From a06cbd95df9917e0aa08d13176f1ff29d956bead Mon Sep 17 00:00:00 2001
From: epasham
Date: Thu, 26 Sep 2024 06:34:16 +0000
Subject: [PATCH 1/2] fix for issue 1166

Signed-off-by: epasham
---
 .../.chainsaw-test/good-pod.yaml | 18 ++++++++-
 .../artifacthub-pkg.yml | 2 +-
 .../require-drop-cap-net-raw.yaml | 37 ++++++++++---------
 3 files changed, 37 insertions(+), 20 deletions(-)

diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
index 45be727bd..3133e2a27 100644
--- a/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
+++ b/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
@@ -22,4 +22,20 @@ spec:
 securityContext:
 capabilities:
 drop:
- CAP_NET_RAW
\ No newline at end of file
+ - CAP_NET_RAW
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: drop-netraw-good
+spec:
+ containers:
+ - args:
+ - sleep
+ - infinity
+ image: ghcr.io/kyverno/test-busybox:1.35
+ name: busybox
+ securityContext:
+ capabilities:
+ drop:
+ - NET_RAW
diff --git a/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml b/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml
index 3057417f0..469c8b22c 100644
--- a/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml
+++ b/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
 annotations:
 kyverno/category: "Best Practices"
 kyverno/subject: "Pod"
-digest: 97e963f073e6324fa514015bc8fd8564b93fb7da6f8564fcf8a8fefc4c9da784
+digest: 594b30a84f36a2b46b723a4110d843f6099d7e7c17c82b70a91942c7081bb901
diff --git a/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml b/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
index 68e92d525..80e3c955f 100644
--- a/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
+++ b/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
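Review bot: The new good-pod document only exercises `spec.containers`, while the policy's foreach list also walks `initContainers` and `ephemeralContainers`, so the plain `NET_RAW` spelling this fix adds is never tested on those container types. A third document with an initContainer that drops `NET_RAW` and a main container that drops `CAP_NET_RAW` would cover both spellings across the list the policy iterates (ephemeral containers cannot be set in a pod manifest, so initContainers is the practical extra case). Because the file is multi-document YAML, each document needs a distinct `metadata.name`; the first document's name is above the hunk, so I cannot confirm it differs from `drop-netraw-good`.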
@@ -3,9 +3,10 @@ kind: ClusterPolicy
 metadata:
 name: drop-cap-net-raw
 annotations:
- policies.kyverno.io/title: Drop CAP_NET_RAW
- policies.kyverno.io/category: Best Practices
- policies.kyverno.io/minversion: 1.6.0
+ policies.kyverno.io/title: Drop CAP_NET_RAW in CEL expressions
+ policies.kyverno.io/category: Best Practices in CEL
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Pod
 policies.kyverno.io/description: >-
@@ -25,19 +26,19 @@ spec:
 - resources:
 kinds:
 - Pod
- preconditions:
- all:
- - key: "{{ request.operation || 'BACKGROUND' }}"
- operator: NotEquals
- value: DELETE
+ operations:
+ - CREATE
+ - UPDATE
 validate:
- message: >-
- Containers must drop the `CAP_NET_RAW` capability.
- foreach:
- - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
- deny:
- conditions:
- all:
- - key: CAP_NET_RAW
- operator: AnyNotIn
- value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
\ No newline at end of file
+ cel:
+ variables:
+ - name: mustDropCapabilities
+ expression: "['CAP_NET_RAW','NET_RAW']"
+ - name: allContainers
+ expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
+ expressions:
+ - expression: >-
+ variables.allContainers.all(container,
+ container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() in variables.mustDropCapabilities))
+ message: >-
+ Containers must drop the `CAP_NET_RAW` capability.

From 88b31a75d39ef3212e450c2e8e59f7ff86e97cd9 Mon Sep 17 00:00:00 2001
From: epasham
Date: Fri, 27 Sep 2024 12:55:32 +0000
Subject: [PATCH 2/2] closes bug 1166

Signed-off-by: epasham
---
 .../artifacthub-pkg.yml | 2 +-
 .../require-drop-cap-net-raw.yaml | 40 ++++++++++---------
 2 files changed, 22 insertions(+), 20 deletions(-)
diff --git a/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml b/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml
index 469c8b22c..f3ee429f1 100644
--- a/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml
+++ b/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
 annotations:
 kyverno/category: "Best Practices"
 kyverno/subject: "Pod"
-digest: 594b30a84f36a2b46b723a4110d843f6099d7e7c17c82b70a91942c7081bb901
+digest: 357011bf6ef0268a0ca1b248e0c7a59fc42e7f2017d02838c85711c329130676
diff --git a/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml b/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
index 80e3c955f..c6615b546 100644
--- a/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
+++ b/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
@@ -3,10 +3,9 @@ kind: ClusterPolicy
 metadata:
 name: drop-cap-net-raw
 annotations:
- policies.kyverno.io/title: Drop CAP_NET_RAW in CEL expressions
- policies.kyverno.io/category: Best Practices in CEL
- policies.kyverno.io/minversion: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/title: Drop CAP_NET_RAW
+ policies.kyverno.io/category: Best Practices
+ policies.kyverno.io/minversion: 1.6.0
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Pod
 policies.kyverno.io/description: >-
@@ -26,19 +25,22 @@ spec:
 - resources:
 kinds:
 - Pod
- operations:
- - CREATE
- - UPDATE
+ preconditions:
+ all:
+ - key: "{{ request.operation || 'BACKGROUND' }}"
+ operator: NotEquals
+ value: DELETE
 validate:
- cel:
- variables:
- - name: mustDropCapabilities
- expression: "['CAP_NET_RAW','NET_RAW']"
- - name: allContainers
- expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
- expressions:
- - expression: >-
- variables.allContainers.all(container,
- container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() in variables.mustDropCapabilities))
- message: >-
- Containers must drop the `CAP_NET_RAW` capability.
+ message: >-
+ Containers must drop the `CAP_NET_RAW` capability.
+ foreach:
+ - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
+ deny:
+ conditions:
+ all:
+ - key: CAP_NET_RAW
+ operator: AnyNotIn
+ value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
+ - key: NET_RAW
+ operator: AnyNotIn
+ value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
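Review bot: The restored deny conditions inspect only `capabilities.drop`, so a container that lists `NET_RAW` under both `drop` and `add` is accepted even though the runtime applies adds after drops (the ordering the restricted PSS profile's `drop: [ALL]` / `add: [NET_BIND_SERVICE]` pattern relies on) and the capability is therefore kept — an explicit add should be treated as a violation. Conversely, a container with `drop: [ALL]`, which does remove NET_RAW, is denied because neither `CAP_NET_RAW` nor `NET_RAW` appears literally in its drop list, so the policy rejects the most hardened configuration. Both can be fixed by switching the deny conditions from `all` to `any` with list-valued keys: deny when none of `CAP_NET_RAW`/`NET_RAW`/`ALL` is dropped, or when either spelling is added (this relies on `AllNotIn`/`AnyIn` having Kyverno's documented list semantics, which is worth confirming against the `minversion` the annotations still claim). The rewritten `deny` block is below; the `foreach` list, `message` and the rule's `match`/`preconditions` (which begin above this hunk) are unchanged.
```yaml
      foreach:
      # … unchanged: list of ephemeralContainers, initContainers, containers …
        deny:
          conditions:
            any:
            # none of the spellings that remove NET_RAW is dropped
            - key: [CAP_NET_RAW, NET_RAW, ALL]
              operator: AllNotIn
              value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
            # an explicit add re-grants the capability after any drop
            - key: [CAP_NET_RAW, NET_RAW]
              operator: AnyIn
              value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
```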