Comments (3)
`not allow_privileged(c)` will always evaluate to "true" b/c there is a bug in allow_privileged: `input.allowPrivileged` should be `input.parameters.allowPrivileged`

More generally, it looks like setting allowPrivileged would disable the constraint entirely, since it disables the check for everything.

Are you looking to have specific containers be allowed to run as privileged? If so, could you use the exemptImages parameter?
from gatekeeper-library.
@maxsmythe you are right, I have fixed it now
```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8spspprivilegedcontainer
  annotations:
    metadata.gatekeeper.sh/title: "Privileged Container"
    metadata.gatekeeper.sh/version: 1.1.0
    description: >-
      Controls the ability of any container to enable privileged mode.
      Corresponds to the `privileged` field in a PodSecurityPolicy. For more
      information, see
      https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
spec:
  crd:
    spec:
      names:
        kind: K8sPSPPrivilegedContainer
      validation:
        # Schema for the `parameters` field of the constraint
        openAPIV3Schema:
          type: object
          description: >-
            Controls the ability of any container to enable privileged mode.
            Corresponds to the `privileged` field in a PodSecurityPolicy. For more
            information, see
            https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
          properties:
            exemptImages:
              description: >-
                Any container that uses an image that matches an entry in this list will be excluded
                from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
                It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
                in order to avoid unexpectedly exempting images from an untrusted repository.
              type: array
              items:
                type: string
            allowPrivileged:
              description: "Allow containers to be privileged."
              type: boolean
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8spspprivileged

        import data.lib.exempt_container.is_exempt

        violation[{"msg": msg, "details": {}}] {
          c := input_containers[_]
          not is_exempt(c)
          not allow_privileged(c)
          msg := sprintf("Privileged container is not allowed: %v, securityContext: %v", [c.name, c.securityContext])
        }

        # Allowed when the parameter is unset and the container does not ask for privileged mode
        allow_privileged(c) {
          not input.parameters.allowPrivileged
          not c.securityContext.privileged
        }

        # Allowed for every container when the constraint sets allowPrivileged: true
        allow_privileged(c) {
          input.parameters.allowPrivileged
        }

        input_containers[c] {
          c := input.review.object.spec.containers[_]
        }

        input_containers[c] {
          c := input.review.object.spec.initContainers[_]
        }

        input_containers[c] {
          c := input.review.object.spec.ephemeralContainers[_]
        }
      libs:
        - |
          package lib.exempt_container

          is_exempt(container) {
            exempt_images := object.get(input, "parameters", {}).exemptImages
            img := container.image
            exemption := exempt_images[_]
            _matches_exemption(img, exemption)
          }

          # Exact match when the entry has no trailing wildcard
          _matches_exemption(img, exemption) {
            not endswith(exemption, "*")
            exemption == img
          }

          # Prefix match when the entry ends in `*`
          _matches_exemption(img, exemption) {
            endswith(exemption, "*")
            prefix := trim_suffix(exemption, "*")
            startswith(img, prefix)
          }
```
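The bug maxsmythe points out, and the behaviour of the corrected template, can be pinned down with an `opa test` file. The following is an added example, not code from the gatekeeper-library repository: it embeds a copy of the template's Rego (plus a `buggy_allow_privileged` variant that reads `input.allowPrivileged`, as the original did) and a constructed admission review, so it runs stand-alone. The package name, the `registry.example.com/app:1.0` image and the test names are assumptions. It uses the same Rego v0 syntax as the template; on OPA 1.x, run it with `opa test --v0-compatible .`.

```rego
# Added example: stand-alone tests for the privileged-container template.
package k8spspprivileged_example

# ---- policy under test (mirrors the template from the thread) ----

violation[{"msg": msg, "details": {}}] {
  c := input_containers[_]
  not is_exempt(c)
  not allow_privileged(c)
  msg := sprintf("Privileged container is not allowed: %v", [c.name])
}

# Fixed: the constraint parameter lives under input.parameters.
allow_privileged(c) {
  not input.parameters.allowPrivileged
  not c.securityContext.privileged
}

allow_privileged(c) {
  input.parameters.allowPrivileged
}

# Buggy variant from before the fix: Gatekeeper never populates
# input.allowPrivileged, so the second rule can never fire.
buggy_allow_privileged(c) {
  not input.allowPrivileged
  not c.securityContext.privileged
}

buggy_allow_privileged(c) {
  input.allowPrivileged
}

input_containers[c] { c := input.review.object.spec.containers[_] }
input_containers[c] { c := input.review.object.spec.initContainers[_] }

is_exempt(container) {
  exempt_images := object.get(input, "parameters", {}).exemptImages
  exemption := exempt_images[_]
  _matches_exemption(container.image, exemption)
}

_matches_exemption(img, exemption) {
  not endswith(exemption, "*")
  exemption == img
}

_matches_exemption(img, exemption) {
  endswith(exemption, "*")
  startswith(img, trim_suffix(exemption, "*"))
}

# ---- constructed admission review: one container requesting privileged mode ----
privileged_pod := {"review": {"object": {"spec": {"containers": [{
  "name": "app",
  "image": "registry.example.com/app:1.0",
  "securityContext": {"privileged": true},
}]}}}}

# ---- tests ----

# With no parameters set, the privileged container is denied.
test_denied_by_default {
  count(violation) == 1 with input as object.union(privileged_pod, {"parameters": {}})
}

# The bug: the parameter the user sets is never read, so it cannot allow anything.
test_buggy_ignores_parameter {
  inp := object.union(privileged_pod, {"parameters": {"allowPrivileged": true}})
  not buggy_allow_privileged(inp.review.object.spec.containers[0]) with input as inp
}

# The fix reads the parameter, and (maxsmythe's broader point) it then
# switches the check off for every container, not just a chosen one.
test_fixed_honours_parameter {
  inp := object.union(privileged_pod, {"parameters": {"allowPrivileged": true}})
  count(violation) == 0 with input as inp
}

# The narrower alternative suggested in the thread: exempt a specific image prefix.
test_exempt_image_prefix {
  inp := object.union(privileged_pod, {"parameters": {"exemptImages": ["registry.example.com/app*"]}})
  count(violation) == 0 with input as inp
}

# An image outside the exemption list is still denied.
test_non_exempt_image_still_denied {
  inp := object.union(privileged_pod, {"parameters": {"exemptImages": ["registry.example.com/other*"]}})
  count(violation) == 1 with input as inp
}
```

The last two tests are the reason to prefer `exemptImages` over `allowPrivileged: true`: the exemption is scoped to an image prefix (ideally a fully-qualified registry name, as the schema description advises), whereas the boolean parameter removes the check from every container the constraint matches.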
This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.