[gatekeeper-library] sync lib

charts/gatekeeper-library/Chart.yaml

@@ -3,8 +3,8 @@ name: gatekeeper-library
 description: A Helm chart for Kubernetes
 icon: https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/website/static/img/logo.svg
 type: application
-version: 0.1.4
-appVersion: 0d95b7608c2ca835ba0418bd1199c3d8f6c9c6e1
+version: 0.2.0
+appVersion: 0b4836a00d7f6ab6a82fa3943e0f48eb07216293
 sources:
   - https://github.com/jouve/charts
   - https://github.com/open-policy-agent/gatekeeper-library

charts/gatekeeper-library/kustomization.yaml

@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- github.com/open-policy-agent/gatekeeper-library/library?ref=0d95b7608c2ca835ba0418bd1199c3d8f6c9c6e1
+- github.com/open-policy-agent/gatekeeper-library/library?ref=0b4836a00d7f6ab6a82fa3943e0f48eb07216293

charts/gatekeeper-library/templates/k8sallowedrepos.yaml

@@ -4,7 +4,7 @@ metadata:
   annotations:
     description: Requires container images to begin with a string from the specified list.
     metadata.gatekeeper.sh/title: Allowed Repositories
-    metadata.gatekeeper.sh/version: 1.0.0
+    metadata.gatekeeper.sh/version: 1.0.1
   name: k8sallowedrepos
 spec:
   crd:
@@ -26,22 +26,19 @@ spec:
 
         violation[{"msg": msg}] {
           container := input.review.object.spec.containers[_]
-          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
-          not any(satisfied)
+          not strings.any_prefix_match(container.image, input.parameters.repos)
           msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
         }
 
         violation[{"msg": msg}] {
           container := input.review.object.spec.initContainers[_]
-          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
-          not any(satisfied)
+          not strings.any_prefix_match(container.image, input.parameters.repos)
           msg := sprintf("initContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
         }
 
         violation[{"msg": msg}] {
           container := input.review.object.spec.ephemeralContainers[_]
-          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
-          not any(satisfied)
+          not strings.any_prefix_match(container.image, input.parameters.repos)
           msg := sprintf("ephemeralContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
         }
       target: admission.k8s.gatekeeper.sh

charts/gatekeeper-library/templates/k8scontainerephemeralstoragelimit.yaml

@@ -6,7 +6,7 @@ metadata:
       Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values.
       https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
     metadata.gatekeeper.sh/title: Container ephemeral storage limit
-    metadata.gatekeeper.sh/version: 1.0.1
+    metadata.gatekeeper.sh/version: 1.0.2
   name: k8scontainerephemeralstoragelimit
 spec:
   crd:
@@ -166,7 +166,7 @@ spec:
           not is_number(orig)
           suffix := get_suffix(orig)
           raw := replace(orig, suffix, "")
-          re_match("^[0-9]+(\\.[0-9]+)?$", raw)
+          regex.match("^[0-9]+(\\.[0-9]+)?$", raw)
           new := to_number(raw) * storage_multiple(suffix)
         }
 

charts/gatekeeper-library/templates/k8scontainerlimits.yaml

@@ -6,7 +6,7 @@ metadata:
       Requires containers to have memory and CPU limits set and constrains limits to be within the specified maximum values.
       https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
     metadata.gatekeeper.sh/title: Container Limits
-    metadata.gatekeeper.sh/version: 1.0.0
+    metadata.gatekeeper.sh/version: 1.0.1
   name: k8scontainerlimits
 spec:
   crd:
@@ -79,7 +79,7 @@ spec:
         canonify_cpu(orig) = new {
           not is_number(orig)
           not endswith(orig, "m")
-          re_match("^[0-9]+(\\.[0-9]+)?$", orig)
+          regex.match("^[0-9]+(\\.[0-9]+)?$", orig)
           new := to_number(orig) * 1000
         }
 
@@ -176,7 +176,7 @@ spec:
           not is_number(orig)
           suffix := get_suffix(orig)
           raw := replace(orig, suffix, "")
-          re_match("^[0-9]+(\\.[0-9]+)?$", raw)
+          regex.match("^[0-9]+(\\.[0-9]+)?$", raw)
           new := to_number(raw) * mem_multiple(suffix)
         }
 

charts/gatekeeper-library/templates/k8scontainerratios.yaml

@@ -6,7 +6,7 @@ metadata:
       Sets a maximum ratio for container resource limits to requests.
       https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
     metadata.gatekeeper.sh/title: Container Ratios
-    metadata.gatekeeper.sh/version: 1.0.0
+    metadata.gatekeeper.sh/version: 1.0.1
   name: k8scontainerratios
 spec:
   crd:
@@ -79,14 +79,14 @@ spec:
         canonify_cpu(orig) = new {
           not is_number(orig)
           not endswith(orig, "m")
-          re_match("^[0-9]+$", orig)
+          regex.match("^[0-9]+$", orig)
           new := to_number(orig) * 1000
         }
 
         canonify_cpu(orig) = new {
           not is_number(orig)
           not endswith(orig, "m")
-          re_match("^[0-9]+[.][0-9]+$", orig)
+          regex.match("^[0-9]+[.][0-9]+$", orig)
           new := to_number(orig) * 1000
         }
 
