diff --git a/psp-privileged-containers/README.md b/psp-privileged-containers/README.md
new file mode 100644
index 00000000..6ce7b1ef
--- /dev/null
+++ b/psp-privileged-containers/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`psp-privileged-containers` is a kcl PSP validation package.
+
+## Resource
+
+Code source and document is [here](https://github.com/kcl-lang/artifacthub/tree/main/psp-privileged-containers)
diff --git a/psp-privileged-containers/kcl.mod b/psp-privileged-containers/kcl.mod
new file mode 100644
index 00000000..77ae53a1
--- /dev/null
+++ b/psp-privileged-containers/kcl.mod
@@ -0,0 +1,5 @@
+[package]
+name = "psp-privileged-containers"
+version = "0.1.0"
+description = "`psp-privileged-containers` is a kcl validation package"
+
diff --git a/psp-privileged-containers/kcl.mod.lock b/psp-privileged-containers/kcl.mod.lock
new file mode 100644
index 00000000..e69de29b
diff --git a/psp-privileged-containers/main.k b/psp-privileged-containers/main.k
new file mode 100644
index 00000000..86f4a682
--- /dev/null
+++ b/psp-privileged-containers/main.k
@@ -0,0 +1,42 @@
+"""Controls the ability of any container to enable privileged mode.
+Corresponds to the `privileged` field in a PodSecurityPolicy. For more
+information, see
+https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
+"""
+
+schema Params:
+    exemptImages?: [str]
+
+params: Params = option("params")
+exemptImages: [str] = params?.exemptImages or []
+
+is_exempt = lambda image: str -> bool {
+    result = False
+    if exemptImages:
+        result = any exempt_image in exemptImages {
+            (image.startswith(exempt_image.removesuffix("*")) if exempt_image.endswith("*") else exempt_image == image)
+        }
+    result
+}
+
+violation = lambda container: {str:} {
+    msg = "only read-only root filesystem container is allowed: ${container.name}"
+    assert not container.securityContext?.privileged, msg
+    msg
+}
+
+# Define the validation function
+validate = lambda item: {str:} {
+    containers: [{str:}] = []
+    if item.kind == "Pod":
+        containers = (item.spec.containers or []) + (item.spec.initContainers or []) + (item.spec.ephemeralContainers or [])
+    elif item.kind == "Deployment":
+        containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.initContainers or []) + (item.spec.template.spec.ephemeralContainers or [])
+    if containers:
+        containers = [c for c in containers if not is_exempt(c.image)]
+        container_list_disallow = [c.name for c in containers if not violation(c)]
+    # Return the resource
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items")]
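Review bot: The message in `violation` belongs to a different policy — `"only read-only root filesystem container is allowed: ${container.name}"` is readOnlyRootFilesystem wording, so when the assert on `container.securityContext?.privileged` fires the operator is told the wrong reason; it should read `msg = "privileged container is not allowed: ${container.name}"`. In `validate`, `container_list_disallow` is assigned but never read, and because `violation` returns the non-empty `msg`, `not violation(c)` is always false, so the only effective check is the assert inside the comprehension; that deserves a comment such as `# violation() asserts on privileged containers; the list itself is discarded`. Only `Pod` and `Deployment` kinds are inspected, so a StatefulSet, DaemonSet, Job or CronJob passes with `containers` left empty, which looks unintended for a PodSecurityPolicy replacement and should at least be stated in the module docstring if deliberate.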