Add CEL code for PSP Policies in library #541

Closed
5 of 21 tasks
JaydipGabani opened this issue Jun 3, 2024 · 0 comments · Fixed by #535, #503, #542, #543 or #544
JaydipGabani commented Jun 3, 2024

To-Do list for each policy:

  • Add src.cel file for the policy under src/pod-security-policy/<name>/

  • Modify constraint.tmpl to add the CEL engine and move the Rego under the Rego engine:

  targets:
    - target: admission.k8s.gatekeeper.sh
      code: 
      - engine: K8sNativeValidation
        source:
{{ file.Read "src/pod-security-policy/<name>/src.cel" | strings.Indent 10 | strings.TrimSuffix "\n" }}
      - engine: Rego
        source:
          rego: |
{{ file.Read "src/pod-security-policy/<name>/src.rego" | strings.Indent 12 | strings.TrimSuffix "\n" }}
          libs:
            - |
{{ file.Read "src/pod-security-policy/<name>/lib_exempt_container.rego" | strings.Indent 14 | strings.TrimSuffix "\n" }}
  • Bump the minor version on constraint.tmpl by updating the metadata.gatekeeper.sh/version annotation.

  • Run make generate-all to generate all relevant files.

  • Run make verify-gator-dockerized POLICY_ENGINE=cel && make verify-gator-dockerized POLICY_ENGINE=rego to test the changes locally.

PSP Policies list to track migration

  • validation/allow-privilege-escalation
  • validation/apparmor
  • validation/capabilities
  • validation/flexvolume-drivers
  • validation/forbidden-sysctls
  • validation/fsgroup
  • validation/host-filesystem
  • validation/host-namespaces
  • validation/host-network-ports
  • validation/privileged-containers
  • validation/proc-mount
  • validation/read-only-root-filesystem
  • validation/seccomp
  • validation/selinux
  • validation/users
  • validation/volumes
JaydipGabani added a commit to JaydipGabani/gatekeeper-library that referenced this issue Jun 3, 2024
Fixes open-policy-agent#541

Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
@JaydipGabani JaydipGabani reopened this Jun 5, 2024
JaydipGabani added a commit that referenced this issue Jun 5, 2024
Fixes #541

Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
@JaydipGabani JaydipGabani reopened this Jun 5, 2024
@sozercan sozercan reopened this Aug 13, 2024