@@ -183,7 +183,7 @@ spec:
           not is_number(orig)
           suffix := get_suffix(orig)
           raw := replace(orig, suffix, "")
-          re_match("^[0-9]+(\\.[0-9]+)?$", raw)
+          regex.match("^[0-9]+(\\.[0-9]+)?$", raw)
           new := to_number(raw) * mem_multiple(suffix)
         }
 

charts/gatekeeper-library/templates/k8scontainerrequests.yaml

@@ -6,7 +6,7 @@ metadata:
       Requires containers to have memory and CPU requests set and constrains requests to be within the specified maximum values.
       https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
     metadata.gatekeeper.sh/title: Container Requests
-    metadata.gatekeeper.sh/version: 1.0.0
+    metadata.gatekeeper.sh/version: 1.0.1
   name: k8scontainerrequests
 spec:
   crd:
@@ -79,7 +79,7 @@ spec:
         canonify_cpu(orig) = new {
           not is_number(orig)
           not endswith(orig, "m")
-          re_match("^[0-9]+(\\.[0-9]+)?$", orig)
+          regex.match("^[0-9]+(\\.[0-9]+)?$", orig)
           new := to_number(orig) * 1000
         }
 
@@ -176,7 +176,7 @@ spec:
           not is_number(orig)
           suffix := get_suffix(orig)
           raw := replace(orig, suffix, "")
-          re_match("^[0-9]+(\\.[0-9]+)?$", raw)
+          regex.match("^[0-9]+(\\.[0-9]+)?$", raw)
           new := to_number(raw) * mem_multiple(suffix)
         }
 

charts/gatekeeper-library/templates/k8sdisallowedtags.yaml

@@ -6,7 +6,7 @@ metadata:
       Requires container images to have an image tag different from the ones in the specified list.
       https://kubernetes.io/docs/concepts/containers/images/#image-names
     metadata.gatekeeper.sh/title: Disallow tags
-    metadata.gatekeeper.sh/version: 1.0.0
+    metadata.gatekeeper.sh/version: 1.0.1
   name: k8sdisallowedtags
 spec:
   crd:
@@ -57,16 +57,15 @@ spec:
         violation[{"msg": msg}] {
             container := input_containers[_]
             not is_exempt(container)
-            tags := [forbid | tag = input.parameters.tags[_] ; forbid = endswith(container.image, concat(":", ["", tag]))]
-            any(tags)
+            tags := [tag_with_prefix | tag := input.parameters.tags[_]; tag_with_prefix := concat(":", ["", tag])]
+            strings.any_suffix_match(container.image, tags)
             msg := sprintf("container <%v> uses a disallowed tag <%v>; disallowed tags are %v", [container.name, container.image, input.parameters.tags])
         }
 
         violation[{"msg": msg}] {
             container := input_containers[_]
             not is_exempt(container)
-            tag := [contains(container.image, ":")]
-            not all(tag)
+            not contains(container.image, ":")
             msg := sprintf("container <%v> didn't specify an image tag <%v>", [container.name, container.image])
         }
 

charts/gatekeeper-library/templates/k8sdisallowinteractivetty.yaml

@@ -0,0 +1,81 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  annotations:
+    description: Requires that objects have the fields `spec.tty` and `spec.stdin` set to false or unset.
+    metadata.gatekeeper.sh/title: Disallow Interactive TTY Containers
+    metadata.gatekeeper.sh/version: 1.0.0
+  name: k8sdisallowinteractivetty
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sDisallowInteractiveTTY
+      validation:
+        openAPIV3Schema:
+          description: Controls use of fields related to gaining an interactive session. Corresponds to the `tty` and `stdin` fields in the Pod `spec.containers`, `spec.ephemeralContainers`, and `spec.initContainers`.
+          properties:
+            exemptImages:
+              description: |-
+                Any container that uses an image that matches an entry in this list will be excluded from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+                It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository.
+              items:
+                type: string
+              type: array
+          type: object
+  targets:
+    - libs:
+        - |
+          package lib.exempt_container
+
+          is_exempt(container) {
+              exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+              img := container.image
+              exemption := exempt_images[_]
+              _matches_exemption(img, exemption)
+          }
+
+          _matches_exemption(img, exemption) {
+              not endswith(exemption, "*")
+              exemption == img
+          }
+
+          _matches_exemption(img, exemption) {
+              endswith(exemption, "*")
+              prefix := trim_suffix(exemption, "*")
+              startswith(img, prefix)
+          }
+      rego: |
+        package k8sdisallowinteractivetty
+
+        import data.lib.exempt_container.is_exempt
+
+        violation[{"msg": msg, "details": {}}] {
+            c := input_containers[_]
+            not is_exempt(c)
+            input_allow_interactive_fields(c)
+            msg := sprintf("Containers using tty or stdin (%v) are not allowed running image: %v", [c.name, c.image])
+        }
+
+        input_allow_interactive_fields(c) {
+            has_field(c, "stdin")
+            not c.stdin == false
+        }
+        input_allow_interactive_fields(c) {
+            has_field(c, "tty")
+            not c.tty == false
+        }
+        input_containers[c] {
+            c := input.review.object.spec.containers[_]
+        }
+        input_containers[c] {
+            c := input.review.object.spec.ephemeralContainers[_]
+        }
+        input_containers[c] {
+            c := input.review.object.spec.initContainers[_]
+        }
+        # has_field returns whether an object has a field
+        has_field(object, field) = true {
+            object[field]
+        }
+      target: admission.k8s.gatekeeper.sh

