Merge pull request #73 from jouve/bump

bump images
jouve · Mar 9, 2025 · a9591d1 · a9591d1
2 parents 60d3cdd + b9da71d
commit a9591d1
Show file tree

Hide file tree

Showing 14 changed files with 293 additions and 145 deletions.
diff --git a/charts/gatekeeper-library/Chart.yaml b/charts/gatekeeper-library/Chart.yaml
@@ -3,8 +3,8 @@ name: gatekeeper-library
 description: A Helm chart for Kubernetes
 icon: https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/website/static/img/logo.svg
 type: application
-version: 0.2.5
-appVersion: 52cb14a2ef7a9d06908e1543524f283290b8b4f4
+version: 0.2.6
+appVersion: a569ff9f7d99db6a8c177bc6311a998f769ce2f8
 sources:
   - https://github.com/jouve/charts
   - https://github.com/open-policy-agent/gatekeeper-library

diff --git a/charts/gatekeeper-library/kustomization.yaml b/charts/gatekeeper-library/kustomization.yaml
@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- github.com/open-policy-agent/gatekeeper-library/library?ref=52cb14a2ef7a9d06908e1543524f283290b8b4f4
+- github.com/open-policy-agent/gatekeeper-library/library?ref=a569ff9f7d99db6a8c177bc6311a998f769ce2f8
diff --git a/charts/gatekeeper-library/templates.sh b/charts/gatekeeper-library/templates.sh
@@ -3,5 +3,7 @@
 set -eux -o pipefail
 rm -rf templates
 mkdir templates
+# shellcheck disable=SC2016
 kustomize build | yq --no-doc --split-exp '.metadata.name | sub(".*", "templates/${0}.yaml")'
+# shellcheck disable=SC2016
 yq -i '.appVersion = (load("kustomization.yaml").resources.0 | sub(".*ref=(.*)", "$1"))' Chart.yaml
diff --git a/charts/gatekeeper-library/templates/k8sallowedrepos.yaml b/charts/gatekeeper-library/templates/k8sallowedrepos.yaml
@@ -2,9 +2,9 @@ apiVersion: templates.gatekeeper.sh/v1
 kind: ConstraintTemplate
 metadata:
   annotations:
-    description: Requires container images to begin with a string from the specified list.
+    description: Requires container images to begin with a string from the specified list. To prevent bypasses, ensure a '/' is added when specifying DockerHub repositories or custom registries. If exact matches or glob-like syntax are preferred, use the k8sallowedreposv2 policy.
     metadata.gatekeeper.sh/title: Allowed Repositories
-    metadata.gatekeeper.sh/version: 1.0.1
+    metadata.gatekeeper.sh/version: 1.0.2
   name: k8sallowedrepos
 spec:
   crd:

diff --git a/charts/gatekeeper-library/templates/k8sallowedreposv2.yaml b/charts/gatekeeper-library/templates/k8sallowedreposv2.yaml
@@ -0,0 +1,57 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  annotations:
+    description: 'This policy enforces that container images must begin with a string from a specified list. The updated version, K8sAllowedReposv2, introduces support for exact match and glob-like syntax to enhance security: 1. Exact Match: By default, if the * character is not specified, the policy strictly checks for an exact match of the full registry, repository, and/or the image name. 2. Glob-like Syntax: Adding * at the end of a prefix allows prefix-based matching (e.g., registry.example.com/project/*). Only the * wildcard at the end of a string is supported. 3. Security Note: To avoid bypasses scenarios, ensure prefixes include a trailing / where appropriate (e.g., registry.example.com/project/*).'
+    metadata.gatekeeper.sh/title: Allowed Images
+    metadata.gatekeeper.sh/version: 1.0.0
+  name: k8sallowedreposv2
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sAllowedReposv2
+      validation:
+        openAPIV3Schema:
+          properties:
+            allowedImages:
+              description: A list of allowed container image prefixes. Supports exact matches and prefixes ending with '*'.
+              items:
+                type: string
+              type: array
+          type: object
+  targets:
+    - rego: |
+        package k8sallowedreposv2
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.containers[_]
+          not image_matches(container.image, input.parameters.allowedImages)
+          msg := sprintf("container <%v> has an invalid image <%v>, allowed images are %v", [container.name, container.image, input.parameters.allowedImages])
+        }
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.initContainers[_]
+          not image_matches(container.image, input.parameters.allowedImages)
+          msg := sprintf("initContainer <%v> has an invalid image <%v>, allowed images are %v", [container.name, container.image, input.parameters.allowedImages])
+        }
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.ephemeralContainers[_]
+          not image_matches(container.image, input.parameters.allowedImages)
+          msg := sprintf("ephemeralContainer <%v> has an invalid image <%v>, allowed images are %v", [container.name, container.image, input.parameters.allowedImages])
+        }
+
+        image_matches(image, images) {
+          i_image := images[_]  # Iterate through all images in the allowed list
+          not endswith(i_image, "*")  # Check for exact match if the image does not end with *
+          i_image == image
+        }
+
+        image_matches(image, images) {
+          i_image := images[_]  # Iterate through all images in the allowed list
+          endswith(i_image, "*")  # Check for prefix match if the image ends with *
+          prefix := trim_suffix(i_image, "*")
+          startswith(image, prefix)
+        }
+      target: admission.k8s.gatekeeper.sh
diff --git a/charts/gatekeeper-library/templates/k8scontainerlimits.yaml b/charts/gatekeeper-library/templates/k8scontainerlimits.yaml
@@ -6,7 +6,7 @@ metadata:
       Requires containers to have memory and CPU limits set and constrains limits to be within the specified maximum values.
       https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
     metadata.gatekeeper.sh/title: Container Limits
-    metadata.gatekeeper.sh/version: 1.0.1
+    metadata.gatekeeper.sh/version: 1.1.0
   name: k8scontainerlimits
 spec:
   crd:
@@ -17,7 +17,7 @@ spec:
         openAPIV3Schema:
           properties:
             cpu:
-              description: The maximum allowed cpu limit on a Pod, exclusive.
+              description: The maximum allowed cpu limit on a Pod, exclusive. Set to -1 to disable.
               type: string
             exemptImages:
               description: |-
@@ -191,6 +191,7 @@ spec:
         # Ephemeral containers not checked as it is not possible to set field.
 
