From 9d45ca08b5196c87b0a08e8a49a61a0e29c135d9 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Wed, 20 Mar 2024 08:35:27 +0000
Subject: [PATCH] convert block-ephemeral-containers to cel

Signed-off-by: Chandan-DK
---
 .../artifacthub-pkg.yml | 15 ++++++-------
 .../block-ephemeral-containers.yaml | 21 ++++++++++---------
 2 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/other-cel/block-ephemeral-containers/artifacthub-pkg.yml b/other-cel/block-ephemeral-containers/artifacthub-pkg.yml
index cc77acc0c..6457e474a 100644
--- a/other-cel/block-ephemeral-containers/artifacthub-pkg.yml
+++ b/other-cel/block-ephemeral-containers/artifacthub-pkg.yml
@@ -1,22 +1,23 @@
-name: block-ephemeral-containers
+name: block-ephemeral-containers-cel
 version: 1.0.0
-displayName: Block Ephemeral Containers
-createdAt: "2023-04-10T20:30:03.000Z"
+displayName: Block Ephemeral Containers in CEL expressions
 description: >-
   Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the `kubectl debug` functionality and attach a temporary container to an existing Pod. This may potentially be used to gain access to unauthorized information executing inside one or more containers in that Pod. This policy blocks the use of ephemeral containers.
 install: |-
   ```shell
-  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/block-ephemeral-containers/block-ephemeral-containers.yaml
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml
   ```
 keywords:
   - kyverno
   - Other
+  - CEL Expressions
 readme: |
   Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the `kubectl debug` functionality and attach a temporary container to an existing Pod. This may potentially be used to gain access to unauthorized information executing inside one or more containers in that Pod. This policy blocks the use of ephemeral containers.
 
   Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 annotations:
-  kyverno/category: "Other"
-  kyverno/kubernetesVersion: "1.23"
+  kyverno/category: "Other in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: a49007b59da49fb5d9551a5d9874a091036d3413dfe263924645c64d2aa9d415
+digest: 13da34209be549d9904eb9142840242db2ae000b1935e8c3c84d23368886fab9
+createdAt: "2024-03-20T08:34:56Z"
diff --git a/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml b/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml
index ee7ae46dd..a9223784c 100644
--- a/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml
+++ b/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml
@@ -3,12 +3,12 @@ kind: ClusterPolicy
 metadata:
   name: block-ephemeral-containers
   annotations:
-    policies.kyverno.io/title: Block Ephemeral Containers
-    policies.kyverno.io/category: Other
+    policies.kyverno.io/title: Block Ephemeral Containers in CEL expressions
+    policies.kyverno.io/category: Other in CEL
     policies.kyverno.io/severity: medium
-    kyverno.io/kyverno-version: 1.6.0
-    policies.kyverno.io/minversion: 1.6.0
-    kyverno.io/kubernetes-version: "1.23"
+    kyverno.io/kyverno-version: 1.11.0
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
       Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the
@@ -16,7 +16,7 @@ metadata:
       This may potentially be used to gain access to unauthorized information executing inside
       one or more containers in that Pod. This policy blocks the use of ephemeral containers.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: block-ephemeral-containers
@@ -26,7 +26,8 @@ spec:
       kinds:
       - Pod
     validate:
-      message: "Ephemeral (debug) containers are not permitted."
-      pattern:
-        spec:
-          X(ephemeralContainers): "null"
\ No newline at end of file
+      cel:
+        expressions:
+          - expression: "!has(object.spec.ephemeralContainers)"
+            message: "Ephemeral (debug) containers are not permitted."
+
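Review bot: The converted rule still matches only `kinds: - Pod` (context at the top of the last hunk; the enclosing `match:` block starts above it) while the new CEL check inspects `object.spec.ephemeralContainers`, yet `kubectl debug` attaches a container by writing to the `pods/ephemeralcontainers` subresource rather than updating the Pod itself. If Kyverno at the declared `minversion: 1.11.0` only admits subresource requests to rules that name the subresource, this policy would never see the request it exists to block; adding `- Pod/ephemeralcontainers` alongside `- Pod` under `kinds:` closes that gap, and a test case that updates a Pod with a populated `spec.ephemeralContainers` would confirm the rule fires. The expression `!has(object.spec.ephemeralContainers)` is otherwise a faithful translation of the removed `X(ephemeralContainers): "null"` anchor, rejecting any Pod that carries the field at all.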