Merge pull request #39 from kcl-lang/psp-host-namespaces

feat: add psp-host-namespaces modules
kcl-lang · Oct 31, 2023 · 71d20f2 · 71d20f2
2 parents 4771ea0 + b4d0101
commit 71d20f2
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 0 deletions.
diff --git a/psp-host-namespaces/README.md b/psp-host-namespaces/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`psp-host-namespaces` is a kcl PSP validation package. 
+
+## Resource
+
+Code source and document is [here](https://github.com/kcl-lang/artifacthub/tree/main/psp-host-namespaces)
diff --git a/psp-host-namespaces/kcl.mod b/psp-host-namespaces/kcl.mod
@@ -0,0 +1,5 @@
+[package]
+name = "psp-host-namespaces"
+version = "0.1.0"
+description = "`psp-host-namespaces` is a kcl validation package"
+
diff --git a/psp-host-namespaces/kcl.mod.lock b/psp-host-namespaces/kcl.mod.lock
diff --git a/psp-host-namespaces/main.k b/psp-host-namespaces/main.k
@@ -0,0 +1,19 @@
+"""Disallows sharing of host PID and IPC namespaces by pod containers.
+Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy.
+For more information, see
+https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
+"""
+
+# Define the validation function
+validate = lambda item: {str:} {
+    n = ""
+    if item.kind == "Pod":
+        n = item.spec.hostPID or item.spec.hostIPC
+    elif item.kind == "Deployment":
+        n = item.spec.template.spec.hostPID or item.spec.template.spec.hostIPC
+    assert not n, "Sharing the host namespace is not allowed: {}".format(item.metadata.name)
+    # Return the resource
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items")]