Merge pull request #81 from XenitAB/ephemeral_container

Latest gatekeeper lib with ephemeral containers and removal of duplicate lib

.github/workflows/opa.yaml

@@ -43,7 +43,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout
-      uses: actions/checkout@v1
-    - name: Run OPA tests
-      uses: b4b4r07/action-opa@master
+      - name: Checkout
+        uses: actions/checkout@v1
+      - name: Run OPA tests
+        uses: b4b4r07/action-opa@master

charts/gatekeeper-library-constraints/generated/constraint-defaults.yaml

@@ -26,14 +26,6 @@ k8spodpriorityclass:
     kinds:
       - apiGroups: [""]
         kinds: ["Pod"]
-k8srequiredannotations:
-  match:
-    kinds:
-      - apiGroups: [""]
-        kinds: [""]
-  parameters:
-    message: "Resource does not contain the required annotation"
-    annotations: []
 k8srequireingressclass:
   match:
     kinds:
@@ -84,6 +76,11 @@ k8scontainerratios:
     kinds:
       - apiGroups: [""]
         kinds: ["Pod"]
+k8srequiredresources:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
 k8sdisallowanonymous:
   match:
     kinds:

charts/gatekeeper-library-templates/generated/k8sallowedrepos.yaml

@@ -38,3 +38,10 @@ spec:
           not any(satisfied)
           msg := sprintf("initContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
         }
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.ephemeralContainers[_]
+          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+          not any(satisfied)
+          msg := sprintf("ephemeralContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+        }

charts/gatekeeper-library-templates/generated/k8scontainerlimits.yaml

@@ -172,6 +172,8 @@ spec:
           general_violation[{"msg": msg, "field": "initContainers"}]
         }
 
+        # Ephemeral containers not checked as it is not possible to set field.
+
         general_violation[{"msg": msg, "field": field}] {
           container := input.review.object.spec[field][_]
           not is_exempt(container)

charts/gatekeeper-library-templates/generated/k8scontainerratios.yaml

@@ -182,6 +182,8 @@ spec:
           general_violation[{"msg": msg, "field": "initContainers"}]
         }
 
+        # Ephemeral containers not checked as it is not possible to set field.
+
         general_violation[{"msg": msg, "field": field}] {
           container := input.review.object.spec[field][_]
           not is_exempt(container)

charts/gatekeeper-library-templates/generated/k8scontainerrequests.yaml

@@ -172,6 +172,8 @@ spec:
           general_violation[{"msg": msg, "field": "initContainers"}]
         }
 
+        # Ephemeral containers not checked as it is not possible to set field.
+
         general_violation[{"msg": msg, "field": field}] {
           container := input.review.object.spec[field][_]
           not is_exempt(container)

charts/gatekeeper-library-templates/generated/k8sdisallowedtags.yaml

@@ -61,6 +61,9 @@ spec:
         input_containers[c] {
             c := input.review.object.spec.initContainers[_]
         }
+        input_containers[c] {
+            c := input.review.object.spec.ephemeralContainers[_]
+        }
       libs:
         - |
           package lib.exempt_container

charts/gatekeeper-library-templates/generated/k8simagedigests.yaml

@@ -52,6 +52,14 @@ spec:
           not all(satisfied)
           msg := sprintf("initContainer <%v> uses an image without a digest <%v>", [container.name, container.image])
         }
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.ephemeralContainers[_]
+          not is_exempt(container)
+          satisfied := [re_match("@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+", container.image)]
+          not all(satisfied)
+          msg := sprintf("ephemeralContainer <%v> uses an image without a digest <%v>", [container.name, container.image])
+        }
       libs:
         - |
           package lib.exempt_container

charts/gatekeeper-library-templates/generated/k8spspallowedusers.yaml

@@ -254,6 +254,9 @@ spec:
         input_containers[c] {
           c := input.review.object.spec.initContainers[_]
         }
+        input_containers[c] {
+            c := input.review.object.spec.ephemeralContainers[_]
+        }
       libs:
         - |
           package lib.exempt_container

charts/gatekeeper-library-templates/generated/k8spspallowprivilegeescalationcontainer.yaml

