XenitAB / gatekeeper-library

Collection of OPA Gatekeeper policies that can be used in your Kubernetes cluster.
MIT License

Add pathTests to container-drop-net-raw #65

Open NissesSenap opened 2 years ago

NissesSenap commented 2 years ago

Today the following YAML runs no matter what.

apiVersion: mutations.gatekeeper.sh/v1beta1
kind: Assign
metadata:
  name: container-drop-net-raw
spec:
  match:
    scope: Namespaced
    kinds:
      - apiGroups: ["*"]
        kinds: ["Pod"]
  applyTo:
    - groups: [""]
      versions: ["v1"]
      kinds: ["Pod"]
  location: "spec.containers[name:*].securityContext.capabilities.drop"
  parameters:
    assign:
      value:
        - NET_RAW

But what happens if the user provides an even better value, say all?

This could be written something like

apiVersion: mutations.gatekeeper.sh/v1beta1
kind: Assign
metadata:
  name: container-drop-net-raw
spec:
  match:
    scope: Namespaced
    kinds:
      - apiGroups: ["*"]
        kinds: ["Pod"]
  applyTo:
    - groups: [""]
      versions: ["v1"]
      kinds: ["Pod"]
  location: "spec.containers[name:*].securityContext.capabilities.drop"
  parameters:
    assign:
      value:
        - NET_RAW
    pathTests:
      - subPath: "spec.containers[name:*].securityContext.capabilities.drop[ALL]"
        condition: MustNotExist

I'm not sure how the array should look, but something like this.
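As an added illustration (not code from the gatekeeper-library repo or from the issue author), a small Python stand-in for the Assign mutation run over three constructed Pods, showing the risk behind the issue: Assign sets the field at `location` to `value`, so a container that already drops ALL ends up with only NET_RAW unless the mutation is guarded. The guard is modelled as "skip a container whose drop list already contains ALL", which is an assumption about the intent of the proposed pathTest, not Gatekeeper's own path evaluation.

```python
# Added example: a simplified model of the Assign mutation from the issue,
# not Gatekeeper's engine. Path matching is reduced to plain dict access.
import copy

# Constructed sample Pods: no capabilities set, NET_RAW already dropped, ALL dropped.
SAMPLE_PODS = {
    "plain": {"spec": {"containers": [{"name": "app"}]}},
    "net-raw": {"spec": {"containers": [{"name": "app", "securityContext": {
        "capabilities": {"drop": ["NET_RAW"]}}}]}},
    "all": {"spec": {"containers": [{"name": "app", "securityContext": {
        "capabilities": {"drop": ["ALL"]}}}]}},
}


def drop_list(container):
    """Return the container's capabilities.drop list, or None when absent."""
    return container.get("securityContext", {}).get("capabilities", {}).get("drop")


def assign_drop(pod, value, must_not_contain=None):
    """Set capabilities.drop on every container to `value`, as Assign does.

    When `must_not_contain` is given, a container whose drop list already holds
    that entry is left untouched (assumed meaning of the MustNotExist pathTest).
    """
    pod = copy.deepcopy(pod)
    for container in pod["spec"]["containers"]:
        current = drop_list(container) or []
        if must_not_contain is not None and must_not_contain in current:
            continue  # keep the stronger setting the user already chose
        caps = container.setdefault("securityContext", {}).setdefault("capabilities", {})
        caps["drop"] = list(value)  # Assign overwrites, it does not append
    return pod


def resulting_drops(guarded):
    """Map each sample Pod name to its first container's drop list after mutation."""
    guard = "ALL" if guarded else None
    return {
        name: drop_list(assign_drop(pod, ["NET_RAW"], guard)["spec"]["containers"][0])
        for name, pod in SAMPLE_PODS.items()
    }
```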