convert block-ephemeral-containers to cel

Signed-off-by: Chandan-DK <[email protected]>
kyverno · Mar 20, 2024 · 9d45ca0 · 9d45ca0
1 parent 7252230
commit 9d45ca0
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 17 deletions.
diff --git a/other-cel/block-ephemeral-containers/artifacthub-pkg.yml b/other-cel/block-ephemeral-containers/artifacthub-pkg.yml
@@ -1,22 +1,23 @@
-name: block-ephemeral-containers
+name: block-ephemeral-containers-cel
 version: 1.0.0
-displayName: Block Ephemeral Containers
-createdAt: "2023-04-10T20:30:03.000Z"
+displayName: Block Ephemeral Containers in CEL expressions
 description: >-
   Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the `kubectl debug` functionality and attach a temporary container to an existing Pod. This may potentially be used to gain access to unauthorized information executing inside one or more containers in that Pod. This policy blocks the use of ephemeral containers.
 install: |-
   ```shell
-  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/block-ephemeral-containers/block-ephemeral-containers.yaml
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml
   ```
 keywords:
   - kyverno
   - Other
+  - CEL Expressions
 readme: |
   Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the `kubectl debug` functionality and attach a temporary container to an existing Pod. This may potentially be used to gain access to unauthorized information executing inside one or more containers in that Pod. This policy blocks the use of ephemeral containers.
   
   Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 annotations:
-  kyverno/category: "Other"
-  kyverno/kubernetesVersion: "1.23"
+  kyverno/category: "Other in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: a49007b59da49fb5d9551a5d9874a091036d3413dfe263924645c64d2aa9d415
+digest: 13da34209be549d9904eb9142840242db2ae000b1935e8c3c84d23368886fab9
+createdAt: "2024-03-20T08:34:56Z"
diff --git a/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml b/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml
@@ -3,20 +3,20 @@ kind: ClusterPolicy
 metadata:
   name: block-ephemeral-containers
   annotations:
-    policies.kyverno.io/title: Block Ephemeral Containers
-    policies.kyverno.io/category: Other
+    policies.kyverno.io/title: Block Ephemeral Containers in CEL expressions
+    policies.kyverno.io/category: Other in CEL 
     policies.kyverno.io/severity: medium
-    kyverno.io/kyverno-version: 1.6.0
-    policies.kyverno.io/minversion: 1.6.0
-    kyverno.io/kubernetes-version: "1.23"
+    kyverno.io/kyverno-version: 1.11.0
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
       Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the
       `kubectl debug` functionality and attach a temporary container to an existing Pod.
       This may potentially be used to gain access to unauthorized information executing inside
       one or more containers in that Pod. This policy blocks the use of ephemeral containers.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: block-ephemeral-containers
@@ -26,7 +26,8 @@ spec:
           kinds:
             - Pod
     validate:
-      message: "Ephemeral (debug) containers are not permitted."
-      pattern:
-        spec:
-          X(ephemeralContainers): "null"
+      cel:
+        expressions:
+          - expression: "!has(object.spec.ephemeralContainers)"
+            message: "Ephemeral (debug) containers are not permitted."
+