Skip to content

Add CEL code for PSP Policies in library #541

Open
Open
Add CEL code for PSP Policies in library#541
#547 (+9)
Assignees
sozercanritazhmaxsmytheJaydipGabani
@JaydipGabani

Description

@JaydipGabani
JaydipGabani
opened on Jun 3, 2024

To-Do list for each policy:

  • Add src.cel file for the policy under src/pod-security-policy/<name>/

  • Modify constraint.tmpl to add CEL engine and move rego under rego engine

  targets:
    - target: admission.k8s.gatekeeper.sh
      code: 
      - engine: K8sNativeValidation
        source:
{{ file.Read "src/pod-security-policy/<name>/src.cel" | strings.Indent 10 | strings.TrimSuffix "\n" }}
      - engine: Rego
        source:
          rego: |
{{ file.Read "src/pod-security-policy/<name>/src.rego" | strings.Indent 12 | strings.TrimSuffix "\n" }}
          libs:
            - |
{{ file.Read "src/pod-security-policy/<name>/lib_exempt_container.rego" | strings.Indent 14 | strings.TrimSuffix "\n" }}
  • Bump minor version on constraint.tmpl by updating metadata.gatekeeper.sh/version annotation.
  • Run make generate-all to generate all relavent files
  • Run make verify-gator-dockerized POLICY_ENGINE=cel && make verify-gator-dockerized POLICY_ENGINE=rego to test changes in local

PSP Policies list to track migration

  • validation/allow-privilege-escalation
  • validation/apparmor
  • validation/capabilities
  • validation/flexvolume-drivers
  • validation/forbidden-sysctls
  • validation/fsgroup
  • validation/host-filesystem
  • validation/host-namespaces
  • validation/host-network-ports
  • validation/privileged-containers
  • validation/proc-mount
  • validation/read-only-root-filesystem
  • validation/seccomp
  • validation/selinux
  • validation/users
  • validation/volumes

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions