Comments (6)
JimBugwadia
commented on August 14, 2024
1
Hi @lavishpal - lets keep this as tracking issue, as there are many policies to update.
Can you select one of the sub-tasks instead?
#1090
#1091
#1092
#1093
#1094
#1095
#1096
#1097
#1098
#1099
#1100
from policies.
Chandan-DK
commented on August 14, 2024
cc @JimBugwadia @MariamFahmy98
from policies.
JimBugwadia
commented on August 14, 2024
So, using these techniques we can simply a policy like this:
validate:
cel:
expressions:
- expression: >-
(
(
has(object.spec.securityContext) &&
has(object.spec.securityContext.runAsNonRoot) &&
object.spec.securityContext.runAsNonRoot == true
) && (
(
object.spec.containers +
(has(object.spec.initContainers) ? object.spec.initContainers : []) +
(has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : [])
).all(container,
!has(container.securityContext) ||
!has(container.securityContext.runAsNonRoot) ||
container.securityContext.runAsNonRoot == true)
)
) || (
(
object.spec.containers +
(has(object.spec.initContainers) ? object.spec.initContainers : []) +
(has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : [])
).all(container,
has(container.securityContext) &&
has(container.securityContext.runAsNonRoot) &&
container.securityContext.runAsNonRoot == true)
)
to:
validate:
cel:
variables:
- name: ctnrs
expression: >-
object.spec.containers +
(has(object.spec.initContainers) ? object.spec.initContainers : []) +
(has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : [])
expressions:
- expression: >-
(object.spec.?securityContext.?runAsNonRoot.orValue(false) == true
&& variables.ctnrs.all(c, c.?securityContext.?runAsNonRoot.orValue(true) == true))
|| variables.ctnrs.all(c, c.?securityContext.?runAsNonRoot.orValue(false) == true)from policies.
Chandan-DK
commented on August 14, 2024
Here are some more examples of simplifying CEL expressions in policies using optionals:
Example 1
has(object.metadata.annotations) && 'pod.kubernetes.io/lifetime' in object.metadata.annotations
Can be written as
object.metadata.?annotations[?'pod.kubernetes.io/lifetime'].orValue(false)
Example 2
(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))
Can be written as:
object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])
Example 3
has(object.spec.template.metadata) && has(object.spec.template.metadata.labels) && 'foo' in object.spec.template.metadata.labels
Can be written as:
object.spec.template.?metadata.?labels.?foo.hasValue()
Example 4
has(object.metadata.labels) && 'corp.org/version' in object.metadata.labels && object.metadata.labels['corp.org/version'].matches('^v[0-9].[0-9].[0-9]$')
Can be written as:
object.metadata.?labels[?'corp.org/version'].orValue('default').matches('^v[0-9].[0-9].[0-9]$')
Example 5
!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.secret))
Can be written as:
object.spec.?volumes.orValue([]).all(volume, !has(volume.secret))
from policies.
lavishpal
commented on August 14, 2024
Hi @JimBugwadia , Could you assign this issue to me, it will be helpful if you provide guidance on how to get started?
from policies.
lavishpal
commented on August 14, 2024
@Chandan-DK , @JimBugwadia Can I raise the pr for all .
from policies.
Related Issues (20)
- [Enhancement]: Replace enforce/audit (deprecated) with Enforce/Audit on sample policies HOT 1
- [Bug] ClusterPolicy with PolicyException does not apply on subsequent updates
- Block Large Images
- [Sample] Mount volumes for ephemeral containers HOT 1
- disallow-capabilities: simplify CEL expressions
- disallow-host-namespaces: simplify CEL expressions
- disallow-host-path: simplify CEL expressions
- disallow-host-ports: simplify CEL expressions
- disallow-host-ports-range: simplify CEL expressions
- disallow-host-process: simplify CEL expressions
- disallow-privileged-containers: simplify CEL expressions HOT 3
- disallow-proc-mount: simplify CEL expressions HOT 2
- disallow-selinux: simplify CEL expressions
- restrict-seccomp: simplify CEL expressions
- restrict-sysctls: simplify CEL expressions
- All tested images to be stored in Kyverno org HOT 2
- Custom message not working in podSecurity subrule policy HOT 2
- [Bug] Generating network policy for existing namespace fails. As well as data template synchronization. HOT 3
- Refresh Environment Variables in Pods HOT 4
- [Bug] Kyverno verifyimage policy does'nt working correctly HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from policies.