From cd42dbf1ca2c4ceb9065572f9f2df9ec6cf97cee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?=
Date: Tue, 21 Mar 2023 12:40:10 +0100
Subject: [PATCH 1/5] feat: Add `make artifacthub-pkg.yml` target
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Víctor Cuadrado Juan
---
 Makefile | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 417e155..b5ef069 100644
--- a/Makefile
+++ b/Makefile
@@ -1,11 +1,16 @@
 SOURCE_FILES := $(shell test -e src/ && find src -type f)
+VERSION := $(shell sed --posix -n 's,^version = \"\(.*\)\",\1,p' Cargo.toml)
 policy.wasm: $(SOURCE_FILES) Cargo.*
 cargo build --target=wasm32-wasi --release
 cp target/wasm32-wasi/release/*.wasm policy.wasm
-annotated-policy.wasm: policy.wasm metadata.yml
- kwctl annotate -m metadata.yml -o annotated-policy.wasm policy.wasm
+artifacthub-pkg.yml: metadata.yml Cargo.toml
+ kwctl scaffold artifacthub --metadata-path metadata.yml --version $(VERSION) \
+ --output artifacthub-pkg.yml
+
+ annotated-policy.wasm: policy.wasm metadata.yml artifacthub-pkg.yml
+ kwctl annotate -m metadata.yml -u README.md -o annotated-policy.wasm policy.wasm
 .PHONY: fmt
 fmt:
@@ -26,4 +31,4 @@ test: fmt lint
 .PHONY: clean
 clean:
 cargo clean
- rm -f policy.wasm annotated-policy.wasm
+ rm -f policy.wasm annotated-policy.wasm artifacthub-pkg.yml

From ddc580f9f1afac508053aac49c8bb94d9f38ad96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?=
Date: Tue, 21 Mar 2023 12:40:33 +0100
Subject: [PATCH 2/5] build: Bump version to 0.2.5
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Víctor Cuadrado Juan
---
 Cargo.lock | 2 +-
 Cargo.toml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index dcf07ad..9dbdf70 100644
--- a/Cargo.lock
+++ b/Cargo.lock
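Review bot: `VERSION` is read from Cargo.toml with `sed --posix` and then passed unchecked in the `artifacthub-pkg.yml` recipe, so if the pattern does not match (no `version = "..."` line in `[package]`, or a non-GNU sed that does not accept `--posix`) the recipe runs `kwctl scaffold artifacthub ... --version --output artifacthub-pkg.yml` with an empty version instead of failing where the value was produced. A parse-time guard makes that explicit: `ifeq ($(strip $(VERSION)),)` / `$(error VERSION could not be read from Cargo.toml)` / `endif`. The `annotated-policy.wasm` recipe now reads README.md through `-u README.md`, but README.md is not a prerequisite, so editing it does not rebuild the annotated policy; `annotated-policy.wasm: policy.wasm metadata.yml README.md artifacthub-pkg.yml` closes that gap. `clean` now deletes artifacthub-pkg.yml, which the third commit in this series shows to be a tracked file regenerated with a wall-clock `createdAt`, so a rebuild after `make clean` is likely to leave that tracked file modified.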
@@ -417,7 +417,7 @@ checksum = "478c572c3d73181ff3c2539045f6eb99e5491218eae919370993b890cdbdd98e"
 [[package]]
 name = "pod-privileged-policy"
-version = "0.2.4"
+version = "0.2.5"
 dependencies = [
 "anyhow",
 "k8s-openapi",
diff --git a/Cargo.toml b/Cargo.toml
index 15c6423..c7f8845 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "pod-privileged-policy"
-version = "0.2.4"
+version = "0.2.5"
 authors = ["José Guilherme Vanz "]
 edition = "2021"

From 1f9fd5989a692cecf1489ae5017ea100a15637d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?=
Date: Tue, 21 Mar 2023 12:41:15 +0100
Subject: [PATCH 3/5] chore: Refresh metadata.yml, recreate artifacthub-pkg.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Víctor Cuadrado Juan
---
 artifacthub-pkg.yml | 82 +++++++++++++++++++++++++++++++-------------
 metadata.yml | 83 +++++----------------------------------------
 2 files changed, 67 insertions(+), 98 deletions(-)

diff --git a/artifacthub-pkg.yml b/artifacthub-pkg.yml
index 79b530e..25e32cc 100644
--- a/artifacthub-pkg.yml
+++ b/artifacthub-pkg.yml
@@ -1,14 +1,19 @@
----
-version: 0.2.4
+# Kubewarden Artifacthub Package config
+#
+# Use this config to submit the policy to https://artifacthub.io.
+#
+# This config can be saved to its default location with:
+# kwctl scaffold artifacthub > artifacthub-pkg.yml
+version: 0.2.5
 name: pod-privileged-policy
 displayName: Pod Privileged Policy
-createdAt: '2023-02-06T14:46:21+02:00'
+createdAt: 2023-03-21T11:39:45.702098839Z
 description: Limit the ability to create privileged containers
 license: Apache-2.0
 homeURL: https://github.com/kubewarden/pod-privileged-policy
 containersImages:
 - name: policy
- image: ghcr.io/kubewarden/policies/pod-privileged:v0.2.4
+ image: ghcr.io/kubewarden/policies/pod-privileged:v0.2.5
 keywords:
 - psp
 - pod
@@ -16,32 +21,61 @@ keywords:
 - privileged
 links:
 - name: policy
- url: https://github.com/kubewarden/pod-privileged-policy/releases/download/v0.2.4/policy.wasm
+ url: https://github.com/kubewarden/pod-privileged-policy/releases/download/v0.2.5/policy.wasm
 - name: source
 url: https://github.com/kubewarden/pod-privileged-policy
+install: |
+ The policy can be obtained using [`kwctl`](https://github.com/kubewarden/kwctl):
+ ```console
+ kwctl pull ghcr.io/kubewarden/policies/pod-privileged:v0.2.5
+ ```
+maintainers:
+- name: Kubewarden developers
+ email: cncf-kubewarden-maintainers@lists.cncf.io
 provider:
 name: kubewarden
 recommendations:
 - url: https://artifacthub.io/packages/helm/kubewarden/kubewarden-controller
 annotations:
+ kubewarden/mutation: 'false'
 kubewarden/resources: Pod
- kubewarden/mutation: false
- kubewarden/contextAware: false
 kubewarden/rules: |
- rules:
- - apiGroups: [""]
- apiVersions: ["v1"]
- resources: ["pods"]
- operations: ["CREATE"] # kubernetes doesn't allow to add/remove privileged containers to an already running pod
- - apiGroups: [""]
- apiVersions: ["v1"]
- resources: ["replicationcontrollers"]
- operations: ["CREATE", "UPDATE"]
- - apiGroups: ["apps"]
- apiVersions: ["v1"]
- resources: ["deployments","replicasets","statefulsets","daemonsets"]
- operations: ["CREATE", "UPDATE"]
- - apiGroups: ["batch"]
- apiVersions: ["v1"]
- resources: ["jobs","cronjobs"]
- operations: ["CREATE", "UPDATE"]
+ - apiGroups:
+ - ''
+ apiVersions:
+ - v1
+ resources:
+ - pods
+ operations:
+ - CREATE
+ - apiGroups:
+ - ''
+ apiVersions:
+ - v1
+ resources:
+ - replicationcontrollers
+ operations:
+ - CREATE
+ - UPDATE
+ - apiGroups:
+ - apps
+ apiVersions:
+ - v1
+ resources:
+ - deployments
+ - replicasets
+ - statefulsets
+ - daemonsets
+ operations:
+ - CREATE
+ - UPDATE
+ - apiGroups:
+ - batch
+ apiVersions:
+ - v1
+ resources:
+ - jobs
+ - cronjobs
+ operations:
+ - CREATE
+ - UPDATE
diff --git a/metadata.yml b/metadata.yml
index 9808020..00fda3f 100644
--- a/metadata.yml
+++ b/metadata.yml
@@ -18,81 +18,16 @@ rules:
 mutating: false
 contextAware: false
 annotations:
- io.kubewarden.policy.title: pod-privileged
+ # artifacthub specific
+ io.artifacthub.displayName: Pod Privileged Policy
+ io.artifacthub.resources: Pod
+ io.artifacthub.keywords: psp, pod, container, privileged
+ io.kubewarden.policy.ociUrl: ghcr.io/kubewarden/policies/pod-privileged
+ # io.kubewarden.hidden-ui: "true"
+ # rest
+ io.kubewarden.policy.title: pod-privileged-policy
 io.kubewarden.policy.description: Limit the ability to create privileged containers
- io.kubewarden.policy.author: Flavio Castelli
+ io.kubewarden.policy.author: "Kubewarden developers "
 io.kubewarden.policy.url: https://github.com/kubewarden/pod-privileged-policy
 io.kubewarden.policy.source: https://github.com/kubewarden/pod-privileged-policy
 io.kubewarden.policy.license: Apache-2.0
- io.kubewarden.policy.usage: |
- Given the following scenario:
-
- > As an operator of a Kubernetes cluster used by multiple users,
- > I want to have tight control over who can schedule privileged containers.
- Kubernetes containers can be run in privileged mode by providing a well crafted
- [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
- Cluster administrators can prevent regular users to create privileged containers
- by using a Kubernetes built-in feature called [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/).
- However, Pod Security Polices are going to be [deprecated](https://github.com/kubernetes/enhancements/issues/5)
- in the near future.
-
- Pod Security Policies could be replaced by using policies provided by an
- external Admission Controller, like Kubewarden.
-
- This policy inspects the [AdmissionReview](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#request)
- objects generated by the Kubernetes API server and either accept or reject them.
-
- The policy can be used to inspect `CREATE` and `UPDATE` requests of `Pod` resources.
- It will reject any pod with containers, init container or ephemeral containers
- configured as privileged in their [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
-
- # Settings
-
- This policy has no configurable settings.
-
- The user is responsible to configure the policy defining the resources targeted
- by the policy. Otherwise, the policy will not be able to run. The current supported
- resources are listed in the metadata.yml file. See more information about how to
- configure a policy in the [Kubewarden documentation](https://docs.kubewarden.io/).
-
- # Examples
-
- The following Pod specification doesn't have any security context defined:
-
- ```yaml
- apiVersion: v1
- kind: Pod
- metadata:
- name: nginx
- spec:
- containers:
- - name: nginx
- image: nginx
- imagePullPolicy: IfNotPresent
- ```
-
- This workload can be scheduled by all the users of the cluster.
-
- This Pod specification has one of its containers running in
- privileged mode and it will be rejected by the policy:
-
- ```yaml
- apiVersion: v1
- kind: Pod
- metadata:
- name: nginx
- spec:
- runtimeClassName: containerd-runc
- containers:
- - name: nginx
- image: nginx
- imagePullPolicy: IfNotPresent
- securityContext:
- privileged: true
- - name: sleeping-sidecar
- image: alpine
- command: ["sleep", "1h"]
- ```

From fb7038e46e76ae392cf87a62ea976c79b07565b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?=
Date: Tue, 21 Mar 2023 12:41:33 +0100
Subject: [PATCH 4/5] ci: Consume github-actions@v2.0.5
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Víctor Cuadrado Juan
---
 .github/workflows/release.yml | 12 +++----
 .github/workflows/test.yml | 57 ++---------------------------------
 2 files changed, 7 insertions(+), 62 deletions(-)

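Review bot: The added annotations keep a commented-out key, `# io.kubewarden.hidden-ui: "true"`, plus a `# rest` placeholder; a disabled key in shipped metadata reads as pending work, so either drop it or replace the two comments with ones that name the grouping, e.g. `# Artifact Hub listing annotations` and `# Kubewarden policy annotations`. The removed `io.kubewarden.policy.usage` block was, within this hunk, the only statement that init containers and ephemeral containers are rejected as well as regular containers; since usage now comes from `kwctl annotate -u README.md` per the first commit, README.md should be checked to carry that sentence, or the annotated policy loses it. README.md is not in this series, so that is inferred from the Makefile change only.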
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7efd0a9..cfba977 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,7 +2,6 @@ on:
 push:
 branches:
 - main
- - master
 tags:
 - 'v*'
@@ -12,19 +11,18 @@ jobs:
 test:
 name: run tests and linters
- uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-rust.yml@v1
+ uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-rust.yml@v2.0.4
 release:
 needs: test
 permissions:
- # Required to create GH release
+ # Required to create GH releases
 contents: write
- # Required to push to ghcr.io
+ # Required to push to GHCR
 packages: write
 # Required by cosign keyless signing
 id-token: write
- uses: kubewarden/github-actions/.github/workflows/reusable-release-policy-rust.yml@v1
+ uses: kubewarden/github-actions/.github/workflows/reusable-release-policy-rust.yml@v2.0.4
 with:
- input-wasm: pod_privileged_policy
- oci-target: ghcr.io/kubewarden/policies/pod-privileged
+ oci-target: ghcr.io/${{ github.repository_owner }}/policies/pod-privileged
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index ff279d4..db296b1 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
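Review bot: Both `uses:` lines in the second hunk reference the reusable workflows by a mutable tag (`@v2.0.4`), as do the `test.yml` hunk of this commit (`@v2.0.5`) and the two files in the next commit (`@v3.1.0`); the `release` job runs with `contents: write`, `packages: write` and `id-token: write`, so whatever that tag resolves to at run time executes with release-publishing and keyless-signing credentials. Pinning by full commit SHA with the tag in a trailing comment, e.g. `uses: kubewarden/github-actions/.github/workflows/reusable-release-policy-rust.yml@<commit-sha> # v2.0.4`, keeps the upgrade path visible while making the reference immutable. Separately, the commit title says v2.0.5 but this file pins v2.0.4 while test.yml pins v2.0.5; the next commit moves both to v3.1.0, so only the message is inconsistent here.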
@@ -1,59 +1,6 @@
 on: [push, pull_request]
 name: Continuous integration
 jobs:
- check:
- name: Check
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - uses: actions-rs/toolchain@v1
- with:
- profile: minimal
- toolchain: stable
- override: true
- - uses: actions-rs/cargo@v1
- with:
- command: check
 test:
- name: Test Suite
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - uses: actions-rs/toolchain@v1
- with:
- profile: minimal
- toolchain: stable
- override: true
- - uses: actions-rs/cargo@v1
- with:
- command: test
- fmt:
- name: Rustfmt
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - uses: actions-rs/toolchain@v1
- with:
- profile: minimal
- toolchain: stable
- override: true
- - run: rustup component add rustfmt
- - uses: actions-rs/cargo@v1
- with:
- command: fmt
- args: --all -- --check
- clippy:
- name: Clippy
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - uses: actions-rs/toolchain@v1
- with:
- profile: minimal
- toolchain: stable
- override: true
- - run: rustup component add clippy
- - uses: actions-rs/cargo@v1
- with:
- command: clippy
- args: -- -D warnings
+ name: run tests and linters
+ uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-rust.yml@v2.0.5

From 68443b4a22a5ca229089862076bfb868b1f06610 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?=
Date: Fri, 24 Mar 2023 15:20:25 +0100
Subject: [PATCH 5/5] ci: Consume v3.1.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Víctor Cuadrado Juan
---
 .github/workflows/release.yml | 4 ++--
 .github/workflows/test.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cfba977..b72110e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
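Review bot: The replacement `test` job has no `permissions:` block and, with the hunk covering the whole file from line 1, there is no workflow-level one either, so the called reusable workflow runs on every `push` and `pull_request` with the repository's default `GITHUB_TOKEN` permissions. release.yml in this same commit declares its permissions per job; the test job should do the same with the least the reusable workflow needs, starting from `permissions:` / `contents: read` under `test:`. What the called workflow actually requires is not visible here — confirm against the kubewarden/github-actions definition before narrowing.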
@@ -11,7 +11,7 @@ jobs:
 test:
 name: run tests and linters
- uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-rust.yml@v2.0.4
+ uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-rust.yml@v3.1.0
 release:
 needs: test
@@ -23,6 +23,6 @@ jobs:
 # Required by cosign keyless signing
 id-token: write
- uses: kubewarden/github-actions/.github/workflows/reusable-release-policy-rust.yml@v2.0.4
+ uses: kubewarden/github-actions/.github/workflows/reusable-release-policy-rust.yml@v3.1.0
 with:
 oci-target: ghcr.io/${{ github.repository_owner }}/policies/pod-privileged
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index db296b1..cbd78bd 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -3,4 +3,4 @@ name: Continuous integration
 jobs:
 test:
 name: run tests and linters
- uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-rust.yml@v2.0.5
+ uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-rust.yml@v3.1.0