_on_cronjob { - input := input_obj(review_cronjob({"container.apparmor.security.beta.kubernetes.io/hello":"runtime/default"})) - results := violation with input as input - count(results) == 0 -} - -test_allowed_apparmor_profile_nill_container_on_cronjob { - input := input_obj(review_cronjob(null)) - results := violation with input as input - count(results) == 0 -} \ No newline at end of file diff --git a/rego/pss_host_namespaces/policy.rego b/rego/pss_host_namespaces/policy.rego deleted file mode 100644 index 2d6854f..0000000 --- a/rego/pss_host_namespaces/policy.rego +++ /dev/null @@ -1,139 +0,0 @@ -package pss_hostnamespaces - - -violation[msg] { - failHostNetwork - - msg := format(sprintf("%s '%s' should not set 'spec.template.spec.hostNetwork' to true", [kind, name])) -} - -violation[msg] { - failHostIPC - - msg := format(sprintf("%s '%s' should not set 'spec.template.spec.hostIPC' to true", [kind, name])) -} - -violation[msg] { - failHostPID - - msg := format(sprintf("%s '%s' should not set 'spec.template.spec.hostPID' to true", [kind, name])) -} - -# failHostNetwork is true if spec.hostNetwork is set to true (on all controllers) -failHostNetwork { - host_networks[_] == true -} - -# failHostIPC is true if spec.hostIPC is set to true (on all resources) -failHostIPC { - host_ipcs[_] == true -} - -# failHostPID is true if spec.hostPID is set to true (on all controllers) -failHostPID { - host_pids[_] == true -} - - - -################### LIBRARY ################### - - -default is_gatekeeper = true - -object = input.review.object { - is_gatekeeper -} - -format(msg) = gatekeeper_format { - is_gatekeeper - gatekeeper_format = {"msg": msg} -} - -name = object.metadata.name - -kind = object.kind - -is_pod { - kind = "Pod" -} - -is_cronjob { - kind = "CronJob" -} - -default is_controller = false - -is_controller { - kind = "Deployment" -} - -is_controller { - kind = "StatefulSet" -} - -is_controller { - kind = "DaemonSet" -} - -is_controller { - kind = "ReplicaSet" -} - -is_controller { - kind = "ReplicationController" -} - -is_controller { - kind = "Job" -} - -pod_containers(pod) = all_containers { - keys = {"containers", "initContainers"} - all_containers = [c | keys[k]; c = pod.spec[k][_]] -} - -containers[container] { - pods[pod] - all_containers = pod_containers(pod) - container = all_containers[_] -} - -containers[container] { - all_containers = pod_containers(object) - container = all_containers[_] -} - -pods[pod] { - is_pod - pod = object -} - -pods[pod] { - is_controller - pod = object.spec.template -} - -pods[pod] { - is_cronjob - pod = object.spec.jobTemplate.spec.template -} - -has_field(obj, field) { - obj[field] -} - -host_networks[host_network] { - pods[pod] - host_network = pod.spec.hostNetwork -} - -host_ipcs[host_ipc] { - pods[pod] - host_ipc = pod.spec.hostIPC -} - -host_pids[host_pid] { - pods[pod] - host_pid = pod.spec.hostPID -} diff --git a/rego/pss_host_namespaces/policy_test.rego b/rego/pss_host_namespaces/policy_test.rego deleted file mode 100644 index 3b89e8c..0000000 --- a/rego/pss_host_namespaces/policy_test.rego +++ /dev/null @@ -1,421 +0,0 @@ -package pss_hostnamespaces - -test_host_network_on_pod { - pod_spec := {"spec":{"hostNetwork":true}} - input := input_obj(pod_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_network_on_pod { - pod_spec := {"spec":{"hostNetwork":false}} - input := input_obj(pod_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_host_ipc_on_pod { - pod_spec := {"spec":{"hostIPC":true}} - input := input_obj(pod_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_ipc_on_pod { - pod_spec := {"spec":{"hostIPC":false}} - input := input_obj(pod_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_host_pid_on_pod { - pod_spec := {"spec":{"hostPID":true}} - input := input_obj(pod_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_pid_on_pod { - pod_spec := {"spec":{"hostPID":false}} - input := input_obj(pod_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_host_network_on_deployment { - pod_spec := {"spec":{"hostNetwork":true}} - input := input_obj(deployment_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_network_on_deployment { - pod_spec := {"spec":{"hostNetwork":false}} - input := input_obj(deployment_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_host_ipc_on_deployment { - pod_spec := {"spec":{"hostIPC":true}} - input := input_obj(deployment_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_ipc_on_deployment { - pod_spec := {"spec":{"hostIPC":false}} - input := input_obj(deployment_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_host_pid_on_deployment { - pod_spec := {"spec":{"hostPID":true}} - input := input_obj(deployment_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_pid_on_deployment { - pod_spec := {"spec":{"hostPID":false}} - input := input_obj(deployment_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_host_network_on_daemonset { - pod_spec := {"spec":{"hostNetwork":true}} - input := input_obj(daemonset_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_network_on_daemonset { - pod_spec := {"spec":{"hostNetwork":false}} - input := input_obj(daemonset_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_host_ipc_on_daemonset { - pod_spec := {"spec":{"hostIPC":true}} - input := input_obj(daemonset_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_ipc_on_daemonset { - pod_spec := {"spec":{"hostIPC":false}} - input := input_obj(daemonset_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_host_pid_on_daemonset { - pod_spec := {"spec":{"hostPID":true}} - input := input_obj(daemonset_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_pid_on_daemonset { - pod_spec := {"spec":{"hostPID":false}} - input := input_obj(daemonset_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_host_network_on_replicaset { - pod_spec := {"spec":{"hostNetwork":true}} - input := input_obj(replicaset_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_network_on_replicaset { - pod_spec := {"spec":{"hostNetwork":false}} - input := input_obj(replicaset_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_host_ipc_on_replicaset { - pod_spec := {"spec":{"hostIPC":true}} - input := input_obj(replicaset_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_ipc_on_replicaset { - pod_spec := {"spec":{"hostIPC":false}} - input := input_obj(replicaset_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_host_pid_on_replicaset { - pod_spec := {"spec":{"hostPID":true}} - input := input_obj(replicaset_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_pid_on_replicaset { - pod_spec := {"spec":{"hostPID":false}} - input := input_obj(replicaset_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_host_network_on_statefulset { - pod_spec := {"spec":{"hostNetwork":true}} - input := input_obj(statefulset_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_network_on_statefulset { - pod_spec := {"spec":{"hostNetwork":false}} - input := input_obj(statefulset_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_host_ipc_on_statefulset { - pod_spec := {"spec":{"hostIPC":true}} - input := input_obj(statefulset_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_ipc_on_statefulset { - pod_spec := {"spec":{"hostIPC":false}} - input := input_obj(statefulset_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_host_pid_on_statefulset { - pod_spec := {"spec":{"hostPID":true}} - input := input_obj(statefulset_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_pid_on_statefulset { - pod_spec := {"spec":{"hostPID":false}} - input := input_obj(statefulset_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_host_network_on_job { - pod_spec := {"spec":{"hostNetwork":true}} - input := input_obj(job_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_network_on_job { - pod_spec := {"spec":{"hostNetwork":false}} - input := input_obj(job_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_host_ipc_on_job { - pod_spec := {"spec":{"hostIPC":true}} - input := input_obj(job_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_ipc_on_job { - pod_spec := {"spec":{"hostIPC":false}} - input := input_obj(job_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_host_pid_on_job { - pod_spec := {"spec":{"hostPID":true}} - input := input_obj(job_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_pid_on_job { - pod_spec := {"spec":{"hostPID":false}} - input := input_obj(job_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_host_network_on_cronjob { - pod_spec := {"spec":{"hostNetwork":true}} - input := input_obj(cronjob_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_network_on_cronjob { - pod_spec := {"spec":{"hostNetwork":false}} - input := input_obj(cronjob_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_host_ipc_on_cronjob { - pod_spec := {"spec":{"hostIPC":true}} - input := input_obj(cronjob_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_ipc_on_cronjob { - pod_spec := {"spec":{"hostIPC":false}} - input := input_obj(cronjob_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_host_pid_on_cronjob { - pod_spec := {"spec":{"hostPID":true}} - input := input_obj(cronjob_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_host_pid_on_cronjob { - pod_spec := {"spec":{"hostPID":false}} - input := input_obj(cronjob_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -pod_definition(pod_spec) = out { - out = { - "object": { - "kind": "Pod", - "apiVersion": "v1", - "metadata": { - "name": "my-pod", - }, - "spec": pod_spec.spec - } - } -} - -deployment_definition(pod_spec) = out { - out = { - "object": { - "kind": "Deployment", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-deployment", - }, - "spec": { - "template": { - "spec": pod_spec.spec - } - } - } - } -} - -daemonset_definition(pod_spec) = out { - out = { - "object": { - "kind": "DaemonSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-daemonset", - }, - "spec": { - "template": { - "spec": pod_spec.spec - } - } - } - } -} - -replicaset_definition(pod_spec) = out { - out = { - "object": { - "kind": "ReplicaSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-replicaset", - }, - "spec": { - "template": { - "spec": pod_spec.spec - } - } - } - } -} - -statefulset_definition(pod_spec) = out { - out = { - "object": { - "kind": "StatefulSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-statefulset", - }, - "spec": { - "template": { - "spec": pod_spec.spec - } - } - } - } -} - -job_definition(pod_spec) = out { - out = { - "object": { - "kind": "Job", - "apiVersion": "batch/v1", - "metadata": { - "name": "my-job", - }, - "spec": { - "template": { - "spec": pod_spec.spec - } - } - } - } -} - -cronjob_definition(pod_spec) = out { - out = { - "object": { - "kind": "CronJob", - "apiVersion": "batch/v1", - "metadata": { - "name": "my-cronjob", - }, - "spec": { - "jobTemplate": { - "spec" : { - "template": { - "spec": pod_spec.spec - } - } - } - } - } - } -} - -input_obj(review) = out { - out = { - "parameters": {}, - "review": review - } -} diff --git a/rego/pss_hostpath_volumes/policy.rego b/rego/pss_hostpath_volumes/policy.rego deleted file mode 100644 index 75e9ec2..0000000 --- a/rego/pss_hostpath_volumes/policy.rego +++ /dev/null @@ -1,109 +0,0 @@ -package pss_hostpathvolumes - - -violation[msg] { - failHostPathVolume - - msg := format(sprintf("%s '%s' should not set 'spec.template.volumes.hostPath'", [kind, name])) -} - -failHostPathVolume { - allVolumes := volumes - has_key(allVolumes[_], "hostPath") -} - - -################### LIBRARY ################### - -default is_gatekeeper = true - -object = input.review.object { - is_gatekeeper -} - -format(msg) = gatekeeper_format { - is_gatekeeper - gatekeeper_format = {"msg": msg} -} - -name = object.metadata.name - -kind = object.kind - -is_pod { - kind = "Pod" -} - -is_cronjob { - kind = "CronJob" -} - -default is_controller = false - -is_controller { - kind = "Deployment" -} - -is_controller { - kind = "StatefulSet" -} - -is_controller { - kind = "DaemonSet" -} - -is_controller { - kind = "ReplicaSet" -} - -is_controller { - kind = "ReplicationController" -} - -is_controller { - kind = "Job" -} - -pod_containers(pod) = all_containers { - keys = {"containers", "initContainers", "ephemeralContainers"} - all_containers = [c | keys[k]; c = pod.spec[k][_]] -} - -containers[container] { - pods[pod] - all_containers = pod_containers(pod) - container = all_containers[_] -} - -containers[container] { - all_containers = pod_containers(object) - container = all_containers[_] -} - -pods[pod] { - is_pod - pod = object -} - -pods[pod] { - is_controller - pod = object.spec.template -} - -pods[pod] { - is_cronjob - pod = object.spec.jobTemplate.spec.template -} - -volumes[volume] { - pods[pod] - volume = pod.spec.volumes[_] -} - -has_field(obj, field) { - obj[field] -} - -has_key(x, k) { - _ = x[k] -} diff --git a/rego/pss_hostpath_volumes/policy_test.rego b/rego/pss_hostpath_volumes/policy_test.rego deleted file mode 100644 index b3e47b4..0000000 --- a/rego/pss_hostpath_volumes/policy_test.rego +++ /dev/null @@ -1,239 +0,0 @@ -package pss_hostpathvolumes - -test_hostpath_on_pod { - pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}},{"name":"test-volume","hostPath":{"path":"/data","type":"Directory"}}]} - input := input_obj(pod_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_hostpath_on_pod { - pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":"{}"}]} - input := input_obj(pod_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_hostpath_on_deployment { - pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}},{"name":"test-volume","hostPath":{"path":"/data","type":"Directory"}}]} - input := input_obj(deployment_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_hostpath_on_deployment { - pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}}]} - input := input_obj(deployment_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_hostpath_on_daemonset { - pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}},{"name":"test-volume","hostPath":{"path":"/data","type":"Directory"}}]} - input := input_obj(daemonset_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_hostpath_on_daemonset { - pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}}]} - input := input_obj(daemonset_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_hostpath_on_replicaset { - pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}},{"name":"test-volume","hostPath":{"path":"/data","type":"Directory"}}]} - input := input_obj(replicaset_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_hostpath_on_replicaset { - pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}}]} - input := input_obj(replicaset_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_hostpath_on_statefulset { - pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}},{"name":"test-volume","hostPath":{"path":"/data","type":"Directory"}}]} - input := input_obj(statefulset_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_hostpath_on_statefulset { - pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}}]} - input := input_obj(statefulset_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_hostpath_on_job { - pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}},{"name":"test-volume","hostPath":{"path":"/data","type":"Directory"}}]} - input := input_obj(job_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_hostpath_on_job { - pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}}]} - input := input_obj(job_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -test_hostpath_on_cronjob { - pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}},{"name":"test-volume","hostPath":{"path":"/data","type":"Directory"}}]} - input := input_obj(cronjob_definition(pod_spec)) - results := violation with input as input - count(results) == 1 -} - -test_no_hostpath_on_cronjob { - pod_spec := {"volumes":[{"name":"cache-volume","emptyDir":{}}]} - input := input_obj(cronjob_definition(pod_spec)) - results := violation with input as input - count(results) == 0 -} - -pod_definition(pod_spec) = out { - out = { - "object": { - "kind": "Pod", - "apiVersion": "v1", - "metadata": { - "name": "my-pod", - }, - "spec": { - "volumes": pod_spec.volumes - } - } - } -} - -deployment_definition(pod_spec) = out { - out = { - "object": { - "kind": "Deployment", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-deployment", - }, - "spec": { - "template": { - "spec": { - "volumes": pod_spec.volumes - } - } - } - } - } -} - -daemonset_definition(pod_spec) = out { - out = { - "object": { - "kind": "DaemonSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-daemonset", - }, - "spec": { - "template": { - "spec": { - "volumes": pod_spec.volumes - } - } - } - } - } -} - -replicaset_definition(pod_spec) = out { - out = { - "object": { - "kind": "ReplicaSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-replicaset", - }, - "spec": { - "template": { - "spec": { - "volumes": pod_spec.volumes - } - } - } - } - } -} - -statefulset_definition(pod_spec) = out { - out = { - "object": { - "kind": "StatefulSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-statefulset", - }, - "spec": { - "template": { - "spec": { - "volumes": pod_spec.volumes - } - } - } - } - } -} - -job_definition(pod_spec) = out { - out = { - "object": { - "kind": "Job", - "apiVersion": "batch/v1", - "metadata": { - "name": "my-job", - }, - "spec": { - "template": { - "spec": { - "volumes": pod_spec.volumes - } - } - } - } - } -} - -cronjob_definition(pod_spec) = out { - out = { - "object": { - "kind": "CronJob", - "apiVersion": "batch/v1", - "metadata": { - "name": "my-cronjob", - }, - "spec": { - "jobTemplate": { - "spec" : { - "template": { - "spec": { - "volumes": pod_spec.volumes - } - } - } - } - } - } - } -} - -input_obj(review) = out { - out = { - "parameters": {}, - "review": review - } -} diff --git a/rego/pss_hostports/policy.rego b/rego/pss_hostports/policy.rego deleted file mode 100644 index c5399d3..0000000 --- a/rego/pss_hostports/policy.rego +++ /dev/null @@ -1,108 +0,0 @@ -package pss_hostports - - -violation[msg] { - failHostPorts := getContainersWithHostPorts - count(failHostPorts) > 0 - - msg := format(sprintf("Container '%s' of %s '%s' should not set host ports", [failHostPorts[_], kind, name])) - -} - -getContainersWithHostPorts[container] { - allContainers := containers[_] - hostport_present := allContainers.ports[_].hostPort - container := allContainers.name -} - - - - - - -################### LIBRARY ################### - - -default is_gatekeeper = true - -object = input.review.object { - is_gatekeeper -} - -format(msg) = gatekeeper_format { - is_gatekeeper - gatekeeper_format = {"msg": msg} -} - -name = object.metadata.name - -kind = object.kind - -is_pod { - kind = "Pod" -} - -is_cronjob { - kind = "CronJob" -} - -default is_controller = false - -is_controller { - kind = "Deployment" -} - -is_controller { - kind = "StatefulSet" -} - -is_controller { - kind = "DaemonSet" -} - -is_controller { - kind = "ReplicaSet" -} - -is_controller { - kind = "ReplicationController" -} - -is_controller { - kind = "Job" -} - -pod_containers(pod) = all_containers { - keys = {"containers", "initContainers"} - all_containers = [c | keys[k]; c = pod.spec[k][_]] -} - -containers[container] { - pods[pod] - all_containers = pod_containers(pod) - container = all_containers[_] -} - -containers[container] { - all_containers = pod_containers(object) - container = all_containers[_] -} - -pods[pod] { - is_pod - pod = object -} - -pods[pod] { - is_controller - pod = object.spec.template -} - -pods[pod] { - is_cronjob - pod = object.spec.jobTemplate.spec.template -} - -has_field(obj, field) { - obj[field] -} diff --git a/rego/pss_hostports/policy_test.rego b/rego/pss_hostports/policy_test.rego deleted file mode 100644 index c9f47a5..0000000 --- a/rego/pss_hostports/policy_test.rego +++ /dev/null @@ -1,345 +0,0 @@ -package pss_hostports - -test_container_with_hostport_on_pod { - container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]} - input := input_obj(review_pod(pod_spec(container_ports))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_hostport_on_pod { - container_ports := {"ports":[{"containerPort": 80}]} - input := input_obj(review_pod(pod_spec(container_ports))) - results := violation with input as input - count(results) == 0 -} - -test_container_with_hostport_on_deployment { - container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]} - input := input_obj(review_deployment(pod_spec(container_ports))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_hostport_on_deployment { - container_ports := {"ports":[{"containerPort": 80}]} - input := input_obj(review_deployment(pod_spec(container_ports))) - results := violation with input as input - count(results) == 0 -} - -test_container_with_hostport_on_daemonset { - container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]} - input := input_obj(review_daemonset(pod_spec(container_ports))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_hostport_on_daemonset { - container_ports := {"ports":[{"containerPort": 80}]} - input := input_obj(review_daemonset(pod_spec(container_ports))) - results := violation with input as input - count(results) == 0 -} - -test_container_with_hostport_on_replicaset { - container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]} - input := input_obj(review_replicaset(pod_spec(container_ports))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_hostport_on_replicaset { - container_ports := {"ports":[{"containerPort": 80}]} - input := input_obj(review_replicaset(pod_spec(container_ports))) - results := violation with input as input - count(results) == 0 -} - -test_container_with_hostport_on_statefulset { - container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]} - input := input_obj(review_statefulset(pod_spec(container_ports))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_hostport_on_statefulset { - container_ports := {"ports":[{"containerPort": 80}]} - input := input_obj(review_statefulset(pod_spec(container_ports))) - results := violation with input as input - count(results) == 0 -} - -test_container_with_hostport_on_job { - container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]} - input := input_obj(review_job(pod_spec(container_ports))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_hostport_on_job { - container_ports := {"ports":[{"containerPort": 80}]} - input := input_obj(review_job(pod_spec(container_ports))) - results := violation with input as input - count(results) == 0 -} - -test_container_with_hostport_on_cronjob { - container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]} - input := input_obj(review_cronjob(pod_spec(container_ports))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_hostport_on_cronjob { - container_ports := {"ports":[{"containerPort": 80}]} - input := input_obj(review_cronjob(pod_spec(container_ports))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_hostport_on_pod { - container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]} - input := input_obj(review_pod(pod_spec_init_containers(container_ports))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_hostport_on_pod { - container_ports := {"ports":[{"containerPort": 80}]} - input := input_obj(review_pod(pod_spec_init_containers(container_ports))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_hostport_on_deployment { - container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]} - input := input_obj(review_deployment(pod_spec_init_containers(container_ports))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_hostport_on_deployment { - container_ports := {"ports":[{"containerPort": 80}]} - input := input_obj(review_deployment(pod_spec_init_containers(container_ports))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_hostport_on_daemonset { - container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]} - input := input_obj(review_daemonset(pod_spec_init_containers(container_ports))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_hostport_on_daemonset { - container_ports := {"ports":[{"containerPort": 80}]} - input := input_obj(review_daemonset(pod_spec_init_containers(container_ports))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_hostport_on_replicaset { - container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]} - input := input_obj(review_replicaset(pod_spec_init_containers(container_ports))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_hostport_on_replicaset { - container_ports := {"ports":[{"containerPort": 80}]} - input := input_obj(review_replicaset(pod_spec_init_containers(container_ports))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_hostport_on_statefulset { - container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]} - input := input_obj(review_statefulset(pod_spec_init_containers(container_ports))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_hostport_on_statefulset { - container_ports := {"ports":[{"containerPort": 80}]} - input := input_obj(review_statefulset(pod_spec_init_containers(container_ports))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_hostport_on_job { - container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]} - input := input_obj(review_job(pod_spec_init_containers(container_ports))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_hostport_on_job { - container_ports := {"ports":[{"containerPort": 80}]} - input := input_obj(review_job(pod_spec_init_containers(container_ports))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_hostport_on_cronjob { - container_ports := {"ports":[{"containerPort": 80, "hostPort": 80}]} - input := input_obj(review_cronjob(pod_spec_init_containers(container_ports))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_hostport_on_cronjob { - container_ports := {"ports":[{"containerPort": 80}]} - input := input_obj(review_cronjob(pod_spec_init_containers(container_ports))) - results := violation with input as input - count(results) == 0 -} - -review_pod(pod_spec) = out { - out = { - "object": { - "kind": "Pod", - "apiVersion": "v1", - "metadata": { - "name": "my-pod", - }, - "spec": pod_spec - } - } -} - -review_deployment(pod_spec) = out { - out = { - "object": { - "kind": "Deployment", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-deployment", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_daemonset(pod_spec) = out { - out = { - "object": { - "kind": "DaemonSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-daemonset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_replicaset(pod_spec) = out { - out = { - "object": { - "kind": "ReplicaSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-replicaset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_statefulset(pod_spec) = out { - out = { - "object": { - "kind": "StatefulSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-statefulset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_job(pod_spec) = out { - out = { - "object": { - "kind": "Job", - "apiVersion": "batch/v1", - "metadata": { - "name": "my-job", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_cronjob(pod_spec) = out { - out = { - "object": { - "kind": "CronJob", - "apiVersion": "batch/v1", - "metadata": { - "name": "my-cronjob", - }, - "spec": { - "jobTemplate": { - "spec" : { - "template": { - "spec": pod_spec - } - } - } - } - } - } -} - -pod_spec(container_ports) = out { - out = { - "containers": [ - { - "name": "container1", - "ports": container_ports.ports - } - ] - } -} - -pod_spec_init_containers(container_ports) = out { - out = { - "initContainers": [ - { - "name": "container1", - "ports": container_ports.ports - } - ] - } -} - -input_obj(review) = out { - out = { - "parameters": {}, - "review": review - } -} diff --git a/rego/pss_pod_capabilities/policy.rego b/rego/pss_pod_capabilities/policy.rego deleted file mode 100644 index 33c21c0..0000000 --- a/rego/pss_pod_capabilities/policy.rego +++ /dev/null @@ -1,111 +0,0 @@ -package pss_podcapabilities - - -violation[msg] { - failedContainers := getContainersWithDisallowedCaps - count(failedContainers) > 0 - - msg := format(sprintf("Container '%s' of %s '%s' should not set 'securityContext.capabilities.add'%s", [failedContainers[_], kind, name, caps_msg])) -} - -allowed_caps := {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"} - -getContainersWithDisallowedCaps[container] { - allContainers := containers[_] - set_caps := {cap | cap := allContainers.securityContext.capabilities.add[_]} - caps_not_allowed := set_caps - allowed_caps - count(caps_not_allowed) > 0 - container := allContainers.name -} - -caps_msg = "" { - count(allowed_caps) == 0 -} else = msg { - msg := sprintf(" or set it to the following allowed values: %s", [concat(", ", allowed_caps)]) -} - -################### LIBRARY ################### - -default is_gatekeeper = true - -object = input.review.object { - is_gatekeeper -} - -format(msg) = gatekeeper_format { - is_gatekeeper - gatekeeper_format = {"msg": msg} -} - -name = object.metadata.name - -kind = object.kind - -is_pod { - kind = "Pod" -} - -is_cronjob { - kind = "CronJob" -} - -default is_controller = false - -is_controller { - kind = "Deployment" -} - -is_controller { - kind = "StatefulSet" -} - -is_controller { - kind = "DaemonSet" -} - -is_controller { - kind = "ReplicaSet" -} - -is_controller { - kind = "ReplicationController" -} - -is_controller { - kind = "Job" -} - -pod_containers(pod) = all_containers { - keys = {"containers", "initContainers", "ephemeralContainers"} - all_containers = [c | keys[k]; c = pod.spec[k][_]] -} - -containers[container] { - pods[pod] - all_containers = pod_containers(pod) - container = all_containers[_] -} - -containers[container] { - all_containers = pod_containers(object) - container = all_containers[_] -} - -pods[pod] { - is_pod - pod = object -} - -pods[pod] { - is_controller - pod = object.spec.template -} - -pods[pod] { - is_cronjob - pod = object.spec.jobTemplate.spec.template -} - -has_field(obj, field) { - obj[field] -} diff --git a/rego/pss_pod_capabilities/policy_test.rego b/rego/pss_pod_capabilities/policy_test.rego deleted file mode 100644 index ca76c10..0000000 --- a/rego/pss_pod_capabilities/policy_test.rego +++ /dev/null @@ -1,585 +0,0 @@ -package pss_podcapabilities - -################Helpers############################## - -review_pod(pod_spec) = out { - out = { - "object": { - "kind": "Pod", - "apiVersion": "v1", - "metadata": { - "name": "my-pod", - }, - "spec": pod_spec - } - } -} - -review_deployment(pod_spec) = out { - out = { - "object": { - "kind": "Deployment", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-deployment", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_daemonset(pod_spec) = out { - out = { - "object": { - "kind": "DaemonSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-daemonset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_replicaset(pod_spec) = out { - out = { - "object": { - "kind": "ReplicaSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-replicaset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_statefulset(pod_spec) = out { - out = { - "object": { - "kind": "StatefulSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-statefulset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_job(pod_spec) = out { - out = { - "object": { - "kind": "Job", - "apiVersion": "batch/v1", - "metadata": { - "name": "my-job", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_cronjob(pod_spec) = out { - out = { - "object": { - "kind": "CronJob", - "apiVersion": "batch/v1", - "metadata": { - "name": "my-cronjob", - }, - "spec": { - "jobTemplate": { - "spec" : { - "template": { - "spec": pod_spec - } - } - } - } - } - } -} - -pod_spec(capabilities) = out { - out = { - "containers": [ - { - "name": "container1", - "securityContext": { - "capabilities": { - "add": capabilities - } - } - } - ] - } -} - -pod_init_container_spec(capabilities) = out { - out = { - "initContainers": [ - { - "name": "container1", - "securityContext": { - "capabilities": { - "add": capabilities - } - } - } - ] - } -} - -pod_ephemeral_container_spec(capabilities) = out { - out = { - "ephemeralContainers": [ - { - "name": "container1", - "securityContext": { - "capabilities": { - "add": capabilities - } - } - } - ] - } -} - -input_obj(review) = out { - out = { - "parameters": {}, - "review": review - } -} - -################Container Tests###################### - -test_not_allowed_cap_container_on_pod { - input := input_obj(review_pod(pod_spec(["SYS_TIME"]))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_pod { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_pod(pod_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_pod(pod_spec(null))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_cap_on_deployment { - cap_list := ["SYS_TIME"] - input := input_obj(review_deployment(pod_spec(cap_list))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_deployment { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_deployment(pod_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_deployment(pod_spec(null))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_cap_on_daemonset { - cap_list := ["SYS_TIME"] - input := input_obj(review_daemonset(pod_spec(["SYS_TIME"]))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_daemonset { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_daemonset(pod_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_daemonset(pod_spec(null))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_cap_on_replicaset { - input := input_obj(review_replicaset(pod_spec(["SYS_TIME"]))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_replicaset { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_replicaset(pod_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_replicaset(pod_spec(null))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_cap_on_statefulset { - input := input_obj(review_statefulset(pod_spec(["SYS_TIME"]))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_statefulset { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_statefulset(pod_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_statefulset(pod_spec(null))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_cap_on_job { - input := input_obj(review_job(pod_spec(["SYS_TIME"]))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_jobt { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_job(pod_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_job(pod_spec(null))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_cap_on_cronjob { - input := input_obj(review_cronjob(pod_spec(["SYS_TIME"]))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_cronjob { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_cronjob(pod_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_cronjob(pod_spec(null))) - results := violation with input as input - count(results) == 0 -} - -################Init Container Tests###################### - -test_not_allowed_cap_container_on_pod { - input := input_obj(review_pod(pod_init_container_spec(["SYS_TIME"]))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_pod { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_pod(pod_init_container_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_pod(pod_init_container_spec(null))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_cap_on_deployment { - cap_list := ["SYS_TIME"] - input := input_obj(review_deployment(pod_init_container_spec(cap_list))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_deployment { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_deployment(pod_init_container_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_deployment(pod_init_container_spec(null))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_cap_on_daemonset { - cap_list := ["SYS_TIME"] - input := input_obj(review_daemonset(pod_init_container_spec(["SYS_TIME"]))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_daemonset { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_daemonset(pod_init_container_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_daemonset(pod_init_container_spec(null))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_cap_on_replicaset { - input := input_obj(review_replicaset(pod_init_container_spec(["SYS_TIME"]))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_replicaset { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_replicaset(pod_init_container_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_replicaset(pod_init_container_spec(null))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_cap_on_statefulset { - input := input_obj(review_statefulset(pod_init_container_spec(["SYS_TIME"]))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_statefulset { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_statefulset(pod_init_container_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_statefulset(pod_init_container_spec(null))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_cap_on_job { - input := input_obj(review_job(pod_init_container_spec(["SYS_TIME"]))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_jobt { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_job(pod_init_container_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_job(pod_init_container_spec(null))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_cap_on_cronjob { - input := input_obj(review_cronjob(pod_init_container_spec(["SYS_TIME"]))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_cronjob { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_cronjob(pod_init_container_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_cronjob(pod_init_container_spec(null))) - results := violation with input as input - count(results) == 0 -} - -################Ephemeral Container Tests###################### - -test_not_allowed_cap_container_on_pod { - input := input_obj(review_pod(pod_ephemeral_container_spec(["SYS_TIME"]))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_pod { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_pod(pod_ephemeral_container_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_pod(pod_ephemeral_container_spec(null))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_cap_on_deployment { - cap_list := ["SYS_TIME"] - input := input_obj(review_deployment(pod_ephemeral_container_spec(cap_list))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_deployment { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_deployment(pod_ephemeral_container_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_deployment(pod_ephemeral_container_spec(null))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_cap_on_daemonset { - cap_list := ["SYS_TIME"] - input := input_obj(review_daemonset(pod_ephemeral_container_spec(["SYS_TIME"]))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_daemonset { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_daemonset(pod_ephemeral_container_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_daemonset(pod_ephemeral_container_spec(null))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_cap_on_replicaset { - input := input_obj(review_replicaset(pod_ephemeral_container_spec(["SYS_TIME"]))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_replicaset { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_replicaset(pod_ephemeral_container_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_replicaset(pod_ephemeral_container_spec(null))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_cap_on_statefulset { - input := input_obj(review_statefulset(pod_ephemeral_container_spec(["SYS_TIME"]))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_statefulset { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_statefulset(pod_ephemeral_container_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_statefulset(pod_ephemeral_container_spec(null))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_cap_on_job { - input := input_obj(review_job(pod_ephemeral_container_spec(["SYS_TIME"]))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_jobt { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_job(pod_ephemeral_container_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_job(pod_ephemeral_container_spec(null))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_cap_on_cronjob { - input := input_obj(review_cronjob(pod_ephemeral_container_spec(["SYS_TIME"]))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_cap_container_on_cronjob { - cap_list := ["AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"] - input := input_obj(review_cronjob(pod_ephemeral_container_spec(cap_list))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_cap_nill_container_on_pod { - input := input_obj(review_cronjob(pod_ephemeral_container_spec(null))) - results := violation with input as input - count(results) == 0 -} \ No newline at end of file diff --git a/rego/pss_privileged_pods/policy.rego b/rego/pss_privileged_pods/policy.rego deleted file mode 100644 index 8af891a..0000000 --- a/rego/pss_privileged_pods/policy.rego +++ /dev/null @@ -1,106 +0,0 @@ -package pss_privilegedpods - - -violation[msg] { - failedContainers := getPrivilegedContainers - count(failedContainers) > 0 - - msg := format(sprintf("Container '%s' of %s '%s' should set 'securityContext.privileged' to false", [failedContainers[_], kind, name])) -} - -getPrivilegedContainers[container] { - allContainers := containers[_] - allContainers.securityContext.privileged == true - container := allContainers.name -} - - - - - -################### LIBRARY ################### - - -default is_gatekeeper = true - -object = input.review.object { - is_gatekeeper -} - -format(msg) = gatekeeper_format { - is_gatekeeper - gatekeeper_format = {"msg": msg} -} - -name = object.metadata.name - -kind = object.kind - -is_pod { - kind = "Pod" -} - -is_cronjob { - kind = "CronJob" -} - -default is_controller = false - -is_controller { - kind = "Deployment" -} - -is_controller { - kind = "StatefulSet" -} - -is_controller { - kind = "DaemonSet" -} - -is_controller { - kind = "ReplicaSet" -} - -is_controller { - kind = "ReplicationController" -} - -is_controller { - kind = "Job" -} - -pod_containers(pod) = all_containers { - keys = {"containers", "initContainers"} - all_containers = [c | keys[k]; c = pod.spec[k][_]] -} - -containers[container] { - pods[pod] - all_containers = pod_containers(pod) - container = all_containers[_] -} - -containers[container] { - all_containers = pod_containers(object) - container = all_containers[_] -} - -pods[pod] { - is_pod - pod = object -} - -pods[pod] { - is_controller - pod = object.spec.template -} - -pods[pod] { - is_cronjob - pod = object.spec.jobTemplate.spec.template -} - -has_field(obj, field) { - obj[field] -} diff --git a/rego/pss_privileged_pods/policy_test.rego b/rego/pss_privileged_pods/policy_test.rego deleted file mode 100644 index 29894cd..0000000 --- a/rego/pss_privileged_pods/policy_test.rego +++ /dev/null @@ -1,224 +0,0 @@ -package pss_privilegedpods - -test_privileged_container_on_pod { - input := input_obj(review_pod(pod_spec(true))) - results := violation with input as input - count(results) == 1 -} - -test_unprivileged_container_on_pod { - input := input_obj(review_pod(pod_spec(false))) - results := violation with input as input - count(results) == 0 -} - -test_privileged_container_on_deployment { - input := input_obj(review_deployment(pod_spec(true))) - results := violation with input as input - count(results) == 1 -} - -test_unprivileged_container_on_deployment { - input := input_obj(review_deployment(pod_spec(false))) - results := violation with input as input - count(results) == 0 -} - -test_privileged_container_on_daemonset { - input := input_obj(review_daemonset(pod_spec(true))) - results := violation with input as input - count(results) == 1 -} - -test_unprivileged_container_on_daemonset { - input := input_obj(review_daemonset(pod_spec(false))) - results := violation with input as input - count(results) == 0 -} - -test_privileged_container_on_replicaset { - input := input_obj(review_replicaset(pod_spec(true))) - results := violation with input as input - count(results) == 1 -} - -test_unprivileged_container_on_replicaset { - input := input_obj(review_replicaset(pod_spec(false))) - results := violation with input as input - count(results) == 0 -} - -test_privileged_container_on_statefulset { - input := input_obj(review_statefulset(pod_spec(true))) - results := violation with input as input - count(results) == 1 -} - -test_unprivileged_container_on_statefulset { - input := input_obj(review_statefulset(pod_spec(false))) - results := violation with input as input - count(results) == 0 -} - -test_privileged_container_on_job { - input := input_obj(review_job(pod_spec(true))) - results := violation with input as input - count(results) == 1 -} - -test_unprivileged_container_on_jobt { - input := input_obj(review_job(pod_spec(false))) - results := violation with input as input - count(results) == 0 -} - -test_privileged_container_on_cronjob { - input := input_obj(review_cronjob(pod_spec(true))) - results := violation with input as input - count(results) == 1 -} - -test_unprivileged_container_on_cronjob { - input := input_obj(review_cronjob(pod_spec(false))) - results := violation with input as input - count(results) == 0 -} - -review_pod(pod_spec) = out { - out = { - "object": { - "kind": "Pod", - "apiVersion": "v1", - "metadata": { - "name": "my-pod", - }, - "spec": pod_spec - } - } -} - -review_deployment(pod_spec) = out { - out = { - "object": { - "kind": "Deployment", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-deployment", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_daemonset(pod_spec) = out { - out = { - "object": { - "kind": "DaemonSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-daemonset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_replicaset(pod_spec) = out { - out = { - "object": { - "kind": "ReplicaSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-replicaset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_statefulset(pod_spec) = out { - out = { - "object": { - "kind": "StatefulSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-statefulset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_job(pod_spec) = out { - out = { - "object": { - "kind": "Job", - "apiVersion": "batch/v1", - "metadata": { - "name": "my-job", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_cronjob(pod_spec) = out { - out = { - "object": { - "kind": "CronJob", - "apiVersion": "batch/v1", - "metadata": { - "name": "my-cronjob", - }, - "spec": { - "jobTemplate": { - "spec" : { - "template": { - "spec": pod_spec - } - } - } - } - } - } -} - -pod_spec(allow_privileged) = out { - out = { - "containers": [ - { - "name": "container1", - "securityContext": { - "privileged": allow_privileged - } - } - ] - } -} - -input_obj(review) = out { - out = { - "parameters": {}, - "review": review - } -} diff --git a/rego/pss_procmounts/policy.rego b/rego/pss_procmounts/policy.rego deleted file mode 100644 index d1c9ab0..0000000 --- a/rego/pss_procmounts/policy.rego +++ /dev/null @@ -1,108 +0,0 @@ -package pss_procmounts - - -violation[msg] { - failProcMountOpts - - msg := format(sprintf("%s '%s' should not set 'spec.containers[*].securityContext.procMount' or 'spec.initContainers[*].securityContext.procMount'", [kind, name])) -} - -failProcMountOpts { - allContainers := containers[_] - has_key(allContainers.securityContext, "procMount") -} - - - - - -################### LIBRARY ################### - - -default is_gatekeeper = true - -object = input.review.object { - is_gatekeeper -} - -format(msg) = gatekeeper_format { - is_gatekeeper - gatekeeper_format = {"msg": msg} -} - -name = object.metadata.name - -kind = object.kind - -is_pod { - kind = "Pod" -} - -is_cronjob { - kind = "CronJob" -} - -default is_controller = false - -is_controller { - kind = "Deployment" -} - -is_controller { - kind = "StatefulSet" -} - -is_controller { - kind = "DaemonSet" -} - -is_controller { - kind = "ReplicaSet" -} - -is_controller { - kind = "ReplicationController" -} - -is_controller { - kind = "Job" -} - -pod_containers(pod) = all_containers { - keys = {"containers", "initContainers", "ephemeralContainers"} - all_containers = [c | keys[k]; c = pod.spec[k][_]] -} - -containers[container] { - pods[pod] - all_containers = pod_containers(pod) - container = all_containers[_] -} - -containers[container] { - all_containers = pod_containers(object) - container = all_containers[_] -} - -pods[pod] { - is_pod - pod = object -} - -pods[pod] { - is_controller - pod = object.spec.template -} - -pods[pod] { - is_cronjob - pod = object.spec.jobTemplate.spec.template -} - -has_field(obj, field) { - obj[field] -} - -has_key(x, k) { - _ = x[k] -} diff --git a/rego/pss_procmounts/policy_test.rego b/rego/pss_procmounts/policy_test.rego deleted file mode 100644 index 8b99b6d..0000000 --- a/rego/pss_procmounts/policy_test.rego +++ /dev/null @@ -1,454 +0,0 @@ -package pss_procmounts - -test_container_with_procmount_on_pod { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_pod(pod_spec(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_procmount_on_pod { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_pod(pod_spec(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -test_container_with_procmount_on_deployment { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_deployment(pod_spec(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_procmount_on_deployment { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_deployment(pod_spec(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -test_container_with_procmount_on_daemonset { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_daemonset(pod_spec(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_procmount_on_daemonset { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_daemonset(pod_spec(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -test_container_with_procmount_on_replicaset { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_replicaset(pod_spec(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_procmount_on_replicaset { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_replicaset(pod_spec(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -test_container_with_procmount_on_statefulset { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_statefulset(pod_spec(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_procmount_on_statefulset { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_statefulset(pod_spec(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -test_container_with_procmount_on_job { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_job(pod_spec(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_procmount_on_jobt { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_job(pod_spec(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -test_container_with_procmount_on_cronjob { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_cronjob(pod_spec(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_procmount_on_cronjob { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_cronjob(pod_spec(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_procmount_on_pod { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_pod(pod_spec_init_containers(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_procmount_on_pod { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_pod(pod_spec_init_containers(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_procmount_on_deployment { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_deployment(pod_spec_init_containers(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_procmount_on_deployment { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_deployment(pod_spec_init_containers(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_procmount_on_daemonset { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_daemonset(pod_spec_init_containers(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_procmount_on_daemonset { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_daemonset(pod_spec_init_containers(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_procmount_on_replicaset { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_replicaset(pod_spec_init_containers(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_procmount_on_replicaset { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_replicaset(pod_spec_init_containers(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_procmount_on_statefulset { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_statefulset(pod_spec_init_containers(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_procmount_on_statefulset { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_statefulset(pod_spec_init_containers(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_procmount_on_job { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_job(pod_spec_init_containers(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_procmount_on_jobt { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_job(pod_spec_init_containers(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_procmount_on_cronjob { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_cronjob(pod_spec_init_containers(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_procmount_on_cronjob { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_cronjob(pod_spec_init_containers(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_procmount_on_pod { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_pod(pod_spec_ephemeral_containers(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_no_procmount_on_pod { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_pod(pod_spec_ephemeral_containers(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_procmount_on_deployment { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_deployment(pod_spec_ephemeral_containers(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_no_procmount_on_deployment { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_deployment(pod_spec_ephemeral_containers(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_procmount_on_daemonset { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_daemonset(pod_spec_ephemeral_containers(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_no_procmount_on_daemonset { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_daemonset(pod_spec_ephemeral_containers(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_procmount_on_replicaset { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_replicaset(pod_spec_ephemeral_containers(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_no_procmount_on_replicaset { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_replicaset(pod_spec_ephemeral_containers(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_procmount_on_statefulset { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_statefulset(pod_spec_ephemeral_containers(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_no_procmount_on_statefulset { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_statefulset(pod_spec_ephemeral_containers(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_procmount_on_job { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_job(pod_spec_ephemeral_containers(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_no_procmount_on_jobt { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_job(pod_spec_ephemeral_containers(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_procmount_on_cronjob { - container_securitycontext := {"securityContext":{"procMount": "Unmasked"}} - input := input_obj(review_cronjob(pod_spec_ephemeral_containers(container_securitycontext))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_no_procmount_on_cronjob { - container_securitycontext := {"securityContext":{}} - input := input_obj(review_cronjob(pod_spec_ephemeral_containers(container_securitycontext))) - results := violation with input as input - count(results) == 0 -} - -review_pod(pod_spec) = out { - out = { - "object": { - "kind": "Pod", - "apiVersion": "v1", - "metadata": { - "name": "my-pod", - }, - "spec": pod_spec - } - } -} - -review_deployment(pod_spec) = out { - out = { - "object": { - "kind": "Deployment", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-deployment", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_daemonset(pod_spec) = out { - out = { - "object": { - "kind": "DaemonSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-daemonset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_replicaset(pod_spec) = out { - out = { - "object": { - "kind": "ReplicaSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-replicaset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_statefulset(pod_spec) = out { - out = { - "object": { - "kind": "StatefulSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-statefulset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_job(pod_spec) = out { - out = { - "object": { - "kind": "Job", - "apiVersion": "batch/v1", - "metadata": { - "name": "my-job", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_cronjob(pod_spec) = out { - out = { - "object": { - "kind": "CronJob", - "apiVersion": "batch/v1", - "metadata": { - "name": "my-cronjob", - }, - "spec": { - "jobTemplate": { - "spec" : { - "template": { - "spec": pod_spec - } - } - } - } - } - } -} - -pod_spec(container_securitycontext) = out { - out = { - "containers": [ - { - "name": "container1", - "securityContext": container_securitycontext.securityContext - } - ] - } -} - -pod_spec_init_containers(container_securitycontext) = out { - out = { - "initContainers": [ - { - "name": "container1", - "securityContext": container_securitycontext.securityContext - } - ] - } -} - -pod_spec_ephemeral_containers(container_securitycontext) = out { - out = { - "ephemeralContainers": [ - { - "name": "container1", - "securityContext": container_securitycontext.securityContext - } - ] - } -} - -input_obj(review) = out { - out = { - "parameters": {}, - "review": review - } -} diff --git a/rego/pss_seccomp/policy.rego b/rego/pss_seccomp/policy.rego deleted file mode 100644 index f66a0a6..0000000 --- a/rego/pss_seccomp/policy.rego +++ /dev/null @@ -1,121 +0,0 @@ -package pss_seccomp - -violation[msg] { - failSeccompProfileType - - msg := format(sprintf("%s '%s' should set 'spec.securityContext.seccompProfile.type' to 'RuntimeDefault'", [kind, name])) -} - -violation[msg] { - count(getContainersWithDisallowedSeccompProfileType) > 0 - - msg := format(sprintf("Container '%s' of %s '%s' should set 'spec.containers[*].securityContext.seccompProfile.type' to 'RuntimeDefault'", [getContainersWithDisallowedSeccompProfileType[_], kind, name])) -} - -failSeccompProfileType { - pod := pods[_] - type := pod.spec.securityContext.seccompProfile.type - not type == "RuntimeDefault" -} - -getContainersWithDisallowedSeccompProfileType[name] { - container := containers[_] - type := container.securityContext.seccompProfile.type - not type == "RuntimeDefault" - name := container.name -} - - - - - -################### LIBRARY ################### - - -default is_gatekeeper = true - -object = input.review.object { - is_gatekeeper -} - -format(msg) = gatekeeper_format { - is_gatekeeper - gatekeeper_format = {"msg": msg} -} - -name = object.metadata.name - -kind = object.kind - -is_pod { - kind = "Pod" -} - -is_cronjob { - kind = "CronJob" -} - -default is_controller = false - -is_controller { - kind = "Deployment" -} - -is_controller { - kind = "StatefulSet" -} - -is_controller { - kind = "DaemonSet" -} - -is_controller { - kind = "ReplicaSet" -} - -is_controller { - kind = "ReplicationController" -} - -is_controller { - kind = "Job" -} - -pod_containers(pod) = all_containers { - keys = {"containers", "initContainers", "ephemeralContainers"} - all_containers = [c | keys[k]; c = pod.spec[k][_]] -} - -containers[container] { - pods[pod] - all_containers = pod_containers(pod) - container = all_containers[_] -} - -containers[container] { - all_containers = pod_containers(object) - container = all_containers[_] -} - -pods[pod] { - is_pod - pod = object -} - -pods[pod] { - is_controller - pod = object.spec.template -} - -pods[pod] { - is_cronjob - pod = object.spec.jobTemplate.spec.template -} - -has_field(obj, field) { - obj[field] -} - -has_key(x, k) { - _ = x[k] -} diff --git a/rego/pss_seccomp/policy_test.rego b/rego/pss_seccomp/policy_test.rego deleted file mode 100644 index 80cb5d0..0000000 --- a/rego/pss_seccomp/policy_test.rego +++ /dev/null @@ -1,671 +0,0 @@ -package pss_seccomp - -test_unconfined_seccomp_on_pod { - pod_seccomp := {"type": "Unconfined"} - input := input_obj(review_pod(pod_spec_seccomp(pod_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_no_unconfined_seccomp_on_pod { - pod_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_pod(pod_spec_seccomp(pod_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_no_securitycontext_on_pod { - input := input_obj(review_pod(pod_spec_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_container_with_unconfined_seccomp_on_pod { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_pod(pod_spec(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_unconfined_seccomp_on_pod { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_pod(pod_spec(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_container_with_no_securitycontext_on_pod { - input := input_obj(review_pod(pod_spec_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_container_with_unconfined_seccomp_on_deployment { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_deployment(pod_spec(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_unconfined_seccomp_on_deployment { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_deployment(pod_spec(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_container_with_no_securitycontext_on_deployment { - input := input_obj(review_deployment(pod_spec_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_container_with_unconfined_seccomp_on_daemonset { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_daemonset(pod_spec(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_unconfined_seccomp_on_daemonset { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_daemonset(pod_spec(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_container_with_no_securitycontext_on_daemonset { - input := input_obj(review_daemonset(pod_spec_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_container_with_unconfined_seccomp_on_replicaset { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_replicaset(pod_spec(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_unconfined_seccomp_on_replicaset { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_replicaset(pod_spec(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_container_with_no_securitycontext_on_replicaset { - input := input_obj(review_replicaset(pod_spec_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_container_with_unconfined_seccomp_on_statefulset { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_statefulset(pod_spec(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_unconfined_seccomp_on_statefulset { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_statefulset(pod_spec(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_container_with_no_securitycontext_on_statefulset { - input := input_obj(review_statefulset(pod_spec_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_container_with_unconfined_seccomp_on_job { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_job(pod_spec(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_unconfined_seccomp_on_job { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_job(pod_spec(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_container_with_no_securitycontext_on_job { - input := input_obj(review_job(pod_spec_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_container_with_unconfined_seccomp_on_cronjob { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_cronjob(pod_spec(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_no_unconfined_seccomp_on_cronjob { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_cronjob(pod_spec(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_container_with_no_securitycontext_on_cronjob { - input := input_obj(review_cronjob(pod_spec_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_unconfined_seccomp_on_pod { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_pod(pod_spec_init_containers(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_unconfined_seccomp_on_pod { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_pod(pod_spec_init_containers(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_no_securitycontext_on_pod { - input := input_obj(review_pod(pod_spec_init_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_unconfined_seccomp_on_deployment { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_deployment(pod_spec_init_containers(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_unconfined_seccomp_on_deployment { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_deployment(pod_spec_init_containers(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_no_securitycontext_on_deployment { - input := input_obj(review_deployment(pod_spec_init_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_unconfined_seccomp_on_daemonset { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_daemonset(pod_spec_init_containers(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_unconfined_seccomp_on_daemonset { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_daemonset(pod_spec_init_containers(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_no_securitycontext_on_daemonset { - input := input_obj(review_daemonset(pod_spec_init_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_unconfined_seccomp_on_replicaset { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_replicaset(pod_spec_init_containers(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_unconfined_seccomp_on_replicaset { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_replicaset(pod_spec_init_containers(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_no_securitycontext_on_replicaset { - input := input_obj(review_replicaset(pod_spec_init_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_unconfined_seccomp_on_statefulset { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_statefulset(pod_spec_init_containers(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_unconfined_seccomp_on_statefulset { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_statefulset(pod_spec_init_containers(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_no_securitycontext_on_statefulset { - input := input_obj(review_statefulset(pod_spec_init_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_unconfined_seccomp_on_job { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_job(pod_spec_init_containers(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_unconfined_seccomp_on_job { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_job(pod_spec_init_containers(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_no_securitycontext_on_job { - input := input_obj(review_job(pod_spec_init_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_unconfined_seccomp_on_cronjob { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_cronjob(pod_spec_init_containers(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_no_unconfined_seccomp_on_cronjob { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_cronjob(pod_spec_init_containers(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_no_securitycontext_on_cronjob { - input := input_obj(review_cronjob(pod_spec_init_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_unconfined_seccomp_on_pod { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_pod(pod_spec_ephemeral_containers(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_no_unconfined_seccomp_on_pod { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_pod(pod_spec_ephemeral_containers(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_no_securitycontext_on_pod { - input := input_obj(review_pod(pod_spec_ephemeral_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_unconfined_seccomp_on_deployment { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_deployment(pod_spec_ephemeral_containers(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_no_unconfined_seccomp_on_deployment { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_deployment(pod_spec_ephemeral_containers(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_no_securitycontext_on_deployment { - input := input_obj(review_deployment(pod_spec_ephemeral_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_unconfined_seccomp_on_daemonset { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_daemonset(pod_spec_ephemeral_containers(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_no_unconfined_seccomp_on_daemonset { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_daemonset(pod_spec_ephemeral_containers(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_no_securitycontext_on_daemonset { - input := input_obj(review_daemonset(pod_spec_ephemeral_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_unconfined_seccomp_on_replicaset { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_replicaset(pod_spec_ephemeral_containers(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_no_unconfined_seccomp_on_replicaset { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_replicaset(pod_spec_ephemeral_containers(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_no_securitycontext_on_replicaset { - input := input_obj(review_replicaset(pod_spec_ephemeral_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_unconfined_seccomp_on_statefulset { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_statefulset(pod_spec_ephemeral_containers(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_no_unconfined_seccomp_on_statefulset { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_statefulset(pod_spec_ephemeral_containers(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_no_securitycontext_on_statefulset { - input := input_obj(review_statefulset(pod_spec_ephemeral_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_unconfined_seccomp_on_job { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_job(pod_spec_ephemeral_containers(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_no_unconfined_seccomp_on_job { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_job(pod_spec_ephemeral_containers(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_no_securitycontext_on_job { - input := input_obj(review_job(pod_spec_ephemeral_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_unconfined_seccomp_on_cronjob { - container_seccomp := {"type": "Unconfined"} - input := input_obj(review_cronjob(pod_spec_ephemeral_containers(container_seccomp))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_no_unconfined_seccomp_on_cronjob { - container_seccomp := {"type": "RuntimeDefault"} - input := input_obj(review_cronjob(pod_spec_ephemeral_containers(container_seccomp))) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_no_securitycontext_on_cronjob { - input := input_obj(review_cronjob(pod_spec_ephemeral_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -review_pod(pod_spec) = out { - out = { - "object": { - "kind": "Pod", - "apiVersion": "v1", - "metadata": { - "name": "my-pod", - }, - "spec": pod_spec - } - } -} - -review_deployment(pod_spec) = out { - out = { - "object": { - "kind": "Deployment", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-deployment", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_daemonset(pod_spec) = out { - out = { - "object": { - "kind": "DaemonSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-daemonset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_replicaset(pod_spec) = out { - out = { - "object": { - "kind": "ReplicaSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-replicaset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_statefulset(pod_spec) = out { - out = { - "object": { - "kind": "StatefulSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-statefulset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_job(pod_spec) = out { - out = { - "object": { - "kind": "Job", - "apiVersion": "batch/v1", - "metadata": { - "name": "my-job", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_cronjob(pod_spec) = out { - out = { - "object": { - "kind": "CronJob", - "apiVersion": "batch/v1", - "metadata": { - "name": "my-cronjob", - }, - "spec": { - "jobTemplate": { - "spec" : { - "template": { - "spec": pod_spec - } - } - } - } - } - } -} - -pod_spec(container_seccomp) = out { - out = { - "containers": [ - { - "name": "container1", - "securityContext": { - "seccompProfile": { - "type": container_seccomp.type - } - } - } - ] - } -} - -pod_spec_seccomp(pod_seccomp) = out { - out = { - "securityContext": { - "seccompProfile": { - "type": pod_seccomp.type - } - }, - "containers": [ - { - "name": "container1" - } - ] - } -} - -pod_spec_no_securitycontext() = out { - out = { - "securityContext": {}, - "containers": [ - { - "name": "container1" - } - ] - } -} - -pod_spec_containers_no_securitycontext() = out { - out = { - "containers": [ - { - "name": "container1", - "securityContext": {} - } - ] - } -} - -pod_spec_init_containers(container_seccomp) = out { - out = { - "initContainers": [ - { - "name": "container1", - "securityContext": { - "seccompProfile": { - "type": container_seccomp.type - } - } - } - ] - } -} - -pod_spec_init_containers_no_securitycontext() = out { - out = { - "initContainers": [ - { - "name": "container1", - "securityContext": {} - } - ] - } -} - -pod_spec_ephemeral_containers(container_seccomp) = out { - out = { - "ephemeralContainers": [ - { - "name": "container1", - "securityContext": { - "seccompProfile": { - "type": container_seccomp.type - } - } - } - ] - } -} - -pod_spec_ephemeral_containers_no_securitycontext() = out { - out = { - "ephemeralContainers": [ - { - "name": "container1", - "securityContext": {} - } - ] - } -} - -input_obj(review) = out { - out = { - "parameters": {}, - "review": review - } -} diff --git a/rego/pss_selinux/policy.rego b/rego/pss_selinux/policy.rego deleted file mode 100644 index 4e7bc76..0000000 --- a/rego/pss_selinux/policy.rego +++ /dev/null @@ -1,142 +0,0 @@ -package pss_selinux - -violation[msg] { - type := failSELinuxType[_] - - msg := format(sprintf("%s '%s' uses invalid seLinux type '%s'", [kind, name, type])) -} - -violation[msg] { - keys := failForbiddenSELinuxProperties - - count(keys) > 0 - - msg := format(sprintf("%s '%s' uses restricted properties in seLinuxOptions: (%s)", [kind, name, concat(", ", keys)])) -} - -failSELinuxType[type] { - context := getAllSecurityContexts[_] - context.seLinuxOptions != null - context.seLinuxOptions.type != null - - type := context.seLinuxOptions.type -} - -failForbiddenSELinuxProperties[key] { - context := getAllSecurityContexts[_] - context.seLinuxOptions != null - forbiddenProps := getForbiddenSELinuxProperties(context) - key := forbiddenProps[_] -} - -getAllSecurityContexts[context] { - context := containers[_].securityContext -} - -getAllSecurityContexts[context] { - context := pods[_].spec.securityContext -} - -getForbiddenSELinuxProperties(context) = keys { - forbiddenProperties = ["role", "user"] - keys := {msg | - key := forbiddenProperties[_] - has_key(context.seLinuxOptions, key) - msg := sprintf("'%s'", [key]) - } -} - - - - - -################### LIBRARY ################### - - -default is_gatekeeper = true - -object = input.review.object { - is_gatekeeper -} - -format(msg) = gatekeeper_format { - is_gatekeeper - gatekeeper_format = {"msg": msg} -} - -name = object.metadata.name - -kind = object.kind - -is_pod { - kind = "Pod" -} - -is_cronjob { - kind = "CronJob" -} - -default is_controller = false - -is_controller { - kind = "Deployment" -} - -is_controller { - kind = "StatefulSet" -} - -is_controller { - kind = "DaemonSet" -} - -is_controller { - kind = "ReplicaSet" -} - -is_controller { - kind = "ReplicationController" -} - -is_controller { - kind = "Job" -} - -pod_containers(pod) = all_containers { - keys = {"containers", "initContainers", "ephemeralContainers"} - all_containers = [c | keys[k]; c = pod.spec[k][_]] -} - -containers[container] { - pods[pod] - all_containers = pod_containers(pod) - container = all_containers[_] -} - -containers[container] { - all_containers = pod_containers(object) - container = all_containers[_] -} - -pods[pod] { - is_pod - pod = object -} - -pods[pod] { - is_controller - pod = object.spec.template -} - -pods[pod] { - is_cronjob - pod = object.spec.jobTemplate.spec.template -} - -has_field(obj, field) { - obj[field] -} - -has_key(x, k) { - _ = x[k] -} diff --git a/rego/pss_selinux/policy_test.rego b/rego/pss_selinux/policy_test.rego deleted file mode 100644 index a73b8ae..0000000 --- a/rego/pss_selinux/policy_test.rego +++ /dev/null @@ -1,663 +0,0 @@ -package pss_selinux - -test_selinux_options_on_pod { - pod_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_pod(pod_spec_selinux(pod_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_multiple_selinux_options_on_pod { - pod_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_pod(pod_spec_selinux(pod_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_no_securitycontext_on_pod { - input := input_obj(review_pod(pod_spec_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_container_with_selinux_options_on_pod { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_pod(pod_spec(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_multiple_selinux_options_on_pod { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_pod(pod_spec(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_container_with_no_securitycontext_on_pod { - input := input_obj(review_pod(pod_spec_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_container_with_selinux_options_on_deployment { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_deployment(pod_spec(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_multiple_selinux_options_on_deployment { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_deployment(pod_spec(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_container_with_no_securitycontext_on_deployment { - input := input_obj(review_deployment(pod_spec_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_container_with_selinux_options_on_daemonset { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_daemonset(pod_spec(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_multiple_selinux_options_on_daemonset { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_daemonset(pod_spec(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_container_with_no_securitycontext_on_daemonset { - input := input_obj(review_daemonset(pod_spec_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_container_with_selinux_options_on_replicaset { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_replicaset(pod_spec(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_multiple_selinux_options_on_replicaset { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_replicaset(pod_spec(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_container_with_no_securitycontext_on_replicaset { - input := input_obj(review_replicaset(pod_spec_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_container_with_selinux_options_on_statefulset { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_statefulset(pod_spec(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_multiple_selinux_options_on_statefulset { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_statefulset(pod_spec(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_container_with_no_securitycontext_on_statefulset { - input := input_obj(review_statefulset(pod_spec_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_container_with_selinux_options_on_job { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_job(pod_spec(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_multiple_selinux_options_on_job { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_job(pod_spec(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_container_with_no_securitycontext_on_job { - input := input_obj(review_job(pod_spec_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_container_with_selinux_options_on_cronjob { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_cronjob(pod_spec(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_container_with_multiple_selinux_options_on_cronjob { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_cronjob(pod_spec(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_container_with_no_securitycontext_on_cronjob { - input := input_obj(review_cronjob(pod_spec_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_selinux_options_on_pod { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_pod(pod_spec_init_containers(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_multiple_selinux_options_on_pod { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_pod(pod_spec_init_containers(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_init_container_with_no_securitycontext_on_pod { - input := input_obj(review_pod(pod_spec_init_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_selinux_options_on_deployment { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_deployment(pod_spec_init_containers(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_multiple_selinux_options_on_deployment { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_deployment(pod_spec_init_containers(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_init_container_with_no_securitycontext_on_deployment { - input := input_obj(review_deployment(pod_spec_init_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_selinux_options_on_daemonset { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_daemonset(pod_spec_init_containers(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_multiple_selinux_options_on_daemonset { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_daemonset(pod_spec_init_containers(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_init_container_with_no_securitycontext_on_daemonset { - input := input_obj(review_daemonset(pod_spec_init_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_selinux_options_on_replicaset { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_replicaset(pod_spec_init_containers(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_multiple_selinux_options_on_replicaset { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_replicaset(pod_spec_init_containers(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_init_container_with_no_securitycontext_on_replicaset { - input := input_obj(review_replicaset(pod_spec_init_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_selinux_options_on_statefulset { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_statefulset(pod_spec_init_containers(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_multiple_selinux_options_on_statefulset { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_statefulset(pod_spec_init_containers(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_init_container_with_no_securitycontext_on_statefulset { - input := input_obj(review_statefulset(pod_spec_init_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_selinux_options_on_job { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_job(pod_spec_init_containers(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_multiple_selinux_options_on_job { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_job(pod_spec_init_containers(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_init_container_with_no_securitycontext_on_job { - input := input_obj(review_job(pod_spec_init_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_init_container_with_selinux_options_on_cronjob { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_cronjob(pod_spec_init_containers(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_init_container_with_multiple_selinux_options_on_cronjob { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_cronjob(pod_spec_init_containers(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_init_container_with_no_securitycontext_on_cronjob { - input := input_obj(review_cronjob(pod_spec_init_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_selinux_options_on_pod { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_pod(pod_spec_ephemeral_containers(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_multiple_selinux_options_on_pod { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_pod(pod_spec_ephemeral_containers(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_ephemeral_container_with_no_securitycontext_on_pod { - input := input_obj(review_pod(pod_spec_ephemeral_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_selinux_options_on_deployment { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_deployment(pod_spec_ephemeral_containers(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_multiple_selinux_options_on_deployment { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_deployment(pod_spec_ephemeral_containers(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_ephemeral_container_with_no_securitycontext_on_deployment { - input := input_obj(review_deployment(pod_spec_ephemeral_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_selinux_options_on_daemonset { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_daemonset(pod_spec_ephemeral_containers(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_multiple_selinux_options_on_daemonset { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_daemonset(pod_spec_ephemeral_containers(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_ephemeral_container_with_no_securitycontext_on_daemonset { - input := input_obj(review_daemonset(pod_spec_ephemeral_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_selinux_options_on_replicaset { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_replicaset(pod_spec_ephemeral_containers(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_multiple_selinux_options_on_replicaset { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_replicaset(pod_spec_ephemeral_containers(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_ephemeral_container_with_no_securitycontext_on_replicaset { - input := input_obj(review_replicaset(pod_spec_ephemeral_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_selinux_options_on_statefulset { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_statefulset(pod_spec_ephemeral_containers(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_multiple_selinux_options_on_statefulset { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_statefulset(pod_spec_ephemeral_containers(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_ephemeral_container_with_no_securitycontext_on_statefulset { - input := input_obj(review_statefulset(pod_spec_ephemeral_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_selinux_options_on_job { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_job(pod_spec_ephemeral_containers(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_multiple_selinux_options_on_job { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_job(pod_spec_ephemeral_containers(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_ephemeral_container_with_no_securitycontext_on_job { - input := input_obj(review_job(pod_spec_ephemeral_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -test_ephemeral_container_with_selinux_options_on_cronjob { - container_selinux := {"seLinuxOptions":{"type": "custom"}} - input := input_obj(review_cronjob(pod_spec_ephemeral_containers(container_selinux))) - results := violation with input as input - count(results) == 1 -} - -test_ephemeral_container_with_multiple_selinux_options_on_cronjob { - container_selinux := {"seLinuxOptions":{"type": "custom", "role": "admin"}} - input := input_obj(review_cronjob(pod_spec_ephemeral_containers(container_selinux))) - results := violation with input as input - count(results) > 1 -} - -test_ephemeral_container_with_no_securitycontext_on_cronjob { - input := input_obj(review_cronjob(pod_spec_ephemeral_containers_no_securitycontext)) - results := violation with input as input - count(results) == 0 -} - -review_pod(pod_spec) = out { - out = { - "object": { - "kind": "Pod", - "apiVersion": "v1", - "metadata": { - "name": "my-pod", - }, - "spec": pod_spec - } - } -} - -review_deployment(pod_spec) = out { - out = { - "object": { - "kind": "Deployment", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-deployment", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_daemonset(pod_spec) = out { - out = { - "object": { - "kind": "DaemonSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-daemonset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_replicaset(pod_spec) = out { - out = { - "object": { - "kind": "ReplicaSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-replicaset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_statefulset(pod_spec) = out { - out = { - "object": { - "kind": "StatefulSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-statefulset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_job(pod_spec) = out { - out = { - "object": { - "kind": "Job", - "apiVersion": "batch/v1", - "metadata": { - "name": "my-job", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_cronjob(pod_spec) = out { - out = { - "object": { - "kind": "CronJob", - "apiVersion": "batch/v1", - "metadata": { - "name": "my-cronjob", - }, - "spec": { - "jobTemplate": { - "spec" : { - "template": { - "spec": pod_spec - } - } - } - } - } - } -} - -pod_spec(pod_selinux) = out { - out = { - "containers": [ - { - "name": "container1", - "securityContext": { - "seLinuxOptions": pod_selinux.seLinuxOptions - } - } - ] - } -} - -pod_spec_selinux(pod_selinux) = out { - out = { - "securityContext": { - "seLinuxOptions": pod_selinux.seLinuxOptions - }, - "containers": [ - { - "name": "container1" - } - ] - } -} - -pod_spec_no_securitycontext() = out { - out = { - "securityContext": {}, - "containers": [ - { - "name": "container1" - } - ] - } -} - -pod_spec_containers_no_securitycontext() = out { - out = { - "containers": [ - { - "name": "container1", - "securityContext": {} - } - ] - } -} - -pod_spec_init_containers(pod_selinux) = out { - out = { - "initContainers": [ - { - "name": "container1", - "securityContext": { - "seLinuxOptions": pod_selinux.seLinuxOptions - } - } - ] - } -} - -pod_spec_init_containers_no_securitycontext() = out { - out = { - "initContainers": [ - { - "name": "container1", - "securityContext": {} - } - ] - } -} - -pod_spec_ephemeral_containers(pod_selinux) = out { - out = { - "ephemeralContainers": [ - { - "name": "container1", - "securityContext": { - "seLinuxOptions": pod_selinux.seLinuxOptions - } - } - ] - } -} - -pod_spec_ephemeral_containers_no_securitycontext() = out { - out = { - "ephemeralContainers": [ - { - "name": "container1", - "securityContext": {} - } - ] - } -} - -input_obj(review) = out { - out = { - "parameters": {}, - "review": review - } -} diff --git a/rego/pss_sysctl_options/policy.rego b/rego/pss_sysctl_options/policy.rego deleted file mode 100644 index b199123..0000000 --- a/rego/pss_sysctl_options/policy.rego +++ /dev/null @@ -1,109 +0,0 @@ -package pss_sysctloptions - - -violation[msg] { - failSysctls - - msg := format(sprintf("%s '%s' should set 'securityContext.sysctl' to the allowed values", [kind, name])) -} - -allowed_sysctls := { - "kernel.shm_rmid_forced", - "net.ipv4.ip_local_port_range", - "net.ipv4.ip_unprivileged_port_start", - "net.ipv4.tcp_syncookies", - "net.ipv4.ping_group_range", -} - -failSysctls { - pod := pods[_] - set_sysctls := {sysctl | sysctl := pod.spec.securityContext.sysctls[_].name} - sysctls_not_allowed := set_sysctls - allowed_sysctls - count(sysctls_not_allowed) > 0 -} - -################### LIBRARY ################### - -default is_gatekeeper = true - -object = input.review.object { - is_gatekeeper -} - -format(msg) = gatekeeper_format { - is_gatekeeper - gatekeeper_format = {"msg": msg} -} - -name = object.metadata.name - -kind = object.kind - -is_pod { - kind = "Pod" -} - -is_cronjob { - kind = "CronJob" -} - -default is_controller = false - -is_controller { - kind = "Deployment" -} - -is_controller { - kind = "StatefulSet" -} - -is_controller { - kind = "DaemonSet" -} - -is_controller { - kind = "ReplicaSet" -} - -is_controller { - kind = "ReplicationController" -} - -is_controller { - kind = "Job" -} - -pod_containers(pod) = all_containers { - keys = {"containers", "initContainers", "ephemeralContainers"} - all_containers = [c | keys[k]; c = pod.spec[k][_]] -} - -containers[container] { - pods[pod] - all_containers = pod_containers(pod) - container = all_containers[_] -} - -containers[container] { - all_containers = pod_containers(object) - container = all_containers[_] -} - -pods[pod] { - is_pod - pod = object -} - -pods[pod] { - is_controller - pod = object.spec.template -} - -pods[pod] { - is_cronjob - pod = object.spec.jobTemplate.spec.template -} - -has_field(obj, field) { - obj[field] -} diff --git a/rego/pss_sysctl_options/policy_test.rego b/rego/pss_sysctl_options/policy_test.rego deleted file mode 100644 index 327d413..0000000 --- a/rego/pss_sysctl_options/policy_test.rego +++ /dev/null @@ -1,268 +0,0 @@ -package pss_sysctloptions - -################Helpers############################## - -review_pod(pod_spec) = out { - out = { - "object": { - "kind": "Pod", - "apiVersion": "v1", - "metadata": { - "name": "my-pod", - }, - "spec": pod_spec - } - } -} - -review_deployment(pod_spec) = out { - out = { - "object": { - "kind": "Deployment", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-deployment", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_daemonset(pod_spec) = out { - out = { - "object": { - "kind": "DaemonSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-daemonset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_replicaset(pod_spec) = out { - out = { - "object": { - "kind": "ReplicaSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-replicaset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_statefulset(pod_spec) = out { - out = { - "object": { - "kind": "StatefulSet", - "apiVersion": "apps/v1", - "metadata": { - "name": "my-statefulset", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_job(pod_spec) = out { - out = { - "object": { - "kind": "Job", - "apiVersion": "batch/v1", - "metadata": { - "name": "my-job", - }, - "spec": { - "template": { - "spec": pod_spec - } - } - } - } -} - -review_cronjob(pod_spec) = out { - out = { - "object": { - "kind": "CronJob", - "apiVersion": "batch/v1", - "metadata": { - "name": "my-cronjob", - }, - "spec": { - "jobTemplate": { - "spec" : { - "template": { - "spec": pod_spec - } - } - } - } - } - } -} - -pod_spec(securitycontext) = out { - out = { - "securityContext" : securitycontext, - "containers": [ - { - "name": "container1", - } - ] - } -} - -input_obj(review) = out { - out = { - "parameters": {}, - "review": review - } -} - -################Container Tests###################### - -test_not_allowed_sysctls_options_container_on_pod { - input := input_obj(review_pod(pod_spec({"sysctls": [{"name": "net.core.somaxconn","value": "1024",},{"name": "kernel.msgmax","value": "65536",},]}))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_sysctls_options_container_on_pod { - input := input_obj(review_pod(pod_spec({"sysctls": [{"name": "kernel.shm_rmid_forced","value": "0",},{"name": "net.ipv4.ip_local_port_range","value": "",},{"name": "net.ipv4.ip_unprivileged_port_start","value": "0",},{"name": "net.ipv4.tcp_syncookies","value": "1",},{"name": "net.ipv4.ping_group_range","value": "",}]}))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_sysctls_options_nill_container_on_pod { - input := input_obj(review_pod(pod_spec({"sysctls": null}))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_sysctls_options_container_on_deployment { - input := input_obj(review_deployment(pod_spec({"sysctls": [{"name": "net.core.somaxconn","value": "1024",},{"name": "kernel.msgmax","value": "65536",},]}))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_sysctls_options_container_on_deployment { - input := input_obj(review_pod(pod_spec({"sysctls": [{"name": "kernel.shm_rmid_forced","value": "0",},{"name": "net.ipv4.ip_local_port_range","value": "",},{"name": "net.ipv4.ip_unprivileged_port_start","value": "0",},{"name": "net.ipv4.tcp_syncookies","value": "1",},{"name": "net.ipv4.ping_group_range","value": "",}]}))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_sysctls_options_nill_container_on_deployment { - input := input_obj(review_deployment(pod_spec({"sysctls": null}))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_sysctls_options_container_on_daemonset { - input := input_obj(review_daemonset(pod_spec({"sysctls": [{"name": "net.core.somaxconn","value": "1024",},{"name": "kernel.msgmax","value": "65536",},]}))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_sysctls_options_container_on_daemonset { - input := input_obj(review_pod(pod_spec({"sysctls": [{"name": "kernel.shm_rmid_forced","value": "0",},{"name": "net.ipv4.ip_local_port_range","value": "",},{"name": "net.ipv4.ip_unprivileged_port_start","value": "0",},{"name": "net.ipv4.tcp_syncookies","value": "1",},{"name": "net.ipv4.ping_group_range","value": "",}]}))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_sysctls_options_nill_container_on_daemonset { - input := input_obj(review_daemonset(pod_spec({"sysctls": null}))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_sysctls_options_container_on_replicaset { - input := input_obj(review_replicaset(pod_spec({"sysctls": [{"name": "net.core.somaxconn","value": "1024",},{"name": "kernel.msgmax","value": "65536",},]}))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_sysctls_options_container_on_replicaset { - input := input_obj(review_pod(pod_spec({"sysctls": [{"name": "kernel.shm_rmid_forced","value": "0",},{"name": "net.ipv4.ip_local_port_range","value": "",},{"name": "net.ipv4.ip_unprivileged_port_start","value": "0",},{"name": "net.ipv4.tcp_syncookies","value": "1",},{"name": "net.ipv4.ping_group_range","value": "",}]}))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_sysctls_options_nill_container_on_replicaset { - input := input_obj(review_replicaset(pod_spec({"sysctls": null}))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_sysctls_options_container_on_statefulset { - input := input_obj(review_statefulset(pod_spec({"sysctls": [{"name": "net.core.somaxconn","value": "1024",},{"name": "kernel.msgmax","value": "65536",},]}))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_sysctls_options_container_on_statefulset { - input := input_obj(review_pod(pod_spec({"sysctls": [{"name": "kernel.shm_rmid_forced","value": "0",},{"name": "net.ipv4.ip_local_port_range","value": "",},{"name": "net.ipv4.ip_unprivileged_port_start","value": "0",},{"name": "net.ipv4.tcp_syncookies","value": "1",},{"name": "net.ipv4.ping_group_range","value": "",}]}))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_sysctls_options_nill_container_on_statefulset { - input := input_obj(review_statefulset(pod_spec({"sysctls": null}))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_sysctls_options_container_on_job { - input := input_obj(review_job(pod_spec({"sysctls": [{"name": "net.core.somaxconn","value": "1024",},{"name": "kernel.msgmax","value": "65536",},]}))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_sysctls_options_container_on_job { - input := input_obj(review_pod(pod_spec({"sysctls": [{"name": "kernel.shm_rmid_forced","value": "0",},{"name": "net.ipv4.ip_local_port_range","value": "",},{"name": "net.ipv4.ip_unprivileged_port_start","value": "0",},{"name": "net.ipv4.tcp_syncookies","value": "1",},{"name": "net.ipv4.ping_group_range","value": "",}]}))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_sysctls_options_nill_container_on_job { - input := input_obj(review_job(pod_spec({"sysctls": null}))) - results := violation with input as input - count(results) == 0 -} - -test_not_allowed_sysctls_options_container_on_cronjob { - input := input_obj(review_cronjob(pod_spec({"sysctls": [{"name": "net.core.somaxconn","value": "1024",},{"name": "kernel.msgmax","value": "65536",},]}))) - results := violation with input as input - count(results) == 1 -} - -test_allowed_sysctls_options_container_on_cronjob { - input := input_obj(review_pod(pod_spec({"sysctls": [{"name": "kernel.shm_rmid_forced","value": "0",},{"name": "net.ipv4.ip_local_port_range","value": "",},{"name": "net.ipv4.ip_unprivileged_port_start","value": "0",},{"name": "net.ipv4.tcp_syncookies","value": "1",},{"name": "net.ipv4.ping_group_range","value": "",}]}))) - results := violation with input as input - count(results) == 0 -} - -test_allowed_sysctls_options_nill_container_on_cronjob { - input := input_obj(review_cronjob(pod_spec({"sysctls": null}))) - results := violation with input as input - count(results) == 0 -} \ No newline at end of file diff --git a/templates/constraint_template_pss_apparmor.yaml b/templates/constraint_template_pss_apparmor.yaml deleted file mode 100644 index 7f3ad49..0000000 --- a/templates/constraint_template_pss_apparmor.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: templates.gatekeeper.sh/v1 -kind: ConstraintTemplate -metadata: - name: pssapparmor -spec: - crd: - spec: - names: - kind: PssAppArmor - targets: - - target: admission.k8s.gatekeeper.sh - rego: | -{{.Files.Get "rego/pss_apparmor/policy.rego" | indent 8 }} diff --git a/templates/constraint_template_pss_host_namespace.yaml b/templates/constraint_template_pss_host_namespace.yaml deleted file mode 100644 index 00d41a3..0000000 --- a/templates/constraint_template_pss_host_namespace.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: templates.gatekeeper.sh/v1 -kind: ConstraintTemplate -metadata: - name: psshostnamespace -spec: - crd: - spec: - names: - kind: PssHostNamespace - targets: - - target: admission.k8s.gatekeeper.sh - rego: | -{{.Files.Get "rego/pss_host_namespaces/policy.rego" | indent 8 }} diff --git a/templates/constraint_template_pss_hostpath_volume.yaml b/templates/constraint_template_pss_hostpath_volume.yaml deleted file mode 100644 index 0ff44e4..0000000 --- a/templates/constraint_template_pss_hostpath_volume.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: templates.gatekeeper.sh/v1 -kind: ConstraintTemplate -metadata: - name: psshostpathvolume -spec: - crd: - spec: - names: - kind: PssHostpathVolume - targets: - - target: admission.k8s.gatekeeper.sh - rego: | -{{.Files.Get "rego/pss_hostpath_volumes/policy.rego" | indent 8 }} diff --git a/templates/constraint_template_pss_hostport.yaml b/templates/constraint_template_pss_hostport.yaml deleted file mode 100644 index 226be26..0000000 --- a/templates/constraint_template_pss_hostport.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: templates.gatekeeper.sh/v1 -kind: ConstraintTemplate -metadata: - name: psshostport -spec: - crd: - spec: - names: - kind: PssHostPort - targets: - - target: admission.k8s.gatekeeper.sh - rego: | -{{.Files.Get "rego/pss_hostports/policy.rego" | indent 8 }} diff --git a/templates/constraint_template_pss_pod_capabilities.yaml b/templates/constraint_template_pss_pod_capabilities.yaml deleted file mode 100644 index 388eef5..0000000 --- a/templates/constraint_template_pss_pod_capabilities.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: templates.gatekeeper.sh/v1 -kind: ConstraintTemplate -metadata: - name: psspodcapabilities -spec: - crd: - spec: - names: - kind: PssPodCapabilities - targets: - - target: admission.k8s.gatekeeper.sh - rego: | -{{.Files.Get "rego/pss_pod_capabilities/policy.rego" | indent 8 }} diff --git a/templates/constraint_template_pss_privileged.yaml b/templates/constraint_template_pss_privileged.yaml deleted file mode 100644 index 6f9d08e..0000000 --- a/templates/constraint_template_pss_privileged.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: templates.gatekeeper.sh/v1 -kind: ConstraintTemplate -metadata: - name: pssprivilegedpod -spec: - crd: - spec: - names: - kind: PssPrivilegedPod - targets: - - target: admission.k8s.gatekeeper.sh - rego: | -{{.Files.Get "rego/pss_privileged_pods/policy.rego" | indent 8 }} diff --git a/templates/constraint_template_pss_procmount.yaml b/templates/constraint_template_pss_procmount.yaml deleted file mode 100644 index 4caafb3..0000000 --- a/templates/constraint_template_pss_procmount.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: templates.gatekeeper.sh/v1 -kind: ConstraintTemplate -metadata: - name: pssprocmount -spec: - crd: - spec: - names: - kind: PssProcMount - targets: - - target: admission.k8s.gatekeeper.sh - rego: | -{{.Files.Get "rego/pss_procmounts/policy.rego" | indent 8 }} diff --git a/templates/constraint_template_pss_seccomp.yaml b/templates/constraint_template_pss_seccomp.yaml deleted file mode 100644 index 35e5f3a..0000000 --- a/templates/constraint_template_pss_seccomp.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: templates.gatekeeper.sh/v1 -kind: ConstraintTemplate -metadata: - name: pssseccomp -spec: - crd: - spec: - names: - kind: PssSeccomp - targets: - - target: admission.k8s.gatekeeper.sh - rego: | -{{.Files.Get "rego/pss_seccomp/policy.rego" | indent 8 }} diff --git a/templates/constraint_template_pss_selinux.yaml b/templates/constraint_template_pss_selinux.yaml deleted file mode 100644 index 238bad8..0000000 --- a/templates/constraint_template_pss_selinux.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: templates.gatekeeper.sh/v1 -kind: ConstraintTemplate -metadata: - name: pssselinux -spec: - crd: - spec: - names: - kind: PssSELinux - targets: - - target: admission.k8s.gatekeeper.sh - rego: | -{{.Files.Get "rego/pss_selinux/policy.rego" | indent 8 }} diff --git a/templates/constraint_template_pss_sysctl_options.yaml b/templates/constraint_template_pss_sysctl_options.yaml deleted file mode 100644 index cc82ffe..0000000 --- a/templates/constraint_template_pss_sysctl_options.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: templates.gatekeeper.sh/v1 -kind: ConstraintTemplate -metadata: - name: psssysctlsoptions -spec: - crd: - spec: - names: - kind: PssSysctlsOptions - targets: - - target: admission.k8s.gatekeeper.sh - rego: | -{{.Files.Get "rego/pss_sysctl_options/policy.rego" | indent 8 }} -- GitLab