kcl-lang · Peefy · Dec 5, 2023 · Dec 5, 2023
diff --git a/add-privileged-existing-namespaces/README.md b/add-privileged-existing-namespaces/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`add-privileged-existing-namespaces` is a KCL mutation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/add-privileged-existing-namespaces)
diff --git a/add-privileged-existing-namespaces/kcl.mod b/add-privileged-existing-namespaces/kcl.mod
@@ -0,0 +1,4 @@
+[package]
+name = "add-privileged-existing-namespaces"
+version = "0.1.0"
+description = "`add-privileged-existing-namespaces` is a KCL mutation module"
diff --git a/add-privileged-existing-namespaces/main.k b/add-privileged-existing-namespaces/main.k
@@ -0,0 +1,8 @@
+params = option("params") or {}
+names: [str] = params.names or []
+items = [item | {
+    if item.kind == "Namespace" and item.metadata.name != "kube-system":
+        metadata.labels: {
+            "pod-security.kubernetes.io/enforce": "privileged"
+        }
+} for item in option("items") or []]
diff --git a/deny-privileged-profile/README.md b/deny-privileged-profile/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`deny-privileged-profile` is a KCL validation package
+
+## Resource
+
+The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/deny-privileged-profile)
diff --git a/deny-privileged-profile/kcl.mod b/deny-privileged-profile/kcl.mod
@@ -0,0 +1,4 @@
+[package]
+name = "deny-privileged-profile"
+version = "0.1.1"
+description = "`deny-privileged-profile` is a KCL validation package"
diff --git a/deny-privileged-profile/main.k b/deny-privileged-profile/main.k
@@ -0,0 +1,10 @@
+
+# Define the validation function
+validate = lambda item {
+    if item.kind == "Namespace":
+        assert item.metadata?.labels?["pod-security.kubernetes.io/enforce"] != "privileged", "Only cluster-admins may create Namespaces that allow setting the privileged level."
+    item
+}
+
+# Validate All resource
+items = [validate(i) for i in option("items") or []]
diff --git a/psp-restrict-adding-capabilities/README.md b/psp-restrict-adding-capabilities/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`psp-restrict-adding-capabilities` is a KCL PSP validation package. 
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/psp-restrict-adding-capabilities)
diff --git a/psp-restrict-adding-capabilities/kcl.mod b/psp-restrict-adding-capabilities/kcl.mod
@@ -0,0 +1,5 @@
+[package]
+name = "psp-restrict-adding-capabilities"
+version = "0.0.1"
+description = "`psp-restrict-adding-capabilities` is a kcl validation package"
+
diff --git a/psp-restrict-adding-capabilities/kcl.mod.lock b/psp-restrict-adding-capabilities/kcl.mod.lock
@@ -0,0 +1 @@
+·
diff --git a/psp-restrict-adding-capabilities/main.k b/psp-restrict-adding-capabilities/main.k
@@ -0,0 +1,19 @@
+schema Params:
+    capabilities: [str] = ["NET_BIND_SERVICE", "CAP_CHOWN"]
+
+params: Params = option("params") or Params {}
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item.kind == "Pod":
+        containers = (item.spec.containers or []) + (item.spec.phemeralContainers or []) + (item.spec.initContainers or [])
+        assert all c in containers {
+            all c in c.securityContext.capabilities.add {
+                c not in params.capabilities
+            }
+        }, "Any capabilities added other than ${params.capabilities} are disallowed."
+    # Return the resource
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]
diff --git a/svc-require-encryption-aws-load-balancers/README.md b/svc-require-encryption-aws-load-balancers/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`svc-require-encryption-aws-load-balancers` is a KCL validation package
+
+## Resource
+
+The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/svc-require-encryption-aws-load-balancers)
diff --git a/svc-require-encryption-aws-load-balancers/kcl.mod b/svc-require-encryption-aws-load-balancers/kcl.mod
@@ -0,0 +1,4 @@
+[package]
+name = "svc-require-encryption-aws-load-balancers"
+version = "0.1.1"
+description = "`svc-require-encryption-aws-load-balancers` is a KCL validation package"
diff --git a/svc-require-encryption-aws-load-balancers/main.k b/svc-require-encryption-aws-load-balancers/main.k
@@ -0,0 +1,15 @@
+"""Services of type LoadBalancer when deployed inside AWS have support for
+transport encryption if it is enabled via an annotation. This policy requires
+that Services of type LoadBalancer contain the annotation
+service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
+"""
+
+# Define the validation function
+validate = lambda item {
+    if item.kind == "Service":
+        assert item.metadata?.annotation?["service.beta.kubernetes.io/aws-load-balancer-ssl-cert"] if item?.spec?.type == "LoadBalancer", "Service of type LoadBalancer must carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert."
+    item
+}
+
+# Validate All resource
+items = [validate(i) for i in option("items")]
diff --git a/svc-require-encryption-aws-loadbalancers/README.md b/svc-require-encryption-aws-loadbalancers/README.md
@@ -1,5 +1,7 @@
 ## Introduction
 
+`svc-require-encryption-aws-loadbalancers` is a kcl validation package
+
 ## Resource
 
-The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/svc-require-encryption-aws-loadbalancers)
+The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/svc-require-encryption-aws-loadbalancers)
diff --git a/svc-require-encryption-aws-loadbalancers/kcl.mod b/svc-require-encryption-aws-loadbalancers/kcl.mod
@@ -1,4 +1,4 @@
 [package]
 name = "svc-require-encryption-aws-loadbalancers"
-version = "0.1.0"
+version = "0.1.1"
 description = "`svc-require-encryption-aws-loadbalancers` is a kcl validation package"