diff --git a/examples/container-deny-added-caps/template.yaml b/examples/container-deny-added-caps/template.yaml index 1e020faa..38a38106 100755 --- a/examples/container-deny-added-caps/template.yaml +++ b/examples/container-deny-added-caps/template.yaml @@ -13,18 +13,20 @@ spec: - |- package lib.core + import future.keywords.if + default is_gatekeeper := false - is_gatekeeper { + is_gatekeeper if { has_field(input, "review") has_field(input.review, "object") } - resource := input.review.object { + resource := input.review.object if { is_gatekeeper } - resource := input { + resource := input if { not is_gatekeeper } 
@@ -47,74 +49,79 @@ spec: gv := split(apiVersion, "/") - group := gv[0] { + group := gv[0] if { contains(apiVersion, "/") } - group := "core" { + group := "core" if { not contains(apiVersion, "/") } version := gv[count(gv) - 1] - has_field(obj, field) { + has_field(obj, field) if { not object.get(obj, field, "N_DEFINED") == "N_DEFINED" } - missing_field(obj, field) { + missing_field(obj, field) if { obj[field] == "" } - missing_field(obj, field) { + missing_field(obj, field) if { not has_field(obj, field) } - |- package lib.pods + import future.keywords.contains + import future.keywords.if + import data.lib.core default pod := false - pod := core.resource.spec.template { + pod := core.resource.spec.template if { pod_templates := ["daemonset", "deployment", "job", "replicaset", "replicationcontroller", "statefulset"] lower(core.kind) == pod_templates[_] } - pod := core.resource { + pod := core.resource if { lower(core.kind) == "pod" } - pod := core.resource.spec.jobTemplate.spec.template { + pod := core.resource.spec.jobTemplate.spec.template if { lower(core.kind) == "cronjob" } - containers[container] { + containers contains container if { keys := {"containers", "initContainers"} all_containers := [c | some k; keys[k]; c = pod.spec[k][_]] container := all_containers[_] } - volumes[pod.spec.volumes[_]] + volumes contains pod.spec.volumes[_] - |- package lib.security - dropped_capability(container, cap) { + import future.keywords.if + + dropped_capability(container, cap) if { lower(container.securityContext.capabilities.drop[_]) == lower(cap) } - dropped_capability(psp, cap) { + dropped_capability(psp, cap) if { lower(psp.spec.requiredDropCapabilities[_]) == lower(cap) } - added_capability(container, cap) { + added_capability(container, cap) if { lower(container.securityContext.capabilities.add[_]) == lower(cap) } - added_capability(psp, cap) { + added_capability(psp, cap) if { lower(psp.spec.allowedCapabilities[_]) == lower(cap) } - added_capability(psp, cap) { + 
added_capability(psp, cap) if { lower(psp.spec.defaultAddCapabilities[_]) == lower(cap) } rego: |- diff --git a/examples/container-deny-escalation/template.yaml b/examples/container-deny-escalation/template.yaml index 9c85f1dd..bda188d8 100755 --- a/examples/container-deny-escalation/template.yaml +++ b/examples/container-deny-escalation/template.yaml @@ -13,18 +13,20 @@ spec: - |- package lib.core + import future.keywords.if + default is_gatekeeper := false - is_gatekeeper { + is_gatekeeper if { has_field(input, "review") has_field(input.review, "object") } - resource := input.review.object { + resource := input.review.object if { is_gatekeeper } - resource := input { + resource := input if { not is_gatekeeper } 
@@ -47,54 +49,57 @@ spec: gv := split(apiVersion, "/") - group := gv[0] { + group := gv[0] if { contains(apiVersion, "/") } - group := "core" { + group := "core" if { not contains(apiVersion, "/") } version := gv[count(gv) - 1] - has_field(obj, field) { + has_field(obj, field) if { not object.get(obj, field, "N_DEFINED") == "N_DEFINED" } - missing_field(obj, field) { + missing_field(obj, field) if { obj[field] == "" } - missing_field(obj, field) { + missing_field(obj, field) if { not has_field(obj, field) } - |- package lib.pods + import future.keywords.contains + import future.keywords.if + import data.lib.core default pod := false - pod := core.resource.spec.template { + pod := core.resource.spec.template if { pod_templates := ["daemonset", "deployment", "job", "replicaset", "replicationcontroller", "statefulset"] lower(core.kind) == pod_templates[_] } - pod := core.resource { + pod := core.resource if { lower(core.kind) == "pod" } - pod := core.resource.spec.jobTemplate.spec.template { + pod := core.resource.spec.jobTemplate.spec.template if { lower(core.kind) == "cronjob" } - containers[container] { + containers contains container if { keys := {"containers", "initContainers"} all_containers := [c | some k; keys[k]; c = pod.spec[k][_]] container := all_containers[_] } - volumes[pod.spec.volumes[_]] + volumes contains pod.spec.volumes[_] rego: |- package container_deny_escalation diff --git a/examples/container-deny-latest-tag/template.yaml b/examples/container-deny-latest-tag/template.yaml index f536b130..db49bbf9 100644 --- a/examples/container-deny-latest-tag/template.yaml +++ b/examples/container-deny-latest-tag/template.yaml 
@@ -13,18 +13,20 @@ spec: - |- package lib.core + import future.keywords.if + default is_gatekeeper := false - is_gatekeeper { + is_gatekeeper if { has_field(input, "review") has_field(input.review, "object") } - resource := input.review.object { + resource := input.review.object if { is_gatekeeper } - resource := input { + resource := input if { not is_gatekeeper } @@ -47,54 +49,57 @@ spec: gv := split(apiVersion, "/") - group := gv[0] { + group := gv[0] if { contains(apiVersion, "/") } - group := "core" { + group := "core" if { not contains(apiVersion, "/") } version := gv[count(gv) - 1] - has_field(obj, field) { + has_field(obj, field) if { not object.get(obj, field, "N_DEFINED") == "N_DEFINED" } - missing_field(obj, field) { + missing_field(obj, field) if { obj[field] == "" } - missing_field(obj, field) { + missing_field(obj, field) if { not has_field(obj, field) } - |- package lib.pods + import future.keywords.contains + import future.keywords.if + import data.lib.core default pod := false - pod := core.resource.spec.template { + pod := core.resource.spec.template if { pod_templates := ["daemonset", "deployment", "job", "replicaset", "replicationcontroller", "statefulset"] lower(core.kind) == pod_templates[_] } - pod := core.resource { + pod := core.resource if { lower(core.kind) == "pod" } - pod := core.resource.spec.jobTemplate.spec.template { + pod := core.resource.spec.jobTemplate.spec.template if { lower(core.kind) == "cronjob" } - containers[container] { + containers contains container if { keys := {"containers", "initContainers"} all_containers := [c | some k; keys[k]; c = pod.spec[k][_]] container := all_containers[_] } - volumes[pod.spec.volumes[_]] + volumes contains pod.spec.volumes[_] rego: |- package container_deny_latest_tag diff --git a/examples/container-deny-privileged-if-tenant/template.yaml b/examples/container-deny-privileged-if-tenant/template.yaml index d8a443c2..a372b110 100755 
--- a/examples/container-deny-privileged-if-tenant/template.yaml +++ b/examples/container-deny-privileged-if-tenant/template.yaml @@ -13,18 +13,20 @@ spec: - |- package lib.core + import future.keywords.if + default is_gatekeeper := false - is_gatekeeper { + is_gatekeeper if { has_field(input, "review") has_field(input.review, "object") } - resource := input.review.object { + resource := input.review.object if { is_gatekeeper } - resource := input { + resource := input if { not is_gatekeeper } 
@@ -47,74 +49,79 @@ spec: gv := split(apiVersion, "/") - group := gv[0] { + group := gv[0] if { contains(apiVersion, "/") } - group := "core" { + group := "core" if { not contains(apiVersion, "/") } version := gv[count(gv) - 1] - has_field(obj, field) { + has_field(obj, field) if { not object.get(obj, field, "N_DEFINED") == "N_DEFINED" } - missing_field(obj, field) { + missing_field(obj, field) if { obj[field] == "" } - missing_field(obj, field) { + missing_field(obj, field) if { not has_field(obj, field) } - |- package lib.pods + import future.keywords.contains + import future.keywords.if + import data.lib.core default pod := false - pod := core.resource.spec.template { + pod := core.resource.spec.template if { pod_templates := ["daemonset", "deployment", "job", "replicaset", "replicationcontroller", "statefulset"] lower(core.kind) == pod_templates[_] } - pod := core.resource { + pod := core.resource if { lower(core.kind) == "pod" } - pod := core.resource.spec.jobTemplate.spec.template { + pod := core.resource.spec.jobTemplate.spec.template if { lower(core.kind) == "cronjob" } - containers[container] { + containers contains container if { keys := {"containers", "initContainers"} all_containers := [c | some k; keys[k]; c = pod.spec[k][_]] container := all_containers[_] } - volumes[pod.spec.volumes[_]] + volumes contains pod.spec.volumes[_] - |- package lib.security - dropped_capability(container, cap) { + import future.keywords.if + + dropped_capability(container, cap) if { lower(container.securityContext.capabilities.drop[_]) == lower(cap) } - dropped_capability(psp, cap) { + dropped_capability(psp, cap) if { lower(psp.spec.requiredDropCapabilities[_]) == lower(cap) } - added_capability(container, cap) { + added_capability(container, cap) if { lower(container.securityContext.capabilities.add[_]) == lower(cap) } - added_capability(psp, cap) { + added_capability(psp, cap) if { lower(psp.spec.allowedCapabilities[_]) == lower(cap) } - added_capability(psp, cap) { + 
added_capability(psp, cap) if { lower(psp.spec.defaultAddCapabilities[_]) == lower(cap) } rego: |- diff --git a/examples/container-deny-privileged/template.yaml b/examples/container-deny-privileged/template.yaml index 4bce37db..0da15df6 100755 --- a/examples/container-deny-privileged/template.yaml +++ b/examples/container-deny-privileged/template.yaml @@ -13,18 +13,20 @@ spec: - |- package lib.core + import future.keywords.if + default is_gatekeeper := false - is_gatekeeper { + is_gatekeeper if { has_field(input, "review") has_field(input.review, "object") } - resource := input.review.object { + resource := input.review.object if { is_gatekeeper } - resource := input { + resource := input if { not is_gatekeeper } 
@@ -47,74 +49,79 @@ spec: gv := split(apiVersion, "/") - group := gv[0] { + group := gv[0] if { contains(apiVersion, "/") } - group := "core" { + group := "core" if { not contains(apiVersion, "/") } version := gv[count(gv) - 1] - has_field(obj, field) { + has_field(obj, field) if { not object.get(obj, field, "N_DEFINED") == "N_DEFINED" } - missing_field(obj, field) { + missing_field(obj, field) if { obj[field] == "" } - missing_field(obj, field) { + missing_field(obj, field) if { not has_field(obj, field) } - |- package lib.pods + import future.keywords.contains + import future.keywords.if + import data.lib.core default pod := false - pod := core.resource.spec.template { + pod := core.resource.spec.template if { pod_templates := ["daemonset", "deployment", "job", "replicaset", "replicationcontroller", "statefulset"] lower(core.kind) == pod_templates[_] } - pod := core.resource { + pod := core.resource if { lower(core.kind) == "pod" } - pod := core.resource.spec.jobTemplate.spec.template { + pod := core.resource.spec.jobTemplate.spec.template if { lower(core.kind) == "cronjob" } - containers[container] { + containers contains container if { keys := {"containers", "initContainers"} all_containers := [c | some k; keys[k]; c = pod.spec[k][_]] container := all_containers[_] } - volumes[pod.spec.volumes[_]] + volumes contains pod.spec.volumes[_] - |- package lib.security - dropped_capability(container, cap) { + import future.keywords.if + + dropped_capability(container, cap) if { lower(container.securityContext.capabilities.drop[_]) == lower(cap) } - dropped_capability(psp, cap) { + dropped_capability(psp, cap) if { lower(psp.spec.requiredDropCapabilities[_]) == lower(cap) } - added_capability(container, cap) { + added_capability(container, cap) if { lower(container.securityContext.capabilities.add[_]) == lower(cap) } - added_capability(psp, cap) { + added_capability(psp, cap) if { lower(psp.spec.allowedCapabilities[_]) == lower(cap) } - added_capability(psp, cap) { + 
added_capability(psp, cap) if { lower(psp.spec.defaultAddCapabilities[_]) == lower(cap) } rego: |- diff --git a/examples/container-deny-without-resource-constraints/template.yaml b/examples/container-deny-without-resource-constraints/template.yaml index 2c280cd0..66d0b407 100644 --- a/examples/container-deny-without-resource-constraints/template.yaml +++ b/examples/container-deny-without-resource-constraints/template.yaml @@ -13,18 +13,20 @@ spec: - |- package lib.core + import future.keywords.if + default is_gatekeeper := false - is_gatekeeper { + is_gatekeeper if { has_field(input, "review") has_field(input.review, "object") } - resource := input.review.object { + resource := input.review.object if { is_gatekeeper } - resource := input { + resource := input if { not is_gatekeeper } 
@@ -47,54 +49,57 @@ spec:
 gv := split(apiVersion, "/")
- group := gv[0] {
+ group := gv[0] if {
 contains(apiVersion, "/")
 }
- group := "core" {
+ group := "core" if {
 not contains(apiVersion, "/")
 }
 version := gv[count(gv) - 1]
- has_field(obj, field) {
+ has_field(obj, field) if {
 not object.get(obj, field, "N_DEFINED") == "N_DEFINED"
 }
- missing_field(obj, field) {
+ missing_field(obj, field) if {
 obj[field] == ""
 }
- missing_field(obj, field) {
+ missing_field(obj, field) if {
 not has_field(obj, field)
 }
 - |-
 package lib.pods
+ import future.keywords.contains
+ import future.keywords.if
+
 import data.lib.core
 default pod := false
- pod := core.resource.spec.template {
+ pod := core.resource.spec.template if {
 pod_templates := ["daemonset", "deployment", "job", "replicaset", "replicationcontroller", "statefulset"]
 lower(core.kind) == pod_templates[_]
 }
- pod := core.resource {
+ pod := core.resource if {
 lower(core.kind) == "pod"
 }
- pod := core.resource.spec.jobTemplate.spec.template {
+ pod := core.resource.spec.jobTemplate.spec.template if {
 lower(core.kind) == "cronjob"
 }
- containers[container] {
+ containers contains container if {
 keys := {"containers", "initContainers"}
 all_containers := [c | some k; keys[k]; c = pod.spec[k][_]]
 container := all_containers[_]
 }
- volumes[pod.spec.volumes[_]]
+ volumes contains pod.spec.volumes[_]
 rego: |-
 package container_deny_without_resource_constraints
diff --git a/examples/lib/core.rego b/examples/lib/core.rego
index fa8ac7e5..b61c5cb1 100644
--- a/examples/lib/core.rego
+++ b/examples/lib/core.rego
@@ -1,17 +1,19 @@
 package lib.core
+import future.keywords.if
+
 default is_gatekeeper := false
-is_gatekeeper {
+is_gatekeeper if {
 has_field(input, "review")
 has_field(input.review, "object")
 }
-resource := input.review.object {
+resource := input.review.object if {
 is_gatekeeper
 }
-resource := input {
+resource := input if {
 not is_gatekeeper
 }
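Review bot: The second `resource` rule, `resource := input if { not is_gatekeeper }`, silently makes the whole `input` the resource whenever `is_gatekeeper` is false, and nothing in the hunk says this is the conftest (raw manifest) path rather than an error case. In Gatekeeper mode an admission review that carries no `review.object` (presumably DELETE reviews, which only carry `oldObject` — verify against the Gatekeeper version in use) would take that fallback; `core.kind` would then be undefined and every kind-keyed violation rule would quietly not fire, i.e. the policy passes. Suggest a comment above `default is_gatekeeper := false`, e.g. `# Gatekeeper wraps the object in input.review.object; conftest passes the manifest as input. Any other shape falls through to the raw input and no kind-based rule will match it.` The same `lib.core` text is embedded in each `examples/*/template.yaml` section of this diff, which look like generated copies.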
@@ -34,24 +36,24 @@ annotations := resource.metadata.annotations
 gv := split(apiVersion, "/")
-group := gv[0] {
+group := gv[0] if {
 contains(apiVersion, "/")
 }
-group := "core" {
+group := "core" if {
 not contains(apiVersion, "/")
 }
 version := gv[count(gv) - 1]
-has_field(obj, field) {
+has_field(obj, field) if {
 not object.get(obj, field, "N_DEFINED") == "N_DEFINED"
 }
-missing_field(obj, field) {
+missing_field(obj, field) if {
 obj[field] == ""
 }
-missing_field(obj, field) {
+missing_field(obj, field) if {
 not has_field(obj, field)
 }
diff --git a/examples/lib/core_test.rego b/examples/lib/core_test.rego
index f90081a2..5e49b8ae 100644
--- a/examples/lib/core_test.rego
+++ b/examples/lib/core_test.rego
@@ -1,17 +1,19 @@
 package lib.core
-test_not_gk {
+import future.keywords.if
+
+test_not_gk if {
 not is_gatekeeper with input as {"kind": "test"}
 }
-test_is_gk {
+test_is_gk if {
 is_gatekeeper with input as {"review": {"object": {"kind": "test"}}}
 }
-test_has_field_pos {
+test_has_field_pos if {
 has_field({"kind": "test"}, "kind")
 }
-test_missing_field {
+test_missing_field if {
 not has_field({"kind": "test"}, "abc")
 }
diff --git a/examples/lib/pods.rego b/examples/lib/pods.rego
index 5f67b486..ae410473 100644
--- a/examples/lib/pods.rego
+++ b/examples/lib/pods.rego
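Review bot: `missing_field` reports a field as missing only when it is absent or exactly `""`; an explicit `null` (YAML `field: ~`) or an empty list is reported as present, which matters for callers such as `rbac.rule_has_resource_name` that use it to decide whether a rule is unrestricted. If `null` should count as missing, add a third rule `missing_field(obj, field) if { obj[field] == null }`. Separately, `has_field` keys on the string sentinel `"N_DEFINED"`, so a field whose value is literally that string is reported absent; a one-line comment above `has_field` naming the sentinel would save the next reader a puzzle. The same `lib.core` text is embedded in each `examples/*/template.yaml` section of this diff, which appear to be generated copies, so any change here has to be regenerated there.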
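Review bot: `test_missing_field` asserts `not has_field({"kind": "test"}, "abc")` and never calls `missing_field`, so neither branch of `missing_field` in core.rego is exercised by these tests. Rename it to `test_has_field_neg` and add `test_missing_field_empty_string if { missing_field({"kind": ""}, "kind") }` together with `test_missing_field_absent if { missing_field({}, "kind") }`.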
@@ -1,26 +1,29 @@
 package lib.pods
+import future.keywords.contains
+import future.keywords.if
+
 import data.lib.core
 default pod := false
-pod := core.resource.spec.template {
+pod := core.resource.spec.template if {
 pod_templates := ["daemonset", "deployment", "job", "replicaset", "replicationcontroller", "statefulset"]
 lower(core.kind) == pod_templates[_]
 }
-pod := core.resource {
+pod := core.resource if {
 lower(core.kind) == "pod"
 }
-pod := core.resource.spec.jobTemplate.spec.template {
+pod := core.resource.spec.jobTemplate.spec.template if {
 lower(core.kind) == "cronjob"
 }
-containers[container] {
+containers contains container if {
 keys := {"containers", "initContainers"}
 all_containers := [c | some k; keys[k]; c = pod.spec[k][_]]
 container := all_containers[_]
 }
-volumes[pod.spec.volumes[_]]
+volumes contains pod.spec.volumes[_]
diff --git a/examples/lib/pods_test.rego b/examples/lib/pods_test.rego
index fca21ac9..88f0bb33 100644
--- a/examples/lib/pods_test.rego
+++ b/examples/lib/pods_test.rego
@@ -1,6 +1,8 @@
 package lib.pods
-test_input_as_other {
+import future.keywords.if
+
+test_input_as_other if {
 resource := pod with input as {
 "kind": "Other",
 "spec": {"containers": [{}]},
@@ -9,7 +11,7 @@ test_input_as_other {
 not resource
 }
-test_input_as_pod {
+test_input_as_pod if {
 resource := pod with input as {
 "kind": "Pod",
 "spec": {"containers": [{}]},
@@ -18,7 +20,7 @@ test_input_as_pod {
 resource.spec.containers
 }
-test_input_as_deployment {
+test_input_as_deployment if {
 resource := pod with input as {
 "kind": "Deployment",
 "spec": {"template": {"spec": {"containers": [{}]}}},
@@ -27,7 +29,7 @@ test_input_as_deployment {
 resource.spec.containers
 }
-test_input_as_cronjob {
+test_input_as_cronjob if {
 resource := pod with input as {
 "kind": "CronJob",
 "spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": [{}]}}}}},
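Review bot: `containers` only walks `keys := {"containers", "initContainers"}`, so a pod's `spec.ephemeralContainers` (the ones `kubectl debug` injects) are never yielded and none of the container-level policies built on this set can see them; if those are meant to be covered by this library, change the line to `keys := {"containers", "initContainers", "ephemeralContainers"}`. The `pods_test.rego` hunks on this and the next line only feed `containers` into `test_containers`, so an `initContainers` case (and an `ephemeralContainers` one if added) is worth a test. The same `lib.pods` text is embedded in the `examples/*/template.yaml` sections of this diff, which appear to be generated copies.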
@@ -36,7 +38,7 @@ test_input_as_cronjob {
 resource.spec.containers
 }
-test_containers {
+test_containers if {
 podcontainers := containers with input as {
 "kind": "Pod",
 "spec": {"containers": [{"name": "container"}]},
@@ -45,7 +47,7 @@ test_containers {
 podcontainers[_].name == "container"
 }
-test_volumes {
+test_volumes if {
 podvolumes := volumes with input as {
 "kind": "Pod",
 "spec": {"volumes": [{"name": "volume"}]},
diff --git a/examples/lib/psp.rego b/examples/lib/psp.rego
index d020cde6..318af7ab 100644
--- a/examples/lib/psp.rego
+++ b/examples/lib/psp.rego
@@ -1,11 +1,15 @@
 package lib.psps
+import future.keywords.contains
+import future.keywords.if
+import future.keywords.in
+
 import data.lib.core
 # PodSecurityPolicies are not namespace scoped, so the default PSPs included
 # in managed Kubernetes offerings cannot be excluded using the normal
 # methods in Gatekeeper.
-is_exception {
+is_exception if {
 exceptions := {
 "gce.privileged", # GKE
 "gce.persistent-volume-binder", # GKE
@@ -16,10 +20,10 @@ is_exception {
 "gce.fluentd-gcp", # GKE
 }
- core.name == exceptions[_]
+ core.name in exceptions
 }
-psps[psp] {
+psps contains psp if {
 lower(core.kind) = "podsecuritypolicy"
 not is_exception
 psp = core.resource
diff --git a/examples/lib/psp_test.rego b/examples/lib/psp_test.rego
index 32e3e0ae..4ca1e8d6 100644
--- a/examples/lib/psp_test.rego
+++ b/examples/lib/psp_test.rego
@@ -1,9 +1,11 @@
 package lib.psps
-test_exception_pos {
+import future.keywords.if
+
+test_exception_pos if {
 is_exception with input as {"metadata": {"name": "gce.privileged"}}
 }
-test_exception_neg {
+test_exception_neg if {
 not is_exception with input as {"metadata": {"name": "test"}}
 }
diff --git a/examples/lib/rbac.rego b/examples/lib/rbac.rego
index 3a9fdb96..2104d34a 100644
--- a/examples/lib/rbac.rego
+++ b/examples/lib/rbac.rego
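Review bot: In the `psps` rule, `lower(core.kind) = "podsecuritypolicy"` and `psp = core.resource` still use unification `=` while the rest of the library (the `lib.pods` hunk above uses `==` for comparison and `:=` for assignment) does not; since this commit already moves the file to `if`/`contains`/`in`, finish the modernisation with `lower(core.kind) == "podsecuritypolicy"` and `psp := core.resource`. The closing brace of `psps` lies outside the hunk.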
@@ -1,23 +1,24 @@
 package lib.rbac
+import future.keywords.if
 import future.keywords.in
 import data.lib.core
-rule_has_verb(rule, verb) {
+rule_has_verb(rule, verb) if {
 verbs := ["*", lower(verb)]
 verbs[_] == lower(rule.verbs[_])
 }
-rule_has_resource_type(rule, type) {
+rule_has_resource_type(rule, type) if {
 types := ["*", lower(type)]
 types[_] == lower(rule.resources[_])
 }
-rule_has_resource_name(rule, name) {
+rule_has_resource_name(rule, name) if {
 name in rule.resourceNames
 }
-rule_has_resource_name(rule, _) {
+rule_has_resource_name(rule, _) if {
 core.missing_field(rule, "resourceNames")
 }
diff --git a/examples/lib/rbac_test.rego b/examples/lib/rbac_test.rego
index d03e4d94..63c1dce0 100644
--- a/examples/lib/rbac_test.rego
+++ b/examples/lib/rbac_test.rego
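Review bot: `rule_has_resource_name(rule, _) if { core.missing_field(rule, "resourceNames") }` treats a rule as unrestricted only when `resourceNames` is absent or `""`, but a manifest that spells `resourceNames: []` (which in RBAC semantics likewise means every name) makes both `rule_has_resource_name` rules false, so a policy relying on this helper would not flag such a rule; in conftest mode the manifest is evaluated as written, so the empty list is not normalised away before it gets here. Add `rule_has_resource_name(rule, _) if { count(rule.resourceNames) == 0 }` and a matching case in `rbac_test.rego` (next line), which currently only covers `{}`.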
@@ -1,37 +1,39 @@
 package lib.rbac
-test_rule_has_verb_with_use {
+import future.keywords.if
+
+test_rule_has_verb_with_use if {
 rule_has_verb({"verbs": ["use"]}, "use")
 }
-test_rule_has_verb_with_asterisk {
+test_rule_has_verb_with_asterisk if {
 rule_has_verb({"verbs": ["*"]}, "use")
 }
-test_rule_has_verb_with_list {
+test_rule_has_verb_with_list if {
 not rule_has_verb({"verbs": ["list"]}, "use")
 }
-test_rule_has_resource_type_with_pod {
+test_rule_has_resource_type_with_pod if {
 rule_has_resource_type({"resources": ["Pod"]}, "pod")
 }
-test_rule_has_resource_type_with_resourceall {
+test_rule_has_resource_type_with_resourceall if {
 rule_has_resource_type({"resources": ["*"]}, "pod")
 }
-test_rule_has_resource_type_with_container {
+test_rule_has_resource_type_with_container if {
 not rule_has_resource_type({"resources": ["Container"]}, "pod")
 }
-test_rule_has_resource_name_match {
+test_rule_has_resource_name_match if {
 rule_has_resource_name({"resourceNames": ["test"]}, "test")
 }
-test_rule_has_resource_name_no_match {
+test_rule_has_resource_name_no_match if {
 not rule_has_resource_name({"resourceNames": ["test"]}, "wrong")
 }
-test_rule_has_resource_name_null {
+test_rule_has_resource_name_null if {
 rule_has_resource_name({}, "wrong")
 }
diff --git a/examples/lib/security.rego b/examples/lib/security.rego
index 14e1b26f..d6fcf799 100644
--- a/examples/lib/security.rego
+++ b/examples/lib/security.rego
@@ -1,21 +1,23 @@
 package lib.security
-dropped_capability(container, cap) {
+import future.keywords.if
+
+dropped_capability(container, cap) if {
 lower(container.securityContext.capabilities.drop[_]) == lower(cap)
 }
-dropped_capability(psp, cap) {
+dropped_capability(psp, cap) if {
 lower(psp.spec.requiredDropCapabilities[_]) == lower(cap)
 }
-added_capability(container, cap) {
+added_capability(container, cap) if {
 lower(container.securityContext.capabilities.add[_]) == lower(cap)
 }
-added_capability(psp, cap) {
+added_capability(psp, cap) if {
 lower(psp.spec.allowedCapabilities[_]) == lower(cap)
 }
-added_capability(psp, cap) {
+added_capability(psp, cap) if {
 lower(psp.spec.defaultAddCapabilities[_]) == lower(cap)
 }
diff --git a/examples/lib/security_test.rego b/examples/lib/security_test.rego
index b88cf1e2..2138c91f 100644
--- a/examples/lib/security_test.rego
+++ b/examples/lib/security_test.rego
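Review bot: Every rule here compares `lower(<manifest value>)` with `lower(cap)` and nothing more, so `cap` has to be spelled the way Kubernetes spells it in the manifest, without the `CAP_` prefix (`SYS_ADMIN`, not `CAP_SYS_ADMIN`); a caller passing the prefixed form never matches and the policy silently passes. The `security_test.rego` hunk on the next line uses `CAP_SYS_ADMIN` on both sides of each call, so it cannot catch that mismatch. Suggest a header comment after the import, e.g. `# cap is matched case-insensitively but otherwise literally; use the Kubernetes spelling (e.g. "SYS_ADMIN", no CAP_ prefix).`, and, if callers are expected to use either form, normalising both sides with `trim_prefix(lower(...), "cap_")`. The same `lib.security` text is embedded in several `examples/*/template.yaml` sections of this diff, which appear to be generated copies.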
@@ -1,33 +1,35 @@
 package lib.security
-test_added_capabilities_container_match {
+import future.keywords.if
+
+test_added_capabilities_container_match if {
 added_capability({"securityContext": {"capabilities": {"add": ["CAP_SYS_ADMIN"]}}}, "CAP_SYS_ADMIN")
 }
-test_added_capabilities_container_nomatch {
+test_added_capabilities_container_nomatch if {
 not added_capability({"securityContext": {"capabilities": {"add": ["CAP_SYS_ADMIN"]}}}, "test")
 }
-test_added_capabilities_psp_match {
+test_added_capabilities_psp_match if {
 added_capability({"spec": {"allowedCapabilities": ["CAP_SYS_ADMIN"]}}, "CAP_SYS_ADMIN")
 }
-test_added_capabilities_psp_nomatch {
+test_added_capabilities_psp_nomatch if {
 not added_capability({"spec": {"allowedCapabilities": ["CAP_SYS_ADMIN"]}}, "test")
 }
-test_dropped_capabilities_container_match {
+test_dropped_capabilities_container_match if {
 dropped_capability({"securityContext": {"capabilities": {"drop": ["CAP_SYS_ADMIN"]}}}, "CAP_SYS_ADMIN")
 }
-test_dropped_capabilities_container_nomatch {
+test_dropped_capabilities_container_nomatch if {
 not dropped_capability({"securityContext": {"capabilities": {"drop": ["CAP_SYS_ADMIN"]}}}, "test")
 }
-test_dropped_capabilities_psp_match {
+test_dropped_capabilities_psp_match if {
 dropped_capability({"spec": {"requiredDropCapabilities": ["CAP_SYS_ADMIN"]}}, "CAP_SYS_ADMIN")
 }
-test_dropped_capabilities_psp_nomatch {
+test_dropped_capabilities_psp_nomatch if {
 not dropped_capability({"spec": {"requiredDropCapabilities": ["CAP_SYS_ADMIN"]}}, "test")
 }
diff --git a/examples/pod-deny-host-alias/template.yaml b/examples/pod-deny-host-alias/template.yaml
index 5717f7f4..ebf27ffc 100755
--- a/examples/pod-deny-host-alias/template.yaml
+++ b/examples/pod-deny-host-alias/template.yaml
@@ -13,18 +13,20 @@ spec: - |- package lib.core + import future.keywords.if + default is_gatekeeper := false - is_gatekeeper { + is_gatekeeper if { has_field(input, "review") has_field(input.review, "object") } - resource := input.review.object { + resource := input.review.object if { is_gatekeeper } - resource := input { + resource := input if { not is_gatekeeper } @@ -47,54 +49,57 @@ spec: gv := split(apiVersion, "/") - group := gv[0] { + group := gv[0] if { contains(apiVersion, "/") } - group := "core" { + group := "core" if { not contains(apiVersion, "/") } version := gv[count(gv) - 1] - has_field(obj, field) { + has_field(obj, field) if { not object.get(obj, field, "N_DEFINED") == "N_DEFINED" } - missing_field(obj, field) { + missing_field(obj, field) if { obj[field] == "" } - missing_field(obj, field) { + missing_field(obj, field) if { not has_field(obj, field) } - |- package lib.pods + import future.keywords.contains + import future.keywords.if + import data.lib.core default pod := false - pod := core.resource.spec.template { + pod := core.resource.spec.template if { pod_templates := ["daemonset", "deployment", "job", "replicaset", "replicationcontroller", "statefulset"] lower(core.kind) == pod_templates[_] } - pod := core.resource { + pod := core.resource if { lower(core.kind) == "pod" } - pod := core.resource.spec.jobTemplate.spec.template { + pod := core.resource.spec.jobTemplate.spec.template if { lower(core.kind) == "cronjob" } - containers[container] { + containers contains container if { keys := {"containers", "initContainers"} all_containers := [c | some k; keys[k]; c = pod.spec[k][_]] container := all_containers[_] } - volumes[pod.spec.volumes[_]] + volumes contains pod.spec.volumes[_] rego: |- package pod_deny_host_alias diff --git a/examples/pod-deny-host-ipc/template.yaml b/examples/pod-deny-host-ipc/template.yaml index 26167091..4a580384 100755 --- a/examples/pod-deny-host-ipc/template.yaml +++ b/examples/pod-deny-host-ipc/template.yaml 
@@ -13,18 +13,20 @@ spec: - |- package lib.core + import future.keywords.if + default is_gatekeeper := false - is_gatekeeper { + is_gatekeeper if { has_field(input, "review") has_field(input.review, "object") } - resource := input.review.object { + resource := input.review.object if { is_gatekeeper } - resource := input { + resource := input if { not is_gatekeeper } @@ -47,54 +49,57 @@ spec: gv := split(apiVersion, "/") - group := gv[0] { + group := gv[0] if { contains(apiVersion, "/") } - group := "core" { + group := "core" if { not contains(apiVersion, "/") } version := gv[count(gv) - 1] - has_field(obj, field) { + has_field(obj, field) if { not object.get(obj, field, "N_DEFINED") == "N_DEFINED" } - missing_field(obj, field) { + missing_field(obj, field) if { obj[field] == "" } - missing_field(obj, field) { + missing_field(obj, field) if { not has_field(obj, field) } - |- package lib.pods + import future.keywords.contains + import future.keywords.if + import data.lib.core default pod := false - pod := core.resource.spec.template { + pod := core.resource.spec.template if { pod_templates := ["daemonset", "deployment", "job", "replicaset", "replicationcontroller", "statefulset"] lower(core.kind) == pod_templates[_] } - pod := core.resource { + pod := core.resource if { lower(core.kind) == "pod" } - pod := core.resource.spec.jobTemplate.spec.template { + pod := core.resource.spec.jobTemplate.spec.template if { lower(core.kind) == "cronjob" } - containers[container] { + containers contains container if { keys := {"containers", "initContainers"} all_containers := [c | some k; keys[k]; c = pod.spec[k][_]] container := all_containers[_] } - volumes[pod.spec.volumes[_]] + volumes contains pod.spec.volumes[_] rego: |- package pod_deny_host_ipc diff --git a/examples/pod-deny-host-network/template.yaml b/examples/pod-deny-host-network/template.yaml index e23eac74..177dc8e2 100755 --- a/examples/pod-deny-host-network/template.yaml 
+++ b/examples/pod-deny-host-network/template.yaml @@ -13,18 +13,20 @@ spec: - |- package lib.core + import future.keywords.if + default is_gatekeeper := false - is_gatekeeper { + is_gatekeeper if { has_field(input, "review") has_field(input.review, "object") } - resource := input.review.object { + resource := input.review.object if { is_gatekeeper } - resource := input { + resource := input if { not is_gatekeeper } @@ -47,54 +49,57 @@ spec: gv := split(apiVersion, "/") - group := gv[0] { + group := gv[0] if { contains(apiVersion, "/") } - group := "core" { + group := "core" if { not contains(apiVersion, "/") } version := gv[count(gv) - 1] - has_field(obj, field) { + has_field(obj, field) if { not object.get(obj, field, "N_DEFINED") == "N_DEFINED" } - missing_field(obj, field) { + missing_field(obj, field) if { obj[field] == "" } - missing_field(obj, field) { + missing_field(obj, field) if { not has_field(obj, field) } - |- package lib.pods + import future.keywords.contains + import future.keywords.if + import data.lib.core default pod := false - pod := core.resource.spec.template { + pod := core.resource.spec.template if { pod_templates := ["daemonset", "deployment", "job", "replicaset", "replicationcontroller", "statefulset"] lower(core.kind) == pod_templates[_] } - pod := core.resource { + pod := core.resource if { lower(core.kind) == "pod" } - pod := core.resource.spec.jobTemplate.spec.template { + pod := core.resource.spec.jobTemplate.spec.template if { lower(core.kind) == "cronjob" } - containers[container] { + containers contains container if { keys := {"containers", "initContainers"} all_containers := [c | some k; keys[k]; c = pod.spec[k][_]] container := all_containers[_] } - volumes[pod.spec.volumes[_]] + volumes contains pod.spec.volumes[_] rego: |- package pod_deny_host_network diff --git a/examples/pod-deny-host-pid/template.yaml b/examples/pod-deny-host-pid/template.yaml index e27530dd..a55dc9cf 100755 --- a/examples/pod-deny-host-pid/template.yaml 
+++ b/examples/pod-deny-host-pid/template.yaml @@ -13,18 +13,20 @@ spec: - |- package lib.core + import future.keywords.if + default is_gatekeeper := false - is_gatekeeper { + is_gatekeeper if { has_field(input, "review") has_field(input.review, "object") } - resource := input.review.object { + resource := input.review.object if { is_gatekeeper } - resource := input { + resource := input if { not is_gatekeeper } @@ -47,54 +49,57 @@ spec: gv := split(apiVersion, "/") - group := gv[0] { + group := gv[0] if { contains(apiVersion, "/") } - group := "core" { + group := "core" if { not contains(apiVersion, "/") } version := gv[count(gv) - 1] - has_field(obj, field) { + has_field(obj, field) if { not object.get(obj, field, "N_DEFINED") == "N_DEFINED" } - missing_field(obj, field) { + missing_field(obj, field) if { obj[field] == "" } - missing_field(obj, field) { + missing_field(obj, field) if { not has_field(obj, field) } - |- package lib.pods + import future.keywords.contains + import future.keywords.if + import data.lib.core default pod := false - pod := core.resource.spec.template { + pod := core.resource.spec.template if { pod_templates := ["daemonset", "deployment", "job", "replicaset", "replicationcontroller", "statefulset"] lower(core.kind) == pod_templates[_] } - pod := core.resource { + pod := core.resource if { lower(core.kind) == "pod" } - pod := core.resource.spec.jobTemplate.spec.template { + pod := core.resource.spec.jobTemplate.spec.template if { lower(core.kind) == "cronjob" } - containers[container] { + containers contains container if { keys := {"containers", "initContainers"} all_containers := [c | some k; keys[k]; c = pod.spec[k][_]] container := all_containers[_] } - volumes[pod.spec.volumes[_]] + volumes contains pod.spec.volumes[_] rego: |- package pod_deny_host_pid diff --git a/examples/pod-deny-without-runasnonroot/template.yaml b/examples/pod-deny-without-runasnonroot/template.yaml index a80f177a..5bee2ff6 100755 
--- a/examples/pod-deny-without-runasnonroot/template.yaml +++ b/examples/pod-deny-without-runasnonroot/template.yaml @@ -13,18 +13,20 @@ spec: - |- package lib.core + import future.keywords.if + default is_gatekeeper := false - is_gatekeeper { + is_gatekeeper if { has_field(input, "review") has_field(input.review, "object") } - resource := input.review.object { + resource := input.review.object if { is_gatekeeper } - resource := input { + resource := input if { not is_gatekeeper } @@ -47,54 +49,57 @@ spec: gv := split(apiVersion, "/") - group := gv[0] { + group := gv[0] if { contains(apiVersion, "/") } - group := "core" { + group := "core" if { not contains(apiVersion, "/") } version := gv[count(gv) - 1] - has_field(obj, field) { + has_field(obj, field) if { not object.get(obj, field, "N_DEFINED") == "N_DEFINED" } - missing_field(obj, field) { + missing_field(obj, field) if { obj[field] == "" } - missing_field(obj, field) { + missing_field(obj, field) if { not has_field(obj, field) } - |- package lib.pods + import future.keywords.contains + import future.keywords.if + import data.lib.core default pod := false - pod := core.resource.spec.template { + pod := core.resource.spec.template if { pod_templates := ["daemonset", "deployment", "job", "replicaset", "replicationcontroller", "statefulset"] lower(core.kind) == pod_templates[_] } - pod := core.resource { + pod := core.resource if { lower(core.kind) == "pod" } - pod := core.resource.spec.jobTemplate.spec.template { + pod := core.resource.spec.jobTemplate.spec.template if { lower(core.kind) == "cronjob" } - containers[container] { + containers contains container if { keys := {"containers", "initContainers"} all_containers := [c | some k; keys[k]; c = pod.spec[k][_]] container := all_containers[_] } - volumes[pod.spec.volumes[_]] + volumes contains pod.spec.volumes[_] rego: |- package pod_deny_without_runasnonroot 
diff --git a/examples/psp-deny-added-caps/template.yaml b/examples/psp-deny-added-caps/template.yaml index 972018b2..e68fbb65 100755 --- a/examples/psp-deny-added-caps/template.yaml +++ b/examples/psp-deny-added-caps/template.yaml @@ -13,18 +13,20 @@ spec: - |- package lib.core + import future.keywords.if + default is_gatekeeper := false - is_gatekeeper { + is_gatekeeper if { has_field(input, "review") has_field(input.review, "object") } - resource := input.review.object { + resource := input.review.object if { is_gatekeeper } - resource := input { + resource := input if { not is_gatekeeper } @@ -47,33 +49,37 @@ spec: gv := split(apiVersion, "/") - group := gv[0] { + group := gv[0] if { contains(apiVersion, "/") } - group := "core" { + group := "core" if { not contains(apiVersion, "/") } version := gv[count(gv) - 1] - has_field(obj, field) { + has_field(obj, field) if { not object.get(obj, field, "N_DEFINED") == "N_DEFINED" } - missing_field(obj, field) { + missing_field(obj, field) if { obj[field] == "" } - missing_field(obj, field) { + missing_field(obj, field) if { not has_field(obj, field) } - |- package lib.psps + import future.keywords.contains + import future.keywords.if + import future.keywords.in + import data.lib.core - is_exception { + is_exception if { exceptions := { "gce.privileged", # GKE "gce.persistent-volume-binder", # GKE @@ -84,10 +90,10 @@ spec: "gce.fluentd-gcp", # GKE } - core.name == exceptions[_] + core.name in exceptions } - psps[psp] { + psps contains psp if { lower(core.kind) = "podsecuritypolicy" not is_exception psp = core.resource 
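Review bot: `lower(core.kind) = "podsecuritypolicy"` in the `psps contains psp if {` body uses unification where every other comparison in these templates uses `==`; writing it `lower(core.kind) == "podsecuritypolicy"` reads as the comparison it is and matches the `core.name in exceptions` line just above it. The `is_exception` allowlist is keyed on the PSP name alone, so any cluster-scoped PodSecurityPolicy carrying one of those GKE names is exempted regardless of its contents; a comment stating that assumption next to `exceptions := {` would help the next maintainer judge whether name-only matching is still acceptable. The same lib.psps block is copied into psp-deny-escalation, psp-deny-host-alias, psp-deny-host-ipc, psp-deny-host-network, psp-deny-host-pid and psp-deny-privileged later in this diff.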
@@ -95,23 +101,25 @@ spec: - |- package lib.security - dropped_capability(container, cap) { + import future.keywords.if + + dropped_capability(container, cap) if { lower(container.securityContext.capabilities.drop[_]) == lower(cap) } - dropped_capability(psp, cap) { + dropped_capability(psp, cap) if { lower(psp.spec.requiredDropCapabilities[_]) == lower(cap) } - added_capability(container, cap) { + added_capability(container, cap) if { lower(container.securityContext.capabilities.add[_]) == lower(cap) } - added_capability(psp, cap) { + added_capability(psp, cap) if { lower(psp.spec.allowedCapabilities[_]) == lower(cap) } - added_capability(psp, cap) { + added_capability(psp, cap) if { lower(psp.spec.defaultAddCapabilities[_]) == lower(cap) } rego: |- diff --git a/examples/psp-deny-escalation/template.yaml b/examples/psp-deny-escalation/template.yaml index 0f33086e..cf14d796 100755 --- a/examples/psp-deny-escalation/template.yaml +++ b/examples/psp-deny-escalation/template.yaml @@ -13,18 +13,20 @@ spec: - |- package lib.core + import future.keywords.if + default is_gatekeeper := false - is_gatekeeper { + is_gatekeeper if { has_field(input, "review") has_field(input.review, "object") } - resource := input.review.object { + resource := input.review.object if { is_gatekeeper } - resource := input { + resource := input if { not is_gatekeeper } 
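Review bot: `added_capability(psp, cap)` in the lib.security block never matches a PodSecurityPolicy whose `allowedCapabilities` contains `"*"`, which Kubernetes treats as permitting every capability, so a deny presumably built on this helper (psp-deny-added-caps) would not fire for the most permissive policy shape. The two psp branches only compare lower-cased entries of `allowedCapabilities` and `defaultAddCapabilities` against the requested name. A third branch that needs no additional import closes the gap: `added_capability(psp, _) if { psp.spec.allowedCapabilities[_] == "*" }`. The same lib.security block is repeated in role-deny-use-privileged-psp at the end of this diff and should get the same branch.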
@@ -47,33 +49,37 @@ spec: gv := split(apiVersion, "/") - group := gv[0] { + group := gv[0] if { contains(apiVersion, "/") } - group := "core" { + group := "core" if { not contains(apiVersion, "/") } version := gv[count(gv) - 1] - has_field(obj, field) { + has_field(obj, field) if { not object.get(obj, field, "N_DEFINED") == "N_DEFINED" } - missing_field(obj, field) { + missing_field(obj, field) if { obj[field] == "" } - missing_field(obj, field) { + missing_field(obj, field) if { not has_field(obj, field) } - |- package lib.psps + import future.keywords.contains + import future.keywords.if + import future.keywords.in + import data.lib.core - is_exception { + is_exception if { exceptions := { "gce.privileged", # GKE "gce.persistent-volume-binder", # GKE @@ -84,10 +90,10 @@ spec: "gce.fluentd-gcp", # GKE } - core.name == exceptions[_] + core.name in exceptions } - psps[psp] { + psps contains psp if { lower(core.kind) = "podsecuritypolicy" not is_exception psp = core.resource diff --git a/examples/psp-deny-host-alias/template.yaml b/examples/psp-deny-host-alias/template.yaml index 997b4042..1e33d2c4 100755 --- a/examples/psp-deny-host-alias/template.yaml +++ b/examples/psp-deny-host-alias/template.yaml @@ -13,18 +13,20 @@ spec: - |- package lib.core + import future.keywords.if + default is_gatekeeper := false - is_gatekeeper { + is_gatekeeper if { has_field(input, "review") has_field(input.review, "object") } - resource := input.review.object { + resource := input.review.object if { is_gatekeeper } - resource := input { + resource := input if { not is_gatekeeper } 
@@ -47,33 +49,37 @@ spec: gv := split(apiVersion, "/") - group := gv[0] { + group := gv[0] if { contains(apiVersion, "/") } - group := "core" { + group := "core" if { not contains(apiVersion, "/") } version := gv[count(gv) - 1] - has_field(obj, field) { + has_field(obj, field) if { not object.get(obj, field, "N_DEFINED") == "N_DEFINED" } - missing_field(obj, field) { + missing_field(obj, field) if { obj[field] == "" } - missing_field(obj, field) { + missing_field(obj, field) if { not has_field(obj, field) } - |- package lib.psps + import future.keywords.contains + import future.keywords.if + import future.keywords.in + import data.lib.core - is_exception { + is_exception if { exceptions := { "gce.privileged", # GKE "gce.persistent-volume-binder", # GKE @@ -84,10 +90,10 @@ spec: "gce.fluentd-gcp", # GKE } - core.name == exceptions[_] + core.name in exceptions } - psps[psp] { + psps contains psp if { lower(core.kind) = "podsecuritypolicy" not is_exception psp = core.resource diff --git a/examples/psp-deny-host-ipc/template.yaml b/examples/psp-deny-host-ipc/template.yaml index bb797b6a..4cc125c1 100755 --- a/examples/psp-deny-host-ipc/template.yaml +++ b/examples/psp-deny-host-ipc/template.yaml @@ -13,18 +13,20 @@ spec: - |- package lib.core + import future.keywords.if + default is_gatekeeper := false - is_gatekeeper { + is_gatekeeper if { has_field(input, "review") has_field(input.review, "object") } - resource := input.review.object { + resource := input.review.object if { is_gatekeeper } - resource := input { + resource := input if { not is_gatekeeper } 
@@ -47,33 +49,37 @@ spec: gv := split(apiVersion, "/") - group := gv[0] { + group := gv[0] if { contains(apiVersion, "/") } - group := "core" { + group := "core" if { not contains(apiVersion, "/") } version := gv[count(gv) - 1] - has_field(obj, field) { + has_field(obj, field) if { not object.get(obj, field, "N_DEFINED") == "N_DEFINED" } - missing_field(obj, field) { + missing_field(obj, field) if { obj[field] == "" } - missing_field(obj, field) { + missing_field(obj, field) if { not has_field(obj, field) } - |- package lib.psps + import future.keywords.contains + import future.keywords.if + import future.keywords.in + import data.lib.core - is_exception { + is_exception if { exceptions := { "gce.privileged", # GKE "gce.persistent-volume-binder", # GKE @@ -84,10 +90,10 @@ spec: "gce.fluentd-gcp", # GKE } - core.name == exceptions[_] + core.name in exceptions } - psps[psp] { + psps contains psp if { lower(core.kind) = "podsecuritypolicy" not is_exception psp = core.resource diff --git a/examples/psp-deny-host-network/template.yaml b/examples/psp-deny-host-network/template.yaml index 20431e4a..b44cb175 100755 --- a/examples/psp-deny-host-network/template.yaml +++ b/examples/psp-deny-host-network/template.yaml @@ -13,18 +13,20 @@ spec: - |- package lib.core + import future.keywords.if + default is_gatekeeper := false - is_gatekeeper { + is_gatekeeper if { has_field(input, "review") has_field(input.review, "object") } - resource := input.review.object { + resource := input.review.object if { is_gatekeeper } - resource := input { + resource := input if { not is_gatekeeper } 
@@ -47,33 +49,37 @@ spec: gv := split(apiVersion, "/") - group := gv[0] { + group := gv[0] if { contains(apiVersion, "/") } - group := "core" { + group := "core" if { not contains(apiVersion, "/") } version := gv[count(gv) - 1] - has_field(obj, field) { + has_field(obj, field) if { not object.get(obj, field, "N_DEFINED") == "N_DEFINED" } - missing_field(obj, field) { + missing_field(obj, field) if { obj[field] == "" } - missing_field(obj, field) { + missing_field(obj, field) if { not has_field(obj, field) } - |- package lib.psps + import future.keywords.contains + import future.keywords.if + import future.keywords.in + import data.lib.core - is_exception { + is_exception if { exceptions := { "gce.privileged", # GKE "gce.persistent-volume-binder", # GKE @@ -84,10 +90,10 @@ spec: "gce.fluentd-gcp", # GKE } - core.name == exceptions[_] + core.name in exceptions } - psps[psp] { + psps contains psp if { lower(core.kind) = "podsecuritypolicy" not is_exception psp = core.resource diff --git a/examples/psp-deny-host-pid/template.yaml b/examples/psp-deny-host-pid/template.yaml index 5fe2ab2d..65dc0470 100755 --- a/examples/psp-deny-host-pid/template.yaml +++ b/examples/psp-deny-host-pid/template.yaml @@ -13,18 +13,20 @@ spec: - |- package lib.core + import future.keywords.if + default is_gatekeeper := false - is_gatekeeper { + is_gatekeeper if { has_field(input, "review") has_field(input.review, "object") } - resource := input.review.object { + resource := input.review.object if { is_gatekeeper } - resource := input { + resource := input if { not is_gatekeeper } 
@@ -47,33 +49,37 @@ spec: gv := split(apiVersion, "/") - group := gv[0] { + group := gv[0] if { contains(apiVersion, "/") } - group := "core" { + group := "core" if { not contains(apiVersion, "/") } version := gv[count(gv) - 1] - has_field(obj, field) { + has_field(obj, field) if { not object.get(obj, field, "N_DEFINED") == "N_DEFINED" } - missing_field(obj, field) { + missing_field(obj, field) if { obj[field] == "" } - missing_field(obj, field) { + missing_field(obj, field) if { not has_field(obj, field) } - |- package lib.psps + import future.keywords.contains + import future.keywords.if + import future.keywords.in + import data.lib.core - is_exception { + is_exception if { exceptions := { "gce.privileged", # GKE "gce.persistent-volume-binder", # GKE @@ -84,10 +90,10 @@ spec: "gce.fluentd-gcp", # GKE } - core.name == exceptions[_] + core.name in exceptions } - psps[psp] { + psps contains psp if { lower(core.kind) = "podsecuritypolicy" not is_exception psp = core.resource diff --git a/examples/psp-deny-privileged/template.yaml b/examples/psp-deny-privileged/template.yaml index e6c44a19..b171c996 100755 --- a/examples/psp-deny-privileged/template.yaml +++ b/examples/psp-deny-privileged/template.yaml @@ -13,18 +13,20 @@ spec: - |- package lib.core + import future.keywords.if + default is_gatekeeper := false - is_gatekeeper { + is_gatekeeper if { has_field(input, "review") has_field(input.review, "object") } - resource := input.review.object { + resource := input.review.object if { is_gatekeeper } - resource := input { + resource := input if { not is_gatekeeper } 
@@ -47,33 +49,37 @@ spec: gv := split(apiVersion, "/") - group := gv[0] { + group := gv[0] if { contains(apiVersion, "/") } - group := "core" { + group := "core" if { not contains(apiVersion, "/") } version := gv[count(gv) - 1] - has_field(obj, field) { + has_field(obj, field) if { not object.get(obj, field, "N_DEFINED") == "N_DEFINED" } - missing_field(obj, field) { + missing_field(obj, field) if { obj[field] == "" } - missing_field(obj, field) { + missing_field(obj, field) if { not has_field(obj, field) } - |- package lib.psps + import future.keywords.contains + import future.keywords.if + import future.keywords.in + import data.lib.core - is_exception { + is_exception if { exceptions := { "gce.privileged", # GKE "gce.persistent-volume-binder", # GKE @@ -84,10 +90,10 @@ spec: "gce.fluentd-gcp", # GKE } - core.name == exceptions[_] + core.name in exceptions } - psps[psp] { + psps contains psp if { lower(core.kind) = "podsecuritypolicy" not is_exception psp = core.resource diff --git a/examples/required-labels/template.yaml b/examples/required-labels/template.yaml index 8fef5333..67800233 100755 --- a/examples/required-labels/template.yaml +++ b/examples/required-labels/template.yaml @@ -21,18 +21,20 @@ spec: - |- package lib.core + import future.keywords.if + default is_gatekeeper := false - is_gatekeeper { + is_gatekeeper if { has_field(input, "review") has_field(input.review, "object") } - resource := input.review.object { + resource := input.review.object if { is_gatekeeper } - resource := input { + resource := input if { not is_gatekeeper } 
@@ -55,25 +57,25 @@ spec: gv := split(apiVersion, "/") - group := gv[0] { + group := gv[0] if { contains(apiVersion, "/") } - group := "core" { + group := "core" if { not contains(apiVersion, "/") } version := gv[count(gv) - 1] - has_field(obj, field) { + has_field(obj, field) if { not object.get(obj, field, "N_DEFINED") == "N_DEFINED" } - missing_field(obj, field) { + missing_field(obj, field) if { obj[field] == "" } - missing_field(obj, field) { + missing_field(obj, field) if { not has_field(obj, field) } rego: |- diff --git a/examples/role-deny-use-privileged-psp/template.yaml b/examples/role-deny-use-privileged-psp/template.yaml index 28bd2326..f22f8f3c 100755 --- a/examples/role-deny-use-privileged-psp/template.yaml +++ b/examples/role-deny-use-privileged-psp/template.yaml @@ -13,18 +13,20 @@ spec: - |- package lib.core + import future.keywords.if + default is_gatekeeper := false - is_gatekeeper { + is_gatekeeper if { has_field(input, "review") has_field(input.review, "object") } - resource := input.review.object { + resource := input.review.object if { is_gatekeeper } - resource := input { + resource := input if { not is_gatekeeper } 
@@ -47,71 +49,74 @@ spec: gv := split(apiVersion, "/") - group := gv[0] { + group := gv[0] if { contains(apiVersion, "/") } - group := "core" { + group := "core" if { not contains(apiVersion, "/") } version := gv[count(gv) - 1] - has_field(obj, field) { + has_field(obj, field) if { not object.get(obj, field, "N_DEFINED") == "N_DEFINED" } - missing_field(obj, field) { + missing_field(obj, field) if { obj[field] == "" } - missing_field(obj, field) { + missing_field(obj, field) if { not has_field(obj, field) } - |- package lib.rbac + import future.keywords.if import future.keywords.in import data.lib.core - rule_has_verb(rule, verb) { + rule_has_verb(rule, verb) if { verbs := ["*", lower(verb)] verbs[_] == lower(rule.verbs[_]) } - rule_has_resource_type(rule, type) { + rule_has_resource_type(rule, type) if { types := ["*", lower(type)] types[_] == lower(rule.resources[_]) } - rule_has_resource_name(rule, name) { + rule_has_resource_name(rule, name) if { name in rule.resourceNames } - rule_has_resource_name(rule, _) { + rule_has_resource_name(rule, _) if { core.missing_field(rule, "resourceNames") } - |- package lib.security - dropped_capability(container, cap) { + import future.keywords.if + + dropped_capability(container, cap) if { lower(container.securityContext.capabilities.drop[_]) == lower(cap) } - dropped_capability(psp, cap) { + dropped_capability(psp, cap) if { lower(psp.spec.requiredDropCapabilities[_]) == lower(cap) } - added_capability(container, cap) { + added_capability(container, cap) if { lower(container.securityContext.capabilities.add[_]) == lower(cap) } - added_capability(psp, cap) { + added_capability(psp, cap) if { lower(psp.spec.allowedCapabilities[_]) == lower(cap) } - added_capability(psp, cap) { + added_capability(psp, cap) if { lower(psp.spec.defaultAddCapabilities[_]) == lower(cap) } rego: |-
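Review bot: An RBAC rule with `resourceNames: []` satisfies neither branch of `rule_has_resource_name` in the lib.rbac block: `name in rule.resourceNames` is false for an empty list, and `core.missing_field(rule, "resourceNames")` only holds for an absent key or an empty string (its two branches are visible in the lib.core part of this hunk), even though Kubernetes treats an empty resourceNames list as applying to every name. A deny presumably built on this helper (role-deny-use-privileged-psp) would therefore not fire for such a rule. A third branch covers it without touching the shared lib.core copy: `rule_has_resource_name(rule, _) if { count(rule.resourceNames) == 0 }`. Since lib.core and its `missing_field` helper are duplicated verbatim into every template in this diff, any fix placed there instead must be mirrored across all of them.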