feat: add other policies in CEL expressions - Part 7

.github/workflows/test.yml

@@ -61,7 +61,7 @@ jobs:
           - ^other$/^res
           - ^other-cel$/^res
           - ^other$/^[s-z]
-          - ^other-cel$/^res
+          - ^other-cel$/^[s-z]
           - ^pod-security$
           - ^pod-security-cel$
           - ^psa$

other-cel/advanced-restrict-image-registries/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,48 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: advanced-restrict-image-registries
+spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../advanced-restrict-image-registries.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: advanced-restrict-image-registries
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: policy-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ns-01.yaml
+    - apply:
+        file: ns-02.yaml
+    - apply:
+        file: cm.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: pod-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: pod-bad.yaml
+    - apply:
+        file: podcontroller-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: podcontroller-bad.yaml

other-cel/advanced-restrict-image-registries/.chainsaw-test/cm.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+  registries: ghcr.io/
+kind: ConfigMap
+metadata:
+  name: clusterregistries
+  namespace: default

other-cel/advanced-restrict-image-registries/.chainsaw-test/ns-01.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    corp.com/allowed-registries: img.corp.com/
+  name: imageregistries-ns01

other-cel/advanced-restrict-image-registries/.chainsaw-test/ns-02.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    corp.com/allowed-registries: docker.io/
+  name: imageregistries-ns02

other-cel/advanced-restrict-image-registries/.chainsaw-test/pod-bad.yaml

@@ -0,0 +1,55 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod01
+spec:
+  containers:
+  - name: busybox01
+    image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod02
+  namespace: imageregistries-ns01
+spec:
+  initContainers:
+  - name: busybox01-init
+    image: busybox:1.35
+  - name: busybox02-init
+    image: ghcr.io/busybox:1.35
+  containers:
+  - name: busybox01
+    image: ghcr.io/busybox:1.35
+  - name: busybox02
+    image: corp.img.io/busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod03
+  namespace: imageregistries-ns02
+spec:
+  initContainers:
+  - name: busybox01-init
+    image: corp.img.io/busybox:1.35
+  containers:
+  - name: busybox01
+    image: img.corp.com/busybox:1.35
+  - name: busybox02
+    image: docker.io/busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod04
+spec:
+  initContainers:
+  - name: busybox01-init
+    image: corp.img.io/busybox:1.35
+  containers:
+  - name: busybox01
+    image: ghcr.io/busybox:1.35
+  - name: busybox02
+    image: ghcr.io/busybox:1.35
+---

other-cel/advanced-restrict-image-registries/.chainsaw-test/pod-good.yaml

@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod01
+  namespace: imageregistries-ns01
+spec:
+  initContainers:
+  - name: busybox01-init
+    image: img.corp.com/busybox:1.35
+  # - name: busybox02-init
+  #   image: ghcr.io/busybox:1.35
+  containers:
+  # - name: busybox01
+  #   image: ghcr.io/busybox:1.35
+  - name: busybox02
+    image: img.corp.com/busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod02
+  namespace: imageregistries-ns02
+spec:
+  initContainers:
+  - name: busybox01-init
+    image: ghcr.io/busybox:1.35
+  containers:
+  - name: busybox01
+    image: docker.io/busybox:1.35
+  - name: busybox02
+    image: docker.io/busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod03
+spec:
+  initContainers:
+  - name: busybox01-init
+    image: ghcr.io/busybox:1.35
+  containers:
+  - name: busybox01
+    image: ghcr.io/busybox:1.35
+  - name: busybox02
+    image: ghcr.io/busybox:1.35

other-cel/advanced-restrict-image-registries/.chainsaw-test/podcontroller-bad.yaml

@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+  name: baddeploy01
+  namespace: imageregistries-ns01
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      initContainers:
+      - name: busybox01-init
+        image: docker.io/busybox:1.35
+      - name: busybox02-init
+        image: ghcr.io/busybox:1.35
+      containers:
+      - name: busybox01
+        image: ghcr.io/busybox:1.35
+      - name: busybox02
+        image: corp.img.io/busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: badcronjob01
+  namespace: imageregistries-ns02
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          initContainers:
+          - name: busybox01-init
+            image: docker.io/busybox:1.35
+          - name: busybox02-init
+            image: ghcr.io/busybox:1.35
+          containers:
+          - name: busybox01
+            image: ghcr.io/busybox:1.35
+          - name: busybox02
+            image: corp.img.io/busybox:1.35
+          restartPolicy: OnFailure

other-cel/advanced-restrict-image-registries/.chainsaw-test/podcontroller-good.yaml

