
Host networking constraint template does not respect exempt images #374

Closed g-psantos closed 10 months ago

g-psantos commented 1 year ago

The Host Networking Ports Constraint Template allows for a list of container images to be exempted from enforcement. However, the template fails to respect exempted images when checking whether the pod itself has hostNetwork: true.

This can be fixed by updating the template so that the first `input_share_hostnetwork` rule does not match when every container image in the pod is found in the list of exempted images:

package k8spsphostnetworkingports

import data.lib.exempt_container.is_exempt
import future.keywords.every

# Emit one violation when the reviewed pod shares host networking or any
# non-exempt container publishes a hostPort outside the configured range.
violation[{"msg": msg, "details": {}}] {
    obj := input.review.object
    input_share_hostnetwork(obj)
    msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [obj.metadata.name, input.parameters])
}

# Pod-level hostNetwork is a violation unless the constraint allows
# hostNetwork, or every container (regular, init and ephemeral) runs an
# exempt image. Note that a fully exempt pod therefore bypasses the
# hostNetwork check itself, not only the hostPort range check.
input_share_hostnetwork(o) {
    o.spec.hostNetwork
    not input.parameters.hostNetwork
    not all_containers_exempt
}

# A non-exempt container publishes a hostPort below the allowed minimum.
input_share_hostnetwork(o) {
    some i, j
    port := input_containers[i].ports[j].hostPort
    input.parameters.min > port
}

# A non-exempt container publishes a hostPort above the allowed maximum.
input_share_hostnetwork(o) {
    some i, j
    port := input_containers[i].ports[j].hostPort
    input.parameters.max < port
}

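# True only when the pod has at least one container and every container
# (regular, init and ephemeral) runs an image on the exempt list.
# The count guard matters: `every` over an empty set is vacuously true, so
# without it an object whose spec carries no containers would count as fully
# exempt and its hostNetwork setting would never be checked.
# Because a fully exempt pod skips the pod-level hostNetwork check, the
# exempt-image list effectively grants host networking, not just hostPorts.
all_containers_exempt {
    count(_input_containers) > 0
    every c in _input_containers { is_exempt(c) }
}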

# Containers subject to the hostPort range check: every container of the
# pod whose image is not on the exempt list.
input_containers[c] {
    _input_containers[c]
    not is_exempt(c)
}

# Regular containers of the reviewed object.
_input_containers[c] {
    some i
    c := input.review.object.spec.containers[i]
}

# Init containers of the reviewed object.
_input_containers[c] {
    some i
    c := input.review.object.spec.initContainers[i]
}

# Ephemeral (debug) containers of the reviewed object; these can also
# publish hostPorts and run non-exempt images, so they are checked too.
_input_containers[c] {
    some i
    c := input.review.object.spec.ephemeralContainers[i]
}
stale[bot] commented 1 year ago

This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] commented 11 months ago

This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.