
Merge pull request #34 from kcl-lang/psp-read-only-root-filesystem
feat: psp-read-only-root-filesystem module
Peefy authored Oct 31, 2023
2 parents 3422d83 + 1744734 commit 8dd09fb
Showing 7 changed files with 57 additions and 3 deletions.
2 changes: 1 addition & 1 deletion container_profile/kcl.mod
@@ -1,5 +1,5 @@
[package]
name = "container_profile"
version = "0.1.0"
version = "0.1.1"
description = "`container_profile` is a kcl package to get pod container profile"

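--- a/psp-read-only-root-filesystem/README.md
+++ b/psp-read-only-root-filesystem/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`psp-read-only-root-filesystem` is a kcl PSP validation package.
+
+## Resource
+
+Code source and document is [here](https://github.com/kcl-lang/artifacthub/tree/main/psp-read-only-root-filesystem)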
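--- a/psp-read-only-root-filesystem/kcl.mod
+++ b/psp-read-only-root-filesystem/kcl.mod
@@ -0,0 +1,5 @@
+[package]
+name = "psp-read-only-root-filesystem"
+version = "0.1.0"
+description = "`psp-read-only-root-filesystem` is a kcl validation package"
+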
Empty file.
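--- a/psp-read-only-root-filesystem/main.k
+++ b/psp-read-only-root-filesystem/main.k
@@ -0,0 +1,42 @@
+"""Requires the use of a read-only root file system by pod containers.
+Corresponds to the `readOnlyRootFilesystem` field in a
+PodSecurityPolicy. For more information, see
+https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+"""
+
+schema Params:
+exemptImages?: [str]
+
+params: Params = option("params")
+exemptImages: [str] = params?.exemptImages or []
+
+is_exempt = lambda image: str -> bool {
+result = False
+if exemptImages:
+result = any exempt_image in exemptImages {
+(image.startswith(exempt_image.removesuffix("*")) if exempt_image.endswith("*") else exempt_image == image)
+}
+result
+}
+
+violation = lambda container: {str:} {
+msg = "only read-only root filesystem container is allowed: ${container.name}"
+assert container?.securityContext?.readOnlyRootFilesystem is True, msg
+msg
+}
+
+# Define the validation function
+validate = lambda item: {str:} {
+containers: [{str:}] = []
+if item.kind == "Pod":
+containers = (item.spec.containers or []) + (item.spec.initContainers or []) + (item.spec.ephemeralContainers or [])
+elif item.kind == "Deployment":
+containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.initContainers or []) + (item.spec.template.spec.ephemeralContainers or [])
+if containers:
+containers = [c for c in containers if not is_exempt(c.image)]
+container_list_disallow = [c.name for c in containers if not violation(c)]
+# Return the resource
+item
+}
+# Validate All resource
+items = [validate(i) for i in option("items")]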
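Review bot: Only resources with `kind` equal to `Pod` or `Deployment` are inspected in the `validate` lambda's `if`/`elif` chain; every other workload kind (DaemonSet, StatefulSet, ReplicaSet, Job, CronJob) leaves `containers` empty and is returned unvalidated, so a writable root filesystem in those resources is never reported even though the module docstring promises coverage of "pod containers". The `.spec.template.spec` branch can be widened to `elif item.kind in ["Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job"]:`, and CronJob needs its own branch reading `item.spec.jobTemplate.spec.template.spec`; if the narrow scope is intentional, the docstring should say so. Separately, the `container_list_disallow = [c.name for c in containers if not violation(c)]` line is dead code: `violation` either raises on the assert or returns the non-empty `msg`, so the filter never admits a name and the variable is unused — `[violation(c) for c in containers]` states the intent without the misleading name. Note also that an exempt pattern of just `"*"` makes `is_exempt` true for every image via the `removesuffix("*")` prefix match; that is presumably acceptable since `exemptImages` is operator-supplied, but a comment on `is_exempt` saying so would help reviewers.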
2 changes: 1 addition & 1 deletion psp-seccomp/kcl.mod
@@ -1,5 +1,5 @@
[package]
name = "psp-seccomp"
version = "0.1.0"
version = "0.1.1"
description = "`psp-seccomp` is a kcl validation package"

2 changes: 1 addition & 1 deletion psp-volumes/kcl.mod
@@ -1,5 +1,5 @@
[package]
name = "psp-volumes"
version = "0.1.2"
version = "0.1.3"
description = "`psp-volumes` is a kcl validation package"
