-
Notifications
You must be signed in to change notification settings - Fork 17
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #36 from jouve/bump
Bump
- Loading branch information
Showing
47 changed files
with
886 additions
and
167 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,6 @@ | ||
dependencies: | ||
- name: common | ||
repository: oci://registry-1.docker.io/bitnamicharts | ||
version: 2.13.3 | ||
digest: sha256:6fbdc8a525f6f9f98ec4ac5d11b049993f2e5800fd2f44b3abb3b00b74936ee0 | ||
generated: "2023-11-19T11:36:15.598318595+01:00" | ||
version: 2.14.1 | ||
digest: sha256:f6cbb5e3d033290dcd0145c6c1bd13aa2e0813f9267c2f5559e5469ae705c520 | ||
generated: "2024-01-04T13:50:47.629934+01:00" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,6 @@ | ||
dependencies: | ||
- name: common | ||
repository: oci://registry-1.docker.io/bitnamicharts | ||
version: 2.13.3 | ||
digest: sha256:6fbdc8a525f6f9f98ec4ac5d11b049993f2e5800fd2f44b3abb3b00b74936ee0 | ||
generated: "2023-12-07T13:25:57.872831+01:00" | ||
version: 2.14.1 | ||
digest: sha256:f6cbb5e3d033290dcd0145c6c1bd13aa2e0813f9267c2f5559e5469ae705c520 | ||
generated: "2024-01-04T13:51:39.523897+01:00" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,6 @@ | ||
dependencies: | ||
- name: common | ||
repository: oci://registry-1.docker.io/bitnamicharts | ||
version: 2.13.3 | ||
digest: sha256:6fbdc8a525f6f9f98ec4ac5d11b049993f2e5800fd2f44b3abb3b00b74936ee0 | ||
generated: "2023-11-19T11:36:25.992337465+01:00" | ||
version: 2.14.1 | ||
digest: sha256:f6cbb5e3d033290dcd0145c6c1bd13aa2e0813f9267c2f5559e5469ae705c520 | ||
generated: "2024-01-04T13:50:58.953035+01:00" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
resources: | ||
- github.com/open-policy-agent/gatekeeper-library/library?ref=0d95b7608c2ca835ba0418bd1199c3d8f6c9c6e1 | ||
- github.com/open-policy-agent/gatekeeper-library/library?ref=0b4836a00d7f6ab6a82fa3943e0f48eb07216293 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
81 changes: 81 additions & 0 deletions
81
charts/gatekeeper-library/templates/k8sdisallowinteractivetty.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,81 @@ | ||
apiVersion: templates.gatekeeper.sh/v1 | ||
kind: ConstraintTemplate | ||
metadata: | ||
annotations: | ||
description: Requires that objects have the fields `spec.tty` and `spec.stdin` set to false or unset. | ||
metadata.gatekeeper.sh/title: Disallow Interactive TTY Containers | ||
metadata.gatekeeper.sh/version: 1.0.0 | ||
name: k8sdisallowinteractivetty | ||
spec: | ||
crd: | ||
spec: | ||
names: | ||
kind: K8sDisallowInteractiveTTY | ||
validation: | ||
openAPIV3Schema: | ||
description: Controls use of fields related to gaining an interactive session. Corresponds to the `tty` and `stdin` fields in the Pod `spec.containers`, `spec.ephemeralContainers`, and `spec.initContainers`. | ||
properties: | ||
exemptImages: | ||
description: |- | ||
Any container that uses an image that matches an entry in this list will be excluded from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`. | ||
It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository. | ||
items: | ||
type: string | ||
type: array | ||
type: object | ||
targets: | ||
- libs: | ||
- | | ||
package lib.exempt_container | ||
is_exempt(container) { | ||
exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) | ||
img := container.image | ||
exemption := exempt_images[_] | ||
_matches_exemption(img, exemption) | ||
} | ||
_matches_exemption(img, exemption) { | ||
not endswith(exemption, "*") | ||
exemption == img | ||
} | ||
_matches_exemption(img, exemption) { | ||
endswith(exemption, "*") | ||
prefix := trim_suffix(exemption, "*") | ||
startswith(img, prefix) | ||
} | ||
rego: | | ||
package k8sdisallowinteractivetty | ||
import data.lib.exempt_container.is_exempt | ||
violation[{"msg": msg, "details": {}}] { | ||
c := input_containers[_] | ||
not is_exempt(c) | ||
input_allow_interactive_fields(c) | ||
msg := sprintf("Containers using tty or stdin (%v) are not allowed running image: %v", [c.name, c.image]) | ||
} | ||
input_allow_interactive_fields(c) { | ||
has_field(c, "stdin") | ||
not c.stdin == false | ||
} | ||
input_allow_interactive_fields(c) { | ||
has_field(c, "tty") | ||
not c.tty == false | ||
} | ||
input_containers[c] { | ||
c := input.review.object.spec.containers[_] | ||
} | ||
input_containers[c] { | ||
c := input.review.object.spec.ephemeralContainers[_] | ||
} | ||
input_containers[c] { | ||
c := input.review.object.spec.initContainers[_] | ||
} | ||
# has_field returns whether an object has a field | ||
has_field(object, field) = true { | ||
object[field] | ||
} | ||
target: admission.k8s.gatekeeper.sh |
Oops, something went wrong.