         general_violation[{"msg": msg, "field": field}] {
+          input.parameters.cpu != "-1"
           container := input.review.object.spec[field][_]
           not is_exempt(container)
           cpu_orig := container.resources.limits.cpu
@@ -221,6 +222,7 @@ spec:
         }
 
         general_violation[{"msg": msg, "field": field}] {
+          input.parameters.cpu != "-1"
           container := input.review.object.spec[field][_]
           not is_exempt(container)
           missing(container.resources.limits, "cpu")
@@ -240,6 +242,7 @@ spec:
           cpu_orig := container.resources.limits.cpu
           cpu := canonify_cpu(cpu_orig)
           max_cpu_orig := input.parameters.cpu
+          max_cpu_orig != "-1"
           max_cpu := canonify_cpu(max_cpu_orig)
           cpu > max_cpu
           msg := sprintf("container <%v> cpu limit <%v> is higher than the maximum allowed of <%v>", [container.name, cpu_orig, max_cpu_orig])

diff --git a/charts/gatekeeper-library/templates/k8spspforbiddensysctls.yaml b/charts/gatekeeper-library/templates/k8spspforbiddensysctls.yaml
@@ -4,7 +4,7 @@ metadata:
   annotations:
     description: Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
     metadata.gatekeeper.sh/title: Forbidden Sysctls
-    metadata.gatekeeper.sh/version: 1.1.3
+    metadata.gatekeeper.sh/version: 1.2.0
   name: k8spspforbiddensysctls
 spec:
   crd:
@@ -27,63 +27,109 @@ spec:
               type: array
           type: object
   targets:
-    - libs:
-        - |
-          package lib.exclude_update
+    - code:
+        - engine: K8sNativeValidation
+          source:
+            validations:
+              - expression: variables.isUpdate || size(variables.violatingSysctls) == 0
+                messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.params.forbiddenSysctls.join(", ") + ", allowed: " + variables.allowedSysctlsString'
+            variables:
+              - expression: has(request.operation) && request.operation == "UPDATE"
+                name: isUpdate
+              - expression: '!has(variables.anyObject.spec.securityContext) ? [] : !has(variables.anyObject.spec.securityContext.sysctls) ? [] : variables.anyObject.spec.securityContext.sysctls'
+                name: sysctls
+              - expression: |
+                  !has(variables.params.allowedSysctls) ? [] : variables.params.allowedSysctls.filter(sysctl, sysctl.endsWith("*")).map(sysctl, string(sysctl).replace("*", ""))
+                name: allowedSysctlPrefixes
+              - expression: "!has(variables.params.allowedSysctls) ? [] : \n  variables.params.allowedSysctls.filter(sysctl, !sysctl.endsWith(\"*\"))\n"
+                name: allowedSysctlExplicit
+              - expression: |
+                  !has(variables.params.forbiddenSysctls) ? [] : variables.params.forbiddenSysctls.filter(sysctl, sysctl.endsWith("*")).map(sysctl, string(sysctl).replace("*", ""))
+                name: forbiddenSysctlPrefixes
+              - expression: "!has(variables.params.forbiddenSysctls) ? [] : \n  variables.params.forbiddenSysctls.filter(sysctl, !sysctl.endsWith(\"*\"))\n"
+                name: forbiddenSysctlExplicit
+              - expression: |
+                  !has(variables.params.allowedSysctls) ? "unspecified" : size(variables.params.allowedSysctls) == 0 ? "empty" : variables.params.allowedSysctls.join(", ")
+                name: allowedSysctlsString
+              - expression: |
+                  (variables.sysctls.filter(sysctl,
+                    (sysctl.name in variables.forbiddenSysctlExplicit ||
+                    variables.forbiddenSysctlPrefixes.exists(fsp, string(sysctl.name).startsWith(fsp))) ||
+                    (has(variables.params.allowedSysctls) &&
+                    !(sysctl.name in variables.allowedSysctlExplicit) &&
+                    !variables.allowedSysctlPrefixes.exists(asp, string(sysctl.name).startsWith(asp)))))
+                name: violatingSysctls
+        - engine: Rego
+          source:
+            libs:
+              - |
+                package lib.exclude_update
 
-          is_update(review) {
-              review.operation == "UPDATE"
-          }
-      rego: |
-        package k8spspforbiddensysctls
+                is_update(review) {
+                    review.operation == "UPDATE"
+                }
+            rego: |
+              package k8spspforbiddensysctls
 
-        import data.lib.exclude_update.is_update
+              import data.lib.exclude_update.is_update
 
-        # Block if forbidden
-        violation[{"msg": msg, "details": {}}] {
-            # spec.securityContext.sysctls field is immutable.
-            not is_update(input.review)
+              # Block if forbidden
+              violation[{"msg": msg, "details": {}}] {
+                  # spec.securityContext.sysctls field is immutable.
+                  not is_update(input.review)
 
-            sysctl := input.review.object.spec.securityContext.sysctls[_].name
-            forbidden_sysctl(sysctl)
-            msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls])
-        }
+                  sysctl := input.review.object.spec.securityContext.sysctls[_].name
+                  forbidden_sysctl(sysctl)
+                  msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls])
+              }
 
-        # Block if not explicitly allowed
-        violation[{"msg": msg, "details": {}}] {
-            not is_update(input.review)
-            sysctl := input.review.object.spec.securityContext.sysctls[_].name
-            not allowed_sysctl(sysctl)
-            msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])
-        }
+              # Block if not explicitly allowed
+              violation[{"msg": msg, "details": {}}] {
+                  not is_update(input.review)
+                  sysctl := input.review.object.spec.securityContext.sysctls[_].name
+                  not allowed_sysctl(sysctl)
+                  allowmsg := allowed_sysctl_string()
+                  msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, allowmsg])
+              }
 
-        # * may be used to forbid all sysctls
-        forbidden_sysctl(_) {
-            input.parameters.forbiddenSysctls[_] == "*"
-        }
+              # * may be used to forbid all sysctls
+              forbidden_sysctl(_) {
+                  input.parameters.forbiddenSysctls[_] == "*"
+              }
 
-        forbidden_sysctl(sysctl) {
-            input.parameters.forbiddenSysctls[_] == sysctl
-        }
+              forbidden_sysctl(sysctl) {
+                  input.parameters.forbiddenSysctls[_] == sysctl
+              }
 
-        forbidden_sysctl(sysctl) {
-            forbidden := input.parameters.forbiddenSysctls[_]
-            endswith(forbidden, "*")
-            startswith(sysctl, trim_suffix(forbidden, "*"))
-        }
+              forbidden_sysctl(sysctl) {
+                  forbidden := input.parameters.forbiddenSysctls[_]
+                  endswith(forbidden, "*")
+                  startswith(sysctl, trim_suffix(forbidden, "*"))
+              }
 
-        # * may be used to allow all sysctls
-        allowed_sysctl(_) {
-            input.parameters.allowedSysctls[_] == "*"
-        }
+              # * may be used to allow all sysctls
+              allowed_sysctl(_) {
+                  input.parameters.allowedSysctls[_] == "*"
+              }
 
-        allowed_sysctl(sysctl) {
-            input.parameters.allowedSysctls[_] == sysctl
-        }
+              allowed_sysctl(sysctl) {
+                  input.parameters.allowedSysctls[_] == sysctl
+              }
 
-        allowed_sysctl(sysctl) {
-            allowed := input.parameters.allowedSysctls[_]
-            endswith(allowed, "*")
-            startswith(sysctl, trim_suffix(allowed, "*"))
-        }
+              allowed_sysctl(sysctl) {
+                  allowed := input.parameters.allowedSysctls[_]
+                  endswith(allowed, "*")
+                  startswith(sysctl, trim_suffix(allowed, "*"))
+              }
+
+              allowed_sysctl(_) {
+                  not input.parameters.allowedSysctls
+              }
+              allowed_sysctl_string() = out {
+                  not input.parameters.allowedSysctls
+                  out = "unspecified"
+              }
+              allowed_sysctl_string() = out {
+                  out = input.parameters.allowedSysctls
+              }
       target: admission.k8s.gatekeeper.sh