@@ -58,6 +58,9 @@ spec:
         input_containers[c] {
             c := input.review.object.spec.initContainers[_]
         }
+        input_containers[c] {
+            c := input.review.object.spec.ephemeralContainers[_]
+        }
         # has_field returns whether an object has a field
         has_field(object, field) = true {
             object[field]

charts/gatekeeper-library-templates/generated/k8spspapparmor.yaml

@@ -63,6 +63,9 @@ spec:
         input_containers[c] {
             c := input.review.object.spec.initContainers[_]
         }
+        input_containers[c] {
+            c := input.review.object.spec.ephemeralContainers[_]
+        }
 
         get_annotation_for(container, metadata) = out {
             out = metadata.annotations[sprintf("container.apparmor.security.beta.kubernetes.io/%v", [container.name])]

charts/gatekeeper-library-templates/generated/k8spspautomountserviceaccounttokenpod.yaml

@@ -45,6 +45,8 @@ spec:
             c := input.review.object.spec.initContainers[_]
         }
 
+        # Ephemeral containers not checked as it is not possible to set field.
+
         has_key(x, k) {
             _ = x[k]
         }

charts/gatekeeper-library-templates/generated/k8spspcapabilities.yaml

@@ -81,6 +81,22 @@ spec:
         }
 
 
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.ephemeralContainers[_]
+          not is_exempt(container)
+          has_disallowed_capabilities(container)
+          msg := sprintf("ephemeral container <%v> has a disallowed capability. Allowed capabilities are %v", [container.name, get_default(input.parameters, "allowedCapabilities", "NONE")])
+        }
+
+        violation[{"msg": msg}] {
+          container := input.review.object.spec.ephemeralContainers[_]
+          not is_exempt(container)
+          missing_drop_capabilities(container)
+          msg := sprintf("ephemeral container <%v> is not dropping all required capabilities. Container must drop all of %v or \"ALL\"", [container.name, input.parameters.requiredDropCapabilities])
+        }
+
+
         has_disallowed_capabilities(container) {
           allowed := {c | c := lower(input.parameters.allowedCapabilities[_])}
           not allowed["*"]

charts/gatekeeper-library-templates/generated/k8spsphostfilesystem.yaml

@@ -128,3 +128,7 @@ spec:
         input_containers[c] {
             c := input.review.object.spec.initContainers[_]
         }
+
+        input_containers[c] {
+            c := input.review.object.spec.ephemeralContainers[_]
+        }

charts/gatekeeper-library-templates/generated/k8spsphostnetworkingports.yaml

@@ -78,6 +78,11 @@ spec:
             c := input.review.object.spec.initContainers[_]
             not is_exempt(c)
         }
+
+        input_containers[c] {
+            c := input.review.object.spec.ephemeralContainers[_]
+            not is_exempt(c)
+        }
       libs:
         - |
           package lib.exempt_container

charts/gatekeeper-library-templates/generated/k8spspprivilegedcontainer.yaml

@@ -53,6 +53,10 @@ spec:
         input_containers[c] {
             c := input.review.object.spec.initContainers[_]
         }
+
+        input_containers[c] {
+            c := input.review.object.spec.ephemeralContainers[_]
+        }
       libs:
         - |
           package lib.exempt_container

charts/gatekeeper-library-templates/generated/k8spspprocmount.yaml

@@ -74,6 +74,10 @@ spec:
             c := input.review.object.spec.initContainers[_]
             c.securityContext.procMount
         }
+        input_containers[c] {
+            c := input.review.object.spec.ephemeralContainers[_]
+            c.securityContext.procMount
+        }
 
         get_allowed_proc_mount(arg) = out {
             not arg.parameters

charts/gatekeeper-library-templates/generated/k8spspreadonlyrootfilesystem.yaml

@@ -60,6 +60,9 @@ spec:
         input_containers[c] {
             c := input.review.object.spec.initContainers[_]
         }
+        input_containers[c] {
+            c := input.review.object.spec.ephemeralContainers[_]
+        }
 
         # has_field returns whether an object has a field
         has_field(object, field) = true {

charts/gatekeeper-library-templates/generated/k8spspseccomp.yaml

@@ -252,6 +252,10 @@ spec:
         input_containers[container.name] = container {
             container := input.review.object.spec.initContainers[_]
         }
+
+        input_containers[container.name] = container {
+            container := input.review.object.spec.ephemeralContainers[_]
+        }
       libs:
         - |
           package lib.exempt_container

charts/gatekeeper-library-templates/generated/k8spspselinuxv2.yaml

@@ -97,6 +97,10 @@ spec:
             c := input.review.object.spec.initContainers[_]
             has_field(c.securityContext, "seLinuxOptions")
         }
+        input_security_context[c] {
+            c := input.review.object.spec.ephemeralContainers[_]
+            has_field(c.securityContext, "seLinuxOptions")
+        }
 
         # has_field returns whether an object has a field
         has_field(object, field) = true {