convert check-serviceaccount-secrets to cel

Signed-off-by: Chandan-DK <[email protected]>
kyverno · Mar 21, 2024 · ceece5c · ceece5c
1 parent 486cb1d
commit ceece5c
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 14 deletions.
diff --git a/other-cel/check-serviceaccount-secrets/artifacthub-pkg.yaml b/other-cel/check-serviceaccount-secrets/artifacthub-pkg.yaml
@@ -1,7 +1,6 @@
-name: check-serviceaccount-secrets
+name: check-serviceaccount-secrets-cel
 version: 1.0.0
-displayName: Check Existence of Secrets in ServiceAccount
-createdAt: "2024-03-02T06:14:33.000Z"
+displayName: Check Existence of Secrets in ServiceAccount in CEL expressions
 description: >-
   Before version 1.24, Kubernetes automatically generated Secret-based tokens 
   for ServiceAccounts. To distinguish between automatically generated tokens 
@@ -11,11 +10,12 @@ description: >-
   be of security concern and should be audited.
 install: |-
   ```shell
-  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml
   ```
 keywords:
   - kyverno
   - Sample
+  - CEL Expressions
 readme: |
   Before version 1.24, Kubernetes automatically generated Secret-based tokens 
   for ServiceAccounts. To distinguish between automatically generated tokens 
@@ -26,7 +26,8 @@ readme: |
   
   Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 annotations:
-  kyverno/category: "Security"
-  kyverno/kubernetesVersion: "1.27"
+  kyverno/category: "Security in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Secret,ServiceAccount"
-digest: 43f9a02f3d13e172bbd0a24cae3747184c407f7df2b777247625906e851eff7e 
+digest: 8f7e2e179c7e7fe85cbc8cf05c0b7111301836260fc95f0c50cc35d1894a37c3
+createdAt: "2024-03-21T13:47:35Z" 
diff --git a/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml b/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml
@@ -3,11 +3,11 @@ kind: ClusterPolicy
 metadata:
   name: check-serviceaccount-secrets
   annotations:
-    policies.kyverno.io/title: Check Long-Lived Secrets in ServiceAccounts
-    policies.kyverno.io/category: Security
+    policies.kyverno.io/title: Check Long-Lived Secrets in ServiceAccounts in CEL expressions
+    policies.kyverno.io/category: Security in CEL 
     policies.kyverno.io/severity: medium
-    kyverno.io/kyverno-version: 1.11.1
-    kyverno.io/kubernetes-version: "1.27"
+    kyverno.io/kyverno-version: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
     policies.kyverno.io/subject: Secret,ServiceAccount
     policies.kyverno.io/description: >-
       Before version 1.24, Kubernetes automatically generated Secret-based tokens 
@@ -27,6 +27,7 @@ spec:
             kinds:
               - ServiceAccount
       validate:
-        message: "Long-lived API tokens are not allowed."
-        pattern:
-          X(secrets):
+        cel:
+          expressions:
+            - expression: "!has(object.secrets)"
+              message: "Long-lived API tokens are not allowed."