convert restrict-binding-system-groups to cel

Signed-off-by: Chandan-DK <[email protected]>
kyverno · Apr 12, 2024 · a97b039 · a97b039
1 parent 0e7f097
commit a97b039
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 42 deletions.
diff --git a/other-cel/restrict-binding-system-groups/artifacthub-pkg.yml b/other-cel/restrict-binding-system-groups/artifacthub-pkg.yml
@@ -1,23 +1,25 @@
-name: restrict-binding-system-groups
+name: restrict-binding-system-groups-cel
 version: 1.0.0
-displayName: Restrict Binding System Groups
-createdAt: "2023-04-10T20:30:06.000Z"
+displayName: Restrict Binding System Groups in CEL expressions
 description: >-
   Certain system groups exist in Kubernetes which grant permissions that are used for certain system-level functions yet typically never appropriate for other users. This policy prevents creating bindings to some of these groups including system:anonymous, system:unauthenticated, and system:masters.
 install: |-
   ```shell
-  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-binding-system-groups/restrict-binding-system-groups.yaml
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-binding-system-groups/restrict-binding-system-groups.yaml
   ```
 keywords:
   - kyverno
   - Security
   - EKS Best Practices
+  - CEL Expressions
 readme: |
   Certain system groups exist in Kubernetes which grant permissions that are used for certain system-level functions yet typically never appropriate for other users. This policy prevents creating bindings to some of these groups including system:anonymous, system:unauthenticated, and system:masters.
   
   Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 annotations:
-  kyverno/category: "Security, EKS Best Practices"
-  kyverno/kubernetesVersion: "1.23"
+  kyverno/category: "Security, EKS Best Practices in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "RoleBinding, ClusterRoleBinding, RBAC"
-digest: d0336a6276727ee78903d87ca14097913d5983b35566d3f47efbf72aa59f2f4d
+digest: 9843fd8b6e7357bc01ccbfcd3280bc3bc1d8baa5da4dce46c7d0125906a8efdc
+createdAt: "2024-04-12T16:28:28Z"
+
diff --git a/other-cel/restrict-binding-system-groups/restrict-binding-system-groups.yaml b/other-cel/restrict-binding-system-groups/restrict-binding-system-groups.yaml
@@ -3,56 +3,36 @@ kind: ClusterPolicy
 metadata:
   name: restrict-binding-system-groups
   annotations:
-    policies.kyverno.io/title: Restrict Binding System Groups
-    policies.kyverno.io/category: Security, EKS Best Practices
+    policies.kyverno.io/title: Restrict Binding System Groups in CEL expressions
+    policies.kyverno.io/category: Security, EKS Best Practices in CEL 
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: RoleBinding, ClusterRoleBinding, RBAC
-    kyverno.io/kyverno-version: 1.8.0
-    policies.kyverno.io/minversion: 1.6.0
-    kyverno.io/kubernetes-version: "1.23"
+    kyverno.io/kyverno-version: 1.11.0
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
     policies.kyverno.io/description: >-
       Certain system groups exist in Kubernetes which grant permissions that
       are used for certain system-level functions yet typically never appropriate
       for other users. This policy prevents creating bindings to some of these
       groups including system:anonymous, system:unauthenticated, and system:masters.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
-    - name: restrict-anonymous
+    - name: restrict-subject-groups
       match:
         any:
         - resources:
             kinds:
               - RoleBinding
               - ClusterRoleBinding
       validate:
-        message: "Binding to system:anonymous is not allowed."
-        pattern:
-          subjects:
-            - name: "!system:anonymous"
-    - name: restrict-unauthenticated
-      match:
-        any:
-        - resources:
-            kinds:
-              - RoleBinding
-              - ClusterRoleBinding
-      validate:
-        message: "Binding to system:unauthenticated is not allowed."
-        pattern:
-          subjects:
-            - name: "!system:unauthenticated"
-    - name: restrict-masters
-      match:
-        any:
-        - resources:
-            kinds:
-              - RoleBinding
-              - ClusterRoleBinding
-      validate:
-        message: "Binding to system:masters is not allowed."
-        pattern:
-          subjects:
-            - name: "!system:masters"
+        cel:
+          expressions:
+            - expression: "object.subjects.all(subject, subject.name != 'system:anonymous')"
+              message: "Binding to system:anonymous is not allowed."
+            - expression: "object.subjects.all(subject, subject.name != 'system:unauthenticated')"
+              message: "Binding to system:unauthenticated is not allowed."
+            - expression: "object.subjects.all(subject, subject.name != 'system:masters')"
+              message: "Binding to system:masters is not allowed."