From b9da71d03d673f8aebfed657125a6fd47aa171e9 Mon Sep 17 00:00:00 2001
From: Cyril Jouve
Date: Sat, 8 Mar 2025 16:15:58 +0100
Subject: [PATCH] bump images

---
 charts/gatekeeper-library/Chart.yaml | 4 +-
 charts/gatekeeper-library/kustomization.yaml | 2 +-
 charts/gatekeeper-library/templates.sh | 2 +
 .../templates/k8sallowedrepos.yaml | 4 +-
 .../templates/k8sallowedreposv2.yaml | 57 +++++++
 .../templates/k8scontainerlimits.yaml | 7 +-
 .../templates/k8spspforbiddensysctls.yaml | 144 ++++++++++++------
 .../templates/k8spspfsgroup.yaml | 134 +++++++++-------
 .../templates/k8spsphostnamespace.yaml | 62 +++++---
 .../templates/k8spspprocmount.yaml | 10 +-
 charts/mailpit/Chart.yaml | 4 +-
 charts/mailpit/values.yaml | 2 +-
 charts/postgresql/Chart.yaml | 4 +-
 charts/postgresql/values.yaml | 2 +-
 14 files changed, 293 insertions(+), 145 deletions(-)
 create mode 100644 charts/gatekeeper-library/templates/k8sallowedreposv2.yaml

diff --git a/charts/gatekeeper-library/Chart.yaml b/charts/gatekeeper-library/Chart.yaml
index 54f261c..3596fdf 100644
--- a/charts/gatekeeper-library/Chart.yaml
+++ b/charts/gatekeeper-library/Chart.yaml
@@ -3,8 +3,8 @@ name: gatekeeper-library
 description: A Helm chart for Kubernetes
 icon: https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/website/static/img/logo.svg
 type: application
-version: 0.2.5
-appVersion: 52cb14a2ef7a9d06908e1543524f283290b8b4f4
+version: 0.2.6
+appVersion: a569ff9f7d99db6a8c177bc6311a998f769ce2f8
 sources:
 - https://github.com/jouve/charts
 - https://github.com/open-policy-agent/gatekeeper-library
diff --git a/charts/gatekeeper-library/kustomization.yaml b/charts/gatekeeper-library/kustomization.yaml
index f2d4da6..5d7f216 100644
--- a/charts/gatekeeper-library/kustomization.yaml
+++ b/charts/gatekeeper-library/kustomization.yaml
@@ -1,4 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- github.com/open-policy-agent/gatekeeper-library/library?ref=52cb14a2ef7a9d06908e1543524f283290b8b4f4 +- github.com/open-policy-agent/gatekeeper-library/library?ref=a569ff9f7d99db6a8c177bc6311a998f769ce2f8 diff --git a/charts/gatekeeper-library/templates.sh b/charts/gatekeeper-library/templates.sh index 5f8cad4..f877444 100755 --- a/charts/gatekeeper-library/templates.sh +++ b/charts/gatekeeper-library/templates.sh @@ -3,5 +3,7 @@ set -eux -o pipefail rm -rf templates mkdir templates +# shellcheck disable=SC2016 kustomize build | yq --no-doc --split-exp '.metadata.name | sub(".*", "templates/${0}.yaml")' +# shellcheck disable=SC2016 yq -i '.appVersion = (load("kustomization.yaml").resources.0 | sub(".*ref=(.*)", "$1"))' Chart.yaml diff --git a/charts/gatekeeper-library/templates/k8sallowedrepos.yaml b/charts/gatekeeper-library/templates/k8sallowedrepos.yaml index 7d36245..3952d35 100644 --- a/charts/gatekeeper-library/templates/k8sallowedrepos.yaml +++ b/charts/gatekeeper-library/templates/k8sallowedrepos.yaml @@ -2,9 +2,9 @@ apiVersion: templates.gatekeeper.sh/v1 kind: ConstraintTemplate metadata: annotations: - description: Requires container images to begin with a string from the specified list. + description: Requires container images to begin with a string from the specified list. To prevent bypasses, ensure a '/' is added when specifying DockerHub repositories or custom registries. If exact matches or glob-like syntax are preferred, use the k8sallowedreposv2 policy. metadata.gatekeeper.sh/title: Allowed Repositories - metadata.gatekeeper.sh/version: 1.0.1 + metadata.gatekeeper.sh/version: 1.0.2 name: k8sallowedrepos spec: crd: diff --git a/charts/gatekeeper-library/templates/k8sallowedreposv2.yaml b/charts/gatekeeper-library/templates/k8sallowedreposv2.yaml new file mode 100644 index 0000000..d27690a --- /dev/null 
+++ b/charts/gatekeeper-library/templates/k8sallowedreposv2.yaml 
@@ -0,0 +1,57 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + annotations: + description: 'This policy enforces that container images must begin with a string from a specified list. The updated version, K8sAllowedReposv2, introduces support for exact match and glob-like syntax to enhance security: 1. Exact Match: By default, if the * character is not specified, the policy strictly checks for an exact match of the full registry, repository, and/or the image name. 2. Glob-like Syntax: Adding * at the end of a prefix allows prefix-based matching (e.g., registry.example.com/project/*). Only the * wildcard at the end of a string is supported. 3. Security Note: To avoid bypasses scenarios, ensure prefixes include a trailing / where appropriate (e.g., registry.example.com/project/*).' + metadata.gatekeeper.sh/title: Allowed Images + metadata.gatekeeper.sh/version: 1.0.0 + name: k8sallowedreposv2 +spec: + crd: + spec: + names: + kind: K8sAllowedReposv2 + validation: + openAPIV3Schema: + properties: + allowedImages: + description: A list of allowed container image prefixes. Supports exact matches and prefixes ending with '*'. 
+ items: + type: string + type: array + type: object + targets: + - rego: | + package k8sallowedreposv2 + + violation[{"msg": msg}] { + container := input.review.object.spec.containers[_] + not image_matches(container.image, input.parameters.allowedImages) + msg := sprintf("container <%v> has an invalid image <%v>, allowed images are %v", [container.name, container.image, input.parameters.allowedImages]) + } + + violation[{"msg": msg}] { + container := input.review.object.spec.initContainers[_] + not image_matches(container.image, input.parameters.allowedImages) + msg := sprintf("initContainer <%v> has an invalid image <%v>, allowed images are %v", [container.name, container.image, input.parameters.allowedImages]) + } + + violation[{"msg": msg}] { + container := input.review.object.spec.ephemeralContainers[_] + not image_matches(container.image, input.parameters.allowedImages) + msg := sprintf("ephemeralContainer <%v> has an invalid image <%v>, allowed images are %v", [container.name, container.image, input.parameters.allowedImages]) + } + + image_matches(image, images) { + i_image := images[_] # Iterate through all images in the allowed list + not endswith(i_image, "*") # Check for exact match if the image does not end with * + i_image == image + } + + image_matches(image, images) { + i_image := images[_] # Iterate through all images in the allowed list + endswith(i_image, "*") # Check for prefix match if the image ends with * + prefix := trim_suffix(i_image, "*") + startswith(image, prefix) + } + target: admission.k8s.gatekeeper.sh diff --git a/charts/gatekeeper-library/templates/k8scontainerlimits.yaml b/charts/gatekeeper-library/templates/k8scontainerlimits.yaml index e090134..b1f6900 100644 --- a/charts/gatekeeper-library/templates/k8scontainerlimits.yaml +++ b/charts/gatekeeper-library/templates/k8scontainerlimits.yaml 
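Review bot: The exact-match branch of `image_matches` compares the whole reference string, so an `allowedImages` entry like `nginx` admits only a literal `nginx` and rejects `nginx:1.27` or `nginx@sha256:...`; the description's "exact match of the full registry, repository, and/or the image name" does not say that tags and digests are part of the comparison, and an operator expecting tag-agnostic matching will get surprising denials. The `allowedImages` schema description should state that, and that `nginx:*` (or `nginx@*`) is the way to pin the name without pinning the version. The same branch means an entry with `*` anywhere but at the end (`registry.example.com/*/app`) is compared literally and silently never matches anything; a `pattern` on the array item, or one sentence in the description, would surface that misconfiguration at constraint creation instead of at the first denied pod. The prefix branch still depends on the operator supplying the trailing `/` the description asks for — `registry.example.com/project*` also admits `registry.example.com/project-evil/...`, which is exactly the bypass the security note describes.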
@@ -6,7 +6,7 @@ metadata: Requires containers to have memory and CPU limits set and constrains limits to be within the specified maximum values. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ metadata.gatekeeper.sh/title: Container Limits - metadata.gatekeeper.sh/version: 1.0.1 + metadata.gatekeeper.sh/version: 1.1.0 name: k8scontainerlimits spec: crd: @@ -17,7 +17,7 @@ spec: openAPIV3Schema: properties: cpu: - description: The maximum allowed cpu limit on a Pod, exclusive. + description: The maximum allowed cpu limit on a Pod, exclusive. Set to -1 to disable. type: string exemptImages: description: |- @@ -191,6 +191,7 @@ spec: # Ephemeral containers not checked as it is not possible to set field. general_violation[{"msg": msg, "field": field}] { + input.parameters.cpu != "-1" container := input.review.object.spec[field][_] not is_exempt(container) cpu_orig := container.resources.limits.cpu @@ -221,6 +222,7 @@ spec: } general_violation[{"msg": msg, "field": field}] { + input.parameters.cpu != "-1" container := input.review.object.spec[field][_] not is_exempt(container) missing(container.resources.limits, "cpu") @@ -240,6 +242,7 @@ spec: cpu_orig := container.resources.limits.cpu cpu := canonify_cpu(cpu_orig) max_cpu_orig := input.parameters.cpu + max_cpu_orig != "-1" max_cpu := canonify_cpu(max_cpu_orig) cpu > max_cpu msg := sprintf("container <%v> cpu limit <%v> is higher than the maximum allowed of <%v>", [container.name, cpu_orig, max_cpu_orig]) diff --git a/charts/gatekeeper-library/templates/k8spspforbiddensysctls.yaml b/charts/gatekeeper-library/templates/k8spspforbiddensysctls.yaml index db5c1be..dea3eaa 100644 --- a/charts/gatekeeper-library/templates/k8spspforbiddensysctls.yaml +++ b/charts/gatekeeper-library/templates/k8spspforbiddensysctls.yaml 
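Review bot: In the `@@ -221` hunk the added `input.parameters.cpu != "-1"` guard also switches off the missing-cpu-limit check whenever the `cpu` parameter is simply omitted from the constraint, because a comparison against an undefined value makes the rule body undefined; before this change a container without a cpu limit was flagged regardless of whether `cpu` was set. If opting out is meant to require the explicit sentinel, write the guard as `not input.parameters.cpu == "-1"` in both `general_violation` rules (it is true when the parameter is absent); if omission is meant to disable the check as well, say so next to `Set to -1 to disable.` in the schema description so an operator does not mistake a forgotten parameter for an enforced one. Only the cpu path gets the `-1` treatment in the visible hunks, so I cannot tell from here whether memory is meant to have the same escape hatch. The `general_violation` rule bodies continue outside the hunk.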
@@ -4,7 +4,7 @@ metadata:
 annotations:
 description: Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
 metadata.gatekeeper.sh/title: Forbidden Sysctls
- metadata.gatekeeper.sh/version: 1.1.3
+ metadata.gatekeeper.sh/version: 1.2.0
 name: k8spspforbiddensysctls
 spec:
 crd:
@@ -27,63 +27,109 @@ spec: type: array type: object targets: - - libs: - - | - package lib.exclude_update + - code: + - engine: K8sNativeValidation + source: + validations: + - expression: variables.isUpdate || size(variables.violatingSysctls) == 0 + messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.params.forbiddenSysctls.join(", ") + ", allowed: " + variables.allowedSysctlsString' + variables: + - expression: has(request.operation) && request.operation == "UPDATE" + name: isUpdate + - expression: '!has(variables.anyObject.spec.securityContext) ? [] : !has(variables.anyObject.spec.securityContext.sysctls) ? [] : variables.anyObject.spec.securityContext.sysctls' + name: sysctls + - expression: | + !has(variables.params.allowedSysctls) ? [] : variables.params.allowedSysctls.filter(sysctl, sysctl.endsWith("*")).map(sysctl, string(sysctl).replace("*", "")) + name: allowedSysctlPrefixes + - expression: "!has(variables.params.allowedSysctls) ? [] : \n variables.params.allowedSysctls.filter(sysctl, !sysctl.endsWith(\"*\"))\n" + name: allowedSysctlExplicit + - expression: | + !has(variables.params.forbiddenSysctls) ? [] : variables.params.forbiddenSysctls.filter(sysctl, sysctl.endsWith("*")).map(sysctl, string(sysctl).replace("*", "")) + name: forbiddenSysctlPrefixes + - expression: "!has(variables.params.forbiddenSysctls) ? [] : \n variables.params.forbiddenSysctls.filter(sysctl, !sysctl.endsWith(\"*\"))\n" + name: forbiddenSysctlExplicit + - expression: | + !has(variables.params.allowedSysctls) ? "unspecified" : size(variables.params.allowedSysctls) == 0 ? 
"empty" : variables.params.allowedSysctls.join(", ") + name: allowedSysctlsString + - expression: | + (variables.sysctls.filter(sysctl, + (sysctl.name in variables.forbiddenSysctlExplicit || + variables.forbiddenSysctlPrefixes.exists(fsp, string(sysctl.name).startsWith(fsp))) || + (has(variables.params.allowedSysctls) && + !(sysctl.name in variables.allowedSysctlExplicit) && + !variables.allowedSysctlPrefixes.exists(asp, string(sysctl.name).startsWith(asp))))) + name: violatingSysctls + - engine: Rego + source: + libs: + - | + package lib.exclude_update - is_update(review) { - review.operation == "UPDATE" - } - rego: | - package k8spspforbiddensysctls + is_update(review) { + review.operation == "UPDATE" + } + rego: | + package k8spspforbiddensysctls - import data.lib.exclude_update.is_update + import data.lib.exclude_update.is_update - # Block if forbidden - violation[{"msg": msg, "details": {}}] { - # spec.securityContext.sysctls field is immutable. - not is_update(input.review) + # Block if forbidden + violation[{"msg": msg, "details": {}}] { + # spec.securityContext.sysctls field is immutable. + not is_update(input.review) - sysctl := input.review.object.spec.securityContext.sysctls[_].name - forbidden_sysctl(sysctl) - msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls]) - } + sysctl := input.review.object.spec.securityContext.sysctls[_].name + forbidden_sysctl(sysctl) + msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls]) + } - # Block if not explicitly allowed - violation[{"msg": msg, "details": {}}] { - not is_update(input.review) - sysctl := input.review.object.spec.securityContext.sysctls[_].name - not allowed_sysctl(sysctl) - msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. 
Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls]) - } + # Block if not explicitly allowed + violation[{"msg": msg, "details": {}}] { + not is_update(input.review) + sysctl := input.review.object.spec.securityContext.sysctls[_].name + not allowed_sysctl(sysctl) + allowmsg := allowed_sysctl_string() + msg := sprintf("The sysctl %v is not explicitly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, allowmsg]) + } - # * may be used to forbid all sysctls - forbidden_sysctl(_) { - input.parameters.forbiddenSysctls[_] == "*" - } + # * may be used to forbid all sysctls + forbidden_sysctl(_) { + input.parameters.forbiddenSysctls[_] == "*" + } - forbidden_sysctl(sysctl) { - input.parameters.forbiddenSysctls[_] == sysctl - } + forbidden_sysctl(sysctl) { + input.parameters.forbiddenSysctls[_] == sysctl + } - forbidden_sysctl(sysctl) { - forbidden := input.parameters.forbiddenSysctls[_] - endswith(forbidden, "*") - startswith(sysctl, trim_suffix(forbidden, "*")) - } + forbidden_sysctl(sysctl) { + forbidden := input.parameters.forbiddenSysctls[_] + endswith(forbidden, "*") + startswith(sysctl, trim_suffix(forbidden, "*")) + } - # * may be used to allow all sysctls - allowed_sysctl(_) { - input.parameters.allowedSysctls[_] == "*" - } + # * may be used to allow all sysctls + allowed_sysctl(_) { + input.parameters.allowedSysctls[_] == "*" + } - allowed_sysctl(sysctl) { - input.parameters.allowedSysctls[_] == sysctl - } + allowed_sysctl(sysctl) { + input.parameters.allowedSysctls[_] == sysctl + } - allowed_sysctl(sysctl) { - allowed := input.parameters.allowedSysctls[_] - endswith(allowed, "*") - startswith(sysctl, trim_suffix(allowed, "*")) - } + allowed_sysctl(sysctl) { + allowed := input.parameters.allowedSysctls[_] + endswith(allowed, "*") + startswith(sysctl, trim_suffix(allowed, "*")) + } + + allowed_sysctl(_) { + not input.parameters.allowedSysctls + } + allowed_sysctl_string() = out { + not 
input.parameters.allowedSysctls + out = "unspecified" + } + allowed_sysctl_string() = out { + out = input.parameters.allowedSysctls + } target: admission.k8s.gatekeeper.sh diff --git a/charts/gatekeeper-library/templates/k8spspfsgroup.yaml b/charts/gatekeeper-library/templates/k8spspfsgroup.yaml index 623309d..3af774f 100644 --- a/charts/gatekeeper-library/templates/k8spspfsgroup.yaml +++ b/charts/gatekeeper-library/templates/k8spspfsgroup.yaml @@ -4,7 +4,7 @@ metadata: annotations: description: Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems metadata.gatekeeper.sh/title: FS Group - metadata.gatekeeper.sh/version: 1.0.2 + metadata.gatekeeper.sh/version: 1.1.0 name: k8spspfsgroup spec: crd: 
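Review bot: The CEL `messageExpression` reads `variables.params.forbiddenSysctls.join(", ")` with no `has()` guard, while every variable in the same block treats `forbiddenSysctls` as optional, so a constraint that only sets `allowedSysctls` hits a missing-key error in the message path at exactly the moment a violation needs reporting; what the admission response then carries depends on how Gatekeeper surfaces message-expression errors, which the hunk does not show. The message also never names the offending sysctl, unlike the Rego `The sysctl %v is not allowed ...`, so the operator has to diff the pod spec against both lists by hand. Both are addressed by building the message from what the variables already computed: `messageExpression: '"The sysctl(s) " + variables.violatingSysctls.map(s, s.name).join(", ") + " are not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + (has(variables.params.forbiddenSysctls) ? variables.params.forbiddenSysctls.join(", ") : "unspecified") + ", allowed: " + variables.allowedSysctlsString'`. The Rego side of the hunk is an indentation move plus the new `allowed_sysctl(_) { not input.parameters.allowedSysctls }` default, which matches the CEL `has(variables.params.allowedSysctls) && ...` guard, so the two engines agree that an unset allow-list permits everything not forbidden.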
@@ -36,63 +36,85 @@ spec: type: string type: object targets: - - libs: - - | - package lib.exclude_update + - code: + - engine: K8sNativeValidation + source: + validations: + - expression: variables.isUpdate || variables.input_fsGroup_allowed + messageExpression: '"The provided pod spec fsGroup is not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed fsGroup rule: " + variables.ruleString + ", allowed fsGroup ranges: " + variables.rangesString' + variables: + - expression: has(request.operation) && request.operation == "UPDATE" + name: isUpdate + - expression: '!has(variables.anyObject.spec.securityContext) ? "" : !has(variables.anyObject.spec.securityContext.fsGroup) ? "" : variables.anyObject.spec.securityContext.fsGroup' + name: fsGroup + - expression: | + !has(variables.params.rule) ? "unspecified" : string(variables.params.rule) + name: ruleString + - expression: | + !has(variables.params.ranges) ? "unspecified" : size(variables.params.ranges) == 0 ? "empty" : variables.params.ranges.map(r, string(r)).join(", ") + name: rangesString + - expression: | + !has(variables.params.rule) ? true : variables.params.rule == "RunAsAny" ? true : variables.params.rule == "MayRunAs" && variables.fsGroup == "" ? true : (variables.params.rule == "MayRunAs" || variables.params.rule == "MustRunAs") && has(variables.params.ranges) && size(variables.params.ranges) > 0 ? variables.params.ranges.exists(range, range.min <= variables.fsGroup && range.max >= variables.fsGroup) : false + name: input_fsGroup_allowed + - engine: Rego + source: + libs: + - | + package lib.exclude_update - is_update(review) { - review.operation == "UPDATE" - } - rego: | - package k8spspfsgroup + is_update(review) { + review.operation == "UPDATE" + } + rego: | + package k8spspfsgroup - import data.lib.exclude_update.is_update + import data.lib.exclude_update.is_update - violation[{"msg": msg, "details": {}}] { - # spec.securityContext.fsGroup field is immutable. 
- not is_update(input.review) + violation[{"msg": msg, "details": {}}] { + # spec.securityContext.fsGroup field is immutable. + not is_update(input.review) + has_field(input.parameters, "rule") + spec := input.review.object.spec + not input_fsGroup_allowed(spec) + msg := sprintf("The provided pod spec fsGroup is not allowed, pod: %v. Allowed fsGroup: %v", [input.review.object.metadata.name, input.parameters]) + } - spec := input.review.object.spec - not input_fsGroup_allowed(spec) - msg := sprintf("The provided pod spec fsGroup is not allowed, pod: %v. Allowed fsGroup: %v", [input.review.object.metadata.name, input.parameters]) - } - - input_fsGroup_allowed(_) { - # RunAsAny - No range is required. Allows any fsGroup ID to be specified. - input.parameters.rule == "RunAsAny" - } - input_fsGroup_allowed(spec) { - # MustRunAs - Validates pod spec fsgroup against all ranges - input.parameters.rule == "MustRunAs" - fg := spec.securityContext.fsGroup - count(input.parameters.ranges) > 0 - range := input.parameters.ranges[_] - value_within_range(range, fg) - } - input_fsGroup_allowed(spec) { - # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset - input.parameters.rule == "MayRunAs" - not has_field(spec, "securityContext") - } - input_fsGroup_allowed(spec) { - # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset - input.parameters.rule == "MayRunAs" - not spec.securityContext.fsGroup - } - input_fsGroup_allowed(spec) { - # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset - input.parameters.rule == "MayRunAs" - fg := spec.securityContext.fsGroup - count(input.parameters.ranges) > 0 - range := input.parameters.ranges[_] - value_within_range(range, fg) - } - value_within_range(range, value) { - range.min <= value - range.max >= value - } - # has_field returns whether an object has a field - has_field(object, field) = true { - 
object[field] - } + input_fsGroup_allowed(_) { + # RunAsAny - No range is required. Allows any fsGroup ID to be specified. + input.parameters.rule == "RunAsAny" + } + input_fsGroup_allowed(spec) { + # MustRunAs - Validates pod spec fsgroup against all ranges + input.parameters.rule == "MustRunAs" + fg := spec.securityContext.fsGroup + count(input.parameters.ranges) > 0 + range := input.parameters.ranges[_] + value_within_range(range, fg) + } + input_fsGroup_allowed(spec) { + # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset + input.parameters.rule == "MayRunAs" + not has_field(spec, "securityContext") + } + input_fsGroup_allowed(spec) { + # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset + input.parameters.rule == "MayRunAs" + not spec.securityContext.fsGroup + } + input_fsGroup_allowed(spec) { + # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset + input.parameters.rule == "MayRunAs" + fg := spec.securityContext.fsGroup + count(input.parameters.ranges) > 0 + range := input.parameters.ranges[_] + value_within_range(range, fg) + } + value_within_range(range, value) { + range.min <= value + range.max >= value + } + # has_field returns whether an object has a field + has_field(object, field) = true { + object[field] + } target: admission.k8s.gatekeeper.sh diff --git a/charts/gatekeeper-library/templates/k8spsphostnamespace.yaml b/charts/gatekeeper-library/templates/k8spsphostnamespace.yaml index 0405aae..aefc5a2 100644 --- a/charts/gatekeeper-library/templates/k8spsphostnamespace.yaml +++ b/charts/gatekeeper-library/templates/k8spsphostnamespace.yaml 
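Review bot: In the CEL `input_fsGroup_allowed` expression a `MustRunAs` rule on a pod with no `fsGroup` reaches `range.min <= variables.fsGroup` with `variables.fsGroup == ""`, so CEL is asked to compare an int with a string and the expression errors instead of evaluating to `false`; the Rego path denies the same case cleanly because `spec.securityContext.fsGroup` is simply undefined there. Whether the error is reported as the intended denial or as an evaluation failure depends on Gatekeeper's handling of CEL errors, which I cannot confirm from the hunk. Short-circuit the unset case before the range check, `variables.params.rule == "MustRunAs" && variables.fsGroup == "" ? false :` inserted after the `MayRunAs` clause, or give the `fsGroup` variable a typed sentinel such as `-1` rather than `""` so every branch compares ints. The new Rego `has_field(input.parameters, "rule")` line is a matching behaviour change (no `rule` means no violation) and deserves a comment saying so, since an operator could otherwise read an empty constraint as deny-everything.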
@@ -4,7 +4,7 @@ metadata:
 annotations:
 description: Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
 metadata.gatekeeper.sh/title: Host Namespace
- metadata.gatekeeper.sh/version: 1.0.1
+ metadata.gatekeeper.sh/version: 1.1.0
 name: k8spsphostnamespace
 spec:
 crd:
@@ -16,30 +16,48 @@ spec: description: Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces type: object targets: - - libs: - - | - package lib.exclude_update + - code: + - engine: K8sNativeValidation + source: + validations: + - expression: (has(request.operation) && request.operation == "UPDATE") || !variables.sharingNamespace + messageExpression: '"Sharing the host namespace is not allowed: " + variables.anyObject.metadata.name' + variables: + - expression: | + has(variables.anyObject.spec.hostIPC) ? variables.anyObject.spec.hostIPC : false + name: sharingHostIPC + - expression: | + has(variables.anyObject.spec.hostPID) ? variables.anyObject.spec.hostPID : false + name: sharingHostPID + - expression: | + variables.sharingHostIPC || variables.sharingHostPID + name: sharingNamespace + - engine: Rego + source: + libs: + - | + package lib.exclude_update - is_update(review) { - review.operation == "UPDATE" - } - rego: | - package k8spsphostnamespace + is_update(review) { + review.operation == "UPDATE" + } + rego: | + package k8spsphostnamespace - import data.lib.exclude_update.is_update + import data.lib.exclude_update.is_update - violation[{"msg": msg, "details": {}}] { - # spec.hostPID and spec.hostIPC fields are immutable. - not is_update(input.review) + violation[{"msg": msg, "details": {}}] { + # spec.hostPID and spec.hostIPC fields are immutable. 
+ not is_update(input.review) - input_share_hostnamespace(input.review.object) - msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name]) - } + input_share_hostnamespace(input.review.object) + msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name]) + } - input_share_hostnamespace(o) { - o.spec.hostPID - } - input_share_hostnamespace(o) { - o.spec.hostIPC - } + input_share_hostnamespace(o) { + o.spec.hostPID + } + input_share_hostnamespace(o) { + o.spec.hostIPC + } target: admission.k8s.gatekeeper.sh diff --git a/charts/gatekeeper-library/templates/k8spspprocmount.yaml b/charts/gatekeeper-library/templates/k8spspprocmount.yaml index 6f4d861..dfe6b3a 100644 --- a/charts/gatekeeper-library/templates/k8spspprocmount.yaml +++ b/charts/gatekeeper-library/templates/k8spspprocmount.yaml @@ -4,7 +4,7 @@ metadata: annotations: description: Controls the allowed `procMount` types for the container. Corresponds to the `allowedProcMountTypes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes metadata.gatekeeper.sh/title: Proc Mount - metadata.gatekeeper.sh/version: 1.1.1 + metadata.gatekeeper.sh/version: 1.1.2 name: k8spspprocmount spec: crd: 
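Review bot: The CEL `validations` expression inlines `(has(request.operation) && request.operation == "UPDATE")` instead of the named `isUpdate` variable that the sibling templates in this same bump (k8spspforbiddensysctls, k8spspfsgroup) declare, so the three native-validation blocks now spell the same immutability skip three different ways. Adding `- expression: has(request.operation) && request.operation == "UPDATE"` with `name: isUpdate` to `variables` and writing the validation as `variables.isUpdate || !variables.sharingNamespace` keeps them uniform. The Rego carries the rationale `# spec.hostPID and spec.hostIPC fields are immutable.` but the CEL side has no equivalent, so a YAML comment with the same sentence above the `validations` list would explain why updates are exempted at all.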
@@ -66,7 +66,7 @@ spec: !(container.image in variables.exemptImages) && !( (variables.allowedProcMount == "unmasked") || - (variables.allowedProcMount == "default" && has(container.securityContext) && has(container.securityContext.procMount) && container.securityContext.procMount.lowerAscii() == "default") + (variables.allowedProcMount == "default" && (!has(container.securityContext) || !has(container.securityContext.procMount) || container.securityContext.procMount == null || container.securityContext.procMount.lowerAscii() == "default")) ) ).map(container, "ProcMount type is not allowed, container: " + container.name +". Allowed procMount types: " + variables.allowedProcMount) name: badContainers @@ -126,15 +126,15 @@ spec: input_containers[c] { c := input.review.object.spec.containers[_] - c.securityContext.procMount + c.securityContext.procMount != null } input_containers[c] { c := input.review.object.spec.initContainers[_] - c.securityContext.procMount + c.securityContext.procMount != null } input_containers[c] { c := input.review.object.spec.ephemeralContainers[_] - c.securityContext.procMount + c.securityContext.procMount != null } get_allowed_proc_mount(arg) = out { diff --git a/charts/mailpit/Chart.yaml b/charts/mailpit/Chart.yaml index 772f457..86cfda4 100644 --- a/charts/mailpit/Chart.yaml +++ b/charts/mailpit/Chart.yaml @@ -3,8 +3,8 @@ name: mailpit description: An email and SMTP testing tool with API for developers icon: https://raw.githubusercontent.com/axllent/mailpit/develop/server/ui/mailpit.svg type: application -version: 0.22.3 -appVersion: 1.22.2 +version: 0.23.0 +appVersion: 1.23.1 dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts diff --git a/charts/mailpit/values.yaml b/charts/mailpit/values.yaml index 18317ef..1117c40 100644 --- a/charts/mailpit/values.yaml +++ b/charts/mailpit/values.yaml 
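Review bot: The three `input_containers` rules in the `@@ -126` hunk now read `c.securityContext.procMount != null`, which keeps excluding containers with no `procMount` at all (an undefined reference makes the comparison undefined) and additionally excludes an explicit `procMount: null`; neither consequence is visible from the line itself, and the next reader will wonder why a `!= null` test was needed on a field the old code merely referenced. A comment above the first rule such as `# Only containers that set procMount to a real value are checked; an absent key or an explicit null both mean the runtime default.` would carry that. The CEL change in the `@@ -66` hunk makes the same allowance (`!has(...) || ... == null || ... == "default"`), and the same sentence fits as a YAML comment above the `badContainers` variable. `get_allowed_proc_mount` begins on the hunk's last line and continues outside it.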
@@ -34,7 +34,7 @@ global:
 image:
 registry: docker.io
 repository: axllent/mailpit
- tag: v1.22.2
+ tag: v1.23.1
 digest: ""
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
diff --git a/charts/postgresql/Chart.yaml b/charts/postgresql/Chart.yaml
index b12b266..d31279a 100644
--- a/charts/postgresql/Chart.yaml
+++ b/charts/postgresql/Chart.yaml
@@ -7,8 +7,8 @@ keywords:
 - database
 - postgresql
 - cloudnative-pg
-version: 0.8.8
-appVersion: "16.3"
+version: 0.8.9
+appVersion: "17.4"
 dependencies:
 - name: common
 repository: oci://registry-1.docker.io/bitnamicharts
diff --git a/charts/postgresql/values.yaml b/charts/postgresql/values.yaml
index 9b66067..461480d 100644
--- a/charts/postgresql/values.yaml
+++ b/charts/postgresql/values.yaml
@@ -39,7 +39,7 @@ affinity:
 image:
 registry: ghcr.io
 repository: cloudnative-pg/postgresql
- tag: 16.3-1
+ tag: 17.4-3
 digest: ""
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'