@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+  name: gooddeploy01
+  namespace: imageregistries-ns01
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      initContainers:
+      - name: busybox01-init
+        image: img.corp.com/busybox:1.35
+      - name: busybox02-init
+        image: ghcr.io/busybox:1.35
+      containers:
+      - name: busybox01
+        image: ghcr.io/busybox:1.35
+      - name: busybox02
+        image: img.corp.com/busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: goodcronjob01
+  namespace: imageregistries-ns02
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          initContainers:
+          - name: busybox01-init
+            image: docker.io/busybox:1.35
+          - name: busybox02-init
+            image: ghcr.io/busybox:1.35
+          containers:
+          - name: busybox01
+            image: ghcr.io/busybox:1.35
+          - name: busybox02
+            image: docker.io/busybox:1.35
+          restartPolicy: OnFailure

other-cel/advanced-restrict-image-registries/.chainsaw-test/policy-ready.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: advanced-restrict-image-registries
+status:
+  ready: true

other-cel/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml

@@ -0,0 +1,51 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: advanced-restrict-image-registries
+  annotations:
+    policies.kyverno.io/title: Advanced Restrict Image Registries in CEL expressions
+    policies.kyverno.io/category: Other in CEL 
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.11.0
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      In instances where a ClusterPolicy defines all the approved image registries
+      is insufficient, more granular control may be needed to set permitted registries,
+      especially in multi-tenant use cases where some registries may be based on
+      the Namespace. This policy shows an advanced version of the Restrict Image Registries
+      policy which gets a global approved registry from a ConfigMap and, based upon an
+      annotation at the Namespace level, gets the registry approved for that Namespace.
+spec:
+  validationFailureAction: Audit
+  background: false
+  rules:
+    - name: validate-corp-registries
+      match:
+        any:
+        - resources:
+            kinds:
+            - Pod
+      validate:
+        cel:
+          paramKind: 
+            apiVersion: v1
+            kind: ConfigMap
+          paramRef: 
+            name: clusterregistries
+            namespace: default
+            parameterNotFoundAction: Deny
+          variables:
+            - name: allContainers
+              expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
+            - name: nsregistries
+              expression: >-
+                (has(namespaceObject.metadata.annotations) && 'corp.com/allowed-registries' in namespaceObject.metadata.annotations) ?
+                namespaceObject.metadata.annotations['corp.com/allowed-registries'] : ' '
+            - name: clusterregistries
+              expression: "'registries' in params.data ? params.data['registries'] : ' '"
+          expressions:
+            - expression: "variables.allContainers.all(container, container.image.startsWith(variables.nsregistries) || container.image.startsWith(variables.clusterregistries))"
+              message: This Pod names an image that is not from an approved registry.
+

other-cel/advanced-restrict-image-registries/artifacthub-pkg.yml

@@ -0,0 +1,24 @@
+name: advanced-restrict-image-registries-cel
+version: 1.0.0
+displayName: Advanced Restrict Image Registries in CEL expressions
+description: >-
+  In instances where a ClusterPolicy defines all the approved image registries is insufficient, more granular control may be needed to set permitted registries, especially in multi-tenant use cases where some registries may be based on the Namespace. This policy shows an advanced version of the Restrict Image Registries policy which gets a global approved registry from a ConfigMap and, based upon an annotation at the Namespace level, gets the registry approved for that Namespace.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml
+  ```
+keywords:
+  - kyverno
+  - Other
+  - CEL Expressions
+readme: |
+  In instances where a ClusterPolicy defines all the approved image registries is insufficient, more granular control may be needed to set permitted registries, especially in multi-tenant use cases where some registries may be based on the Namespace. This policy shows an advanced version of the Restrict Image Registries policy which gets a global approved registry from a ConfigMap and, based upon an annotation at the Namespace level, gets the registry approved for that Namespace.
+
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Other in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
+  kyverno/subject: "Pod"
+digest: 53c660479027b9a7292871024ae9bcec7509e114553837b4027e29830d76ae04
+createdAt: "2024-04-21T11:03:06Z"
+