charts/gatekeeper-library/templates/k8shttpsonly.yaml

@@ -6,7 +6,7 @@ metadata:
       Requires Ingress resources to be HTTPS only.  Ingress resources must include the `kubernetes.io/ingress.allow-http` annotation, set to `false`. By default a valid TLS {} configuration is required, this can be made optional by setting the `tlsOptional` parameter to `true`.
       https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
     metadata.gatekeeper.sh/title: HTTPS Only
-    metadata.gatekeeper.sh/version: 1.0.1
+    metadata.gatekeeper.sh/version: 1.0.2
   name: k8shttpsonly
 spec:
   crd:
@@ -27,19 +27,19 @@ spec:
 
         violation[{"msg": msg}] {
           input.review.object.kind == "Ingress"
-          re_match("^(extensions|networking.k8s.io)/", input.review.object.apiVersion)
+          regex.match("^(extensions|networking.k8s.io)/", input.review.object.apiVersion)
           ingress := input.review.object
           not https_complete(ingress)
-          not tls_is_optional(ingress)
+          not tls_is_optional
           msg := sprintf("Ingress should be https. tls configuration and allow-http=false annotation are required for %v", [ingress.metadata.name])
         }
 
         violation[{"msg": msg}] {
           input.review.object.kind == "Ingress"
-          re_match("^(extensions|networking.k8s.io)/", input.review.object.apiVersion)
+          regex.match("^(extensions|networking.k8s.io)/", input.review.object.apiVersion)
           ingress := input.review.object
           not annotation_complete(ingress)
-          not tls_not_optional(ingress)
+          tls_is_optional
           msg := sprintf("Ingress should be https. The allow-http=false annotation is required for %v", [ingress.metadata.name])
         }
 
@@ -53,16 +53,8 @@ spec:
           ingress.metadata.annotations["kubernetes.io/ingress.allow-http"] == "false"
         }
 
-        tls_is_optional(ingress) = true {
+        tls_is_optional {
           parameters := object.get(input, "parameters", {})
-          tlsOptional := object.get(parameters, "tlsOptional", false)
-          is_boolean(tlsOptional)
-          true == tlsOptional
-        }
-
-        tls_not_optional(ingress) = true {
-          parameters := object.get(input, "parameters", {})
-          tlsOptional := object.get(parameters, "tlsOptional", false)
-          true != tlsOptional
+          object.get(parameters, "tlsOptional", false) == true
         }
       target: admission.k8s.gatekeeper.sh

charts/gatekeeper-library/templates/k8simagedigests.yaml

@@ -6,7 +6,7 @@ metadata:
       Requires container images to contain a digest.
       https://kubernetes.io/docs/concepts/containers/images/
     metadata.gatekeeper.sh/title: Image Digests
-    metadata.gatekeeper.sh/version: 1.0.0
+    metadata.gatekeeper.sh/version: 1.0.1
   name: k8simagedigests
 spec:
   crd:
@@ -57,24 +57,21 @@ spec:
         violation[{"msg": msg}] {
           container := input.review.object.spec.containers[_]
           not is_exempt(container)
-          satisfied := [re_match("@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+", container.image)]
-          not all(satisfied)
+          not regex.match("@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+", container.image)
           msg := sprintf("container <%v> uses an image without a digest <%v>", [container.name, container.image])
         }
 
         violation[{"msg": msg}] {
           container := input.review.object.spec.initContainers[_]
           not is_exempt(container)
-          satisfied := [re_match("@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+", container.image)]
-          not all(satisfied)
+          not regex.match("@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+", container.image)
           msg := sprintf("initContainer <%v> uses an image without a digest <%v>", [container.name, container.image])
         }
 
         violation[{"msg": msg}] {
           container := input.review.object.spec.ephemeralContainers[_]
           not is_exempt(container)
-          satisfied := [re_match("@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+", container.image)]
-          not all(satisfied)
+          not regex.match("@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+", container.image)
           msg := sprintf("ephemeralContainer <%v> uses an image without a digest <%v>", [container.name, container.image])
         }
       target: admission.k8s.gatekeeper.sh