From 0f9ada167ae7347e7f6db4b64ce4c0d827211fa6 Mon Sep 17 00:00:00 2001
From: peefy
Date: Tue, 5 Dec 2023 16:41:58 +0800
Subject: [PATCH] feat: publish more modules
Signed-off-by: peefy
---
add-privileged-existing-namespaces/README.md | 7 +++++++
add-privileged-existing-namespaces/kcl.mod | 4 ++++
add-privileged-existing-namespaces/main.k | 8 ++++++++
deny-privileged-profile/README.md | 7 +++++++
deny-privileged-profile/kcl.mod | 4 ++++
deny-privileged-profile/main.k | 10 ++++++++++
psp-restrict-adding-capabilities/README.md | 7 +++++++
psp-restrict-adding-capabilities/kcl.mod | 5 +++++
psp-restrict-adding-capabilities/kcl.mod.lock | 1 +
psp-restrict-adding-capabilities/main.k | 19 +++++++++++++++++++
.../README.md | 7 +++++++
.../kcl.mod | 4 ++++
.../main.k | 15 +++++++++++++++
.../README.md | 4 +++-
.../kcl.mod | 2 +-
15 files changed, 102 insertions(+), 2 deletions(-)
create mode 100644 add-privileged-existing-namespaces/README.md
create mode 100644 add-privileged-existing-namespaces/kcl.mod
create mode 100644 add-privileged-existing-namespaces/main.k
create mode 100644 deny-privileged-profile/README.md
create mode 100644 deny-privileged-profile/kcl.mod
create mode 100644 deny-privileged-profile/main.k
create mode 100644 psp-restrict-adding-capabilities/README.md
create mode 100644 psp-restrict-adding-capabilities/kcl.mod
create mode 100644 psp-restrict-adding-capabilities/kcl.mod.lock
create mode 100644 psp-restrict-adding-capabilities/main.k
create mode 100644 svc-require-encryption-aws-load-balancers/README.md
create mode 100644 svc-require-encryption-aws-load-balancers/kcl.mod
create mode 100644 svc-require-encryption-aws-load-balancers/main.k
diff --git a/add-privileged-existing-namespaces/README.md b/add-privileged-existing-namespaces/README.md
new file mode 100644
index 00000000..fed160a7
--- /dev/null
+++ b/add-privileged-existing-namespaces/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`add-privileged-existing-namespaces` is a KCL mutation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/add-privileged-existing-namespaces)
diff --git a/add-privileged-existing-namespaces/kcl.mod b/add-privileged-existing-namespaces/kcl.mod
new file mode 100644
index 00000000..1caaba55
--- /dev/null
+++ b/add-privileged-existing-namespaces/kcl.mod
@@ -0,0 +1,4 @@
+[package]
+name = "add-privileged-existing-namespaces"
+version = "0.1.0"
+description = "`add-privileged-existing-namespaces` is a KCL mutation module"
diff --git a/add-privileged-existing-namespaces/main.k b/add-privileged-existing-namespaces/main.k
new file mode 100644
index 00000000..9d4e51fd
--- /dev/null
+++ b/add-privileged-existing-namespaces/main.k
@@ -0,0 +1,8 @@
+params = option("params") or {}
+names: [str] = params.names or []
+items = [item | {
+ if item.kind == "Namespace" and item.metadata.name != "kube-system":
+ metadata.labels: {
+ "pod-security.kubernetes.io/enforce": "privileged"
+ }
+} for item in option("items") or []]
diff --git a/deny-privileged-profile/README.md b/deny-privileged-profile/README.md
new file mode 100644
index 00000000..ae03ff03
--- /dev/null
+++ b/deny-privileged-profile/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`deny-privileged-profile` is a KCL validation package
+
+## Resource
+
+The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/deny-privileged-profile)
diff --git a/deny-privileged-profile/kcl.mod b/deny-privileged-profile/kcl.mod
new file mode 100644
index 00000000..b1bad21b
--- /dev/null
+++ b/deny-privileged-profile/kcl.mod
@@ -0,0 +1,4 @@
+[package]
+name = "deny-privileged-profile"
+version = "0.1.1"
+description = "`deny-privileged-profile` is a KCL validation package"
diff --git a/deny-privileged-profile/main.k b/deny-privileged-profile/main.k
new file mode 100644
index 00000000..39726798
--- /dev/null
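Review bot: In add-privileged-existing-namespaces/main.k, `names` is read from `params.names` on the second line but never used, so the mutation stamps `pod-security.kubernetes.io/enforce: privileged` on every Namespace except kube-system that is passed in — effectively opting all of them out of baseline/restricted Pod Security enforcement, not only the ones the caller listed. If the list is meant to scope the change, add it to the condition: `if item.kind == "Namespace" and item.metadata.name != "kube-system" and item.metadata.name in names:`; if the module really is meant to label every Namespace, drop the `names` line and say so in the README so the unused parameter does not mislead operators. A one-line comment above `items` such as `# Label the selected Namespaces with the privileged PSA profile, i.e. no Pod Security restrictions are enforced there` would make the effect of this mutation visible to a reader of the module.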
+++ b/deny-privileged-profile/main.k
@@ -0,0 +1,10 @@
+
+# Define the validation function
+validate = lambda item {
+ if item.kind == "Namespace":
+ assert item.metadata?.labels?["pod-security.kubernetes.io/enforce"] != "privileged", "Only cluster-admins may create Namespaces that allow setting the privileged level."
+ item
+}
+
+# Validate All resource
+items = [validate(i) for i in option("items") or []]
diff --git a/psp-restrict-adding-capabilities/README.md b/psp-restrict-adding-capabilities/README.md
new file mode 100644
index 00000000..0c825785
--- /dev/null
+++ b/psp-restrict-adding-capabilities/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`psp-restrict-adding-capabilities` is a KCL PSP validation package.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/psp-restrict-adding-capabilities)
diff --git a/psp-restrict-adding-capabilities/kcl.mod b/psp-restrict-adding-capabilities/kcl.mod
new file mode 100644
index 00000000..871d1911
--- /dev/null
+++ b/psp-restrict-adding-capabilities/kcl.mod
@@ -0,0 +1,5 @@
+[package]
+name = "psp-restrict-adding-capabilities"
+version = "0.0.1"
+description = "`psp-restrict-adding-capabilities` is a kcl validation package"
+
diff --git a/psp-restrict-adding-capabilities/kcl.mod.lock b/psp-restrict-adding-capabilities/kcl.mod.lock
new file mode 100644
index 00000000..3e7608b4
--- /dev/null
+++ b/psp-restrict-adding-capabilities/kcl.mod.lock
@@ -0,0 +1 @@
+ยท
\ No newline at end of file
diff --git a/psp-restrict-adding-capabilities/main.k b/psp-restrict-adding-capabilities/main.k
new file mode 100644
index 00000000..ed42d290
--- /dev/null
+++ b/psp-restrict-adding-capabilities/main.k
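Review bot: The assertion message in deny-privileged-profile/main.k, `Only cluster-admins may create Namespaces that allow setting the privileged level.`, promises an exemption the module does not implement: validate rejects every Namespace carrying `pod-security.kubernetes.io/enforce: privileged` regardless of who submits it, because no subject or role information is consulted anywhere in the hunk. Either reword the message to what the code actually checks, e.g. `Namespaces must not set pod-security.kubernetes.io/enforce to privileged.`, or add a comment above `validate` stating that any role-based exemption has to be applied by the caller before the items are handed to this module. The hunk also opens with an empty line, whereas the sibling modules start directly with the comment.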
@@ -0,0 +1,19 @@
+schema Params:
+ capabilities: [str] = ["NET_BIND_SERVICE", "CAP_CHOWN"]
+
+params: Params = option("params") or Params {}
+
+# Define the validation function
+validate = lambda item: {str:} {
+ if item.kind == "Pod":
+ containers = (item.spec.containers or []) + (item.spec.phemeralContainers or []) + (item.spec.initContainers or [])
+ assert all c in containers {
+ all c in c.securityContext.capabilities.add {
+ c not in params.capabilities
+ }
+ }, "Any capabilities added other than ${params.capabilities} are disallowed."
+ # Return the resource
+ item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]
diff --git a/svc-require-encryption-aws-load-balancers/README.md b/svc-require-encryption-aws-load-balancers/README.md
new file mode 100644
index 00000000..638f703a
--- /dev/null
+++ b/svc-require-encryption-aws-load-balancers/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`svc-require-encryption-aws-load-balancers` is a KCL validation package
+
+## Resource
+
+The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/svc-require-encryption-aws-load-balancers)
diff --git a/svc-require-encryption-aws-load-balancers/kcl.mod b/svc-require-encryption-aws-load-balancers/kcl.mod
new file mode 100644
index 00000000..892dd6bd
--- /dev/null
+++ b/svc-require-encryption-aws-load-balancers/kcl.mod
@@ -0,0 +1,4 @@
+[package]
+name = "svc-require-encryption-aws-load-balancers"
+version = "0.1.1"
+description = "`svc-require-encryption-aws-load-balancers` is a KCL validation package"
diff --git a/svc-require-encryption-aws-load-balancers/main.k b/svc-require-encryption-aws-load-balancers/main.k
new file mode 100644
index 00000000..40be5150
--- /dev/null
+++ b/svc-require-encryption-aws-load-balancers/main.k
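Review bot: The quantifier in psp-restrict-adding-capabilities/main.k is inverted: `c not in params.capabilities` holds for every added capability that is NOT in the allow list, so a container adding a capability outside `["NET_BIND_SERVICE", "CAP_CHOWN"]` is accepted while one adding NET_BIND_SERVICE is rejected — the opposite of what the message "Any capabilities added other than ... are disallowed" and the module name describe; the inner condition must be `cap in params.capabilities`. In the same block `item.spec.phemeralContainers` is a typo for `ephemeralContainers`, so ephemeral containers are never checked at all, and `c.securityContext.capabilities.add` has no `?.`/`or []` guard, so a container without a securityContext or without an `add` list presumably errors rather than passing (the sibling modules use `?.` for exactly this). The inner loop also reuses the name `c`, hiding the container variable; renaming it avoids the confusion. Whether the final `item` sits inside the `if` body or at lambda level is not recoverable from the collapsed hunk; it needs to be at lambda level so non-Pod resources are returned unchanged, as in the other modules.
```kcl
validate = lambda item: {str:} {
    if item.kind == "Pod":
        # ephemeral containers were previously skipped because of the field-name typo
        containers = (item.spec.containers or []) + (item.spec.ephemeralContainers or []) + (item.spec.initContainers or [])
        # Every added capability of every container must be on the allow list.
        assert all c in containers {
            all cap in (c.securityContext?.capabilities?.add or []) {
                cap in params.capabilities
            }
        }, "Any capabilities added other than ${params.capabilities} are disallowed."
    # Return the resource unchanged for every kind
    item
}
```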
@@ -0,0 +1,15 @@
+"""Services of type LoadBalancer when deployed inside AWS have support for
+transport encryption if it is enabled via an annotation. This policy requires
+that Services of type LoadBalancer contain the annotation
+service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
+"""
+
+# Define the validation function
+validate = lambda item {
+ if item.kind == "Service":
+ assert item.metadata?.annotation?["service.beta.kubernetes.io/aws-load-balancer-ssl-cert"] if item?.spec?.type == "LoadBalancer", "Service of type LoadBalancer must carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert."
+ item
+}
+
+# Validate All resource
+items = [validate(i) for i in option("items")]
diff --git a/svc-require-encryption-aws-loadbalancers/README.md b/svc-require-encryption-aws-loadbalancers/README.md
index fc88ceaf..62886e5e 100644
--- a/svc-require-encryption-aws-loadbalancers/README.md
+++ b/svc-require-encryption-aws-loadbalancers/README.md
@@ -1,5 +1,7 @@
 ## Introduction
+`svc-require-encryption-aws-loadbalancers` is a kcl validation package
+
 ## Resource
-The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/svc-require-encryption-aws-loadbalancers)
+The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/svc-require-encryption-aws-loadbalancers)
diff --git a/svc-require-encryption-aws-loadbalancers/kcl.mod b/svc-require-encryption-aws-loadbalancers/kcl.mod
index 357fb4af..ae791750 100644
--- a/svc-require-encryption-aws-loadbalancers/kcl.mod
+++ b/svc-require-encryption-aws-loadbalancers/kcl.mod
@@ -1,4 +1,4 @@
 [package]
 name = "svc-require-encryption-aws-loadbalancers"
-version = "0.1.0"
+version = "0.1.1"
 description = "`svc-require-encryption-aws-loadbalancers` is a kcl validation package"
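Review bot: The assert line in svc-require-encryption-aws-load-balancers/main.k reads `item.metadata?.annotation?[...]`, a field Kubernetes objects do not have — the map is `metadata.annotations` — so the lookup is always undefined and every Service of type LoadBalancer is rejected, including ones that already carry the ssl-cert annotation; change it to `item.metadata?.annotations?["service.beta.kubernetes.io/aws-load-balancer-ssl-cert"]`. The last line iterates `option("items")` without the `or []` fallback the other modules use, so an invocation with no items presumably fails on a None instead of yielding an empty list: `items = [validate(i) for i in option("items") or []]`. Note also that this package duplicates the existing `svc-require-encryption-aws-loadbalancers` module (bumped later in this same patch) under a slightly different name; two copies of one policy will drift, and the typo here is already a divergence.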