diff --git a/container_profile/kcl.mod b/container_profile/kcl.mod
index 9237adeb..2b9aeb7a 100644
--- a/container_profile/kcl.mod
+++ b/container_profile/kcl.mod
@@ -1,5 +1,5 @@
 [package]
 name = "container_profile"
-version = "0.1.0"
+version = "0.1.1"
 description = "`container_profile` is a kcl package to get pod container profile"
diff --git a/psp-read-only-root-filesystem/README.md b/psp-read-only-root-filesystem/README.md
new file mode 100644
index 00000000..4ee32818
--- /dev/null
+++ b/psp-read-only-root-filesystem/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`psp-read-only-root-filesystem` is a kcl PSP validation package.
+
+## Resource
+
+Code source and document is [here](https://github.com/kcl-lang/artifacthub/tree/main/psp-read-only-root-filesystem)
diff --git a/psp-read-only-root-filesystem/kcl.mod b/psp-read-only-root-filesystem/kcl.mod
new file mode 100644
index 00000000..b776056b
--- /dev/null
+++ b/psp-read-only-root-filesystem/kcl.mod
@@ -0,0 +1,5 @@
+[package]
+name = "psp-read-only-root-filesystem"
+version = "0.1.0"
+description = "`psp-read-only-root-filesystem` is a kcl validation package"
+
diff --git a/psp-read-only-root-filesystem/kcl.mod.lock b/psp-read-only-root-filesystem/kcl.mod.lock
new file mode 100644
index 00000000..e69de29b
diff --git a/psp-read-only-root-filesystem/main.k b/psp-read-only-root-filesystem/main.k
new file mode 100644
index 00000000..7df29add
--- /dev/null
+++ b/psp-read-only-root-filesystem/main.k
@@ -0,0 +1,42 @@
+"""Requires the use of a read-only root file system by pod containers.
+Corresponds to the `readOnlyRootFilesystem` field in a
+PodSecurityPolicy. For more information, see
+https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+"""
+
+schema Params:
+ exemptImages?: [str]
+
+params: Params = option("params")
+exemptImages: [str] = params?.exemptImages or []
+
+is_exempt = lambda image: str -> bool {
+ result = False
+ if exemptImages:
+ result = any exempt_image in exemptImages {
+ (image.startswith(exempt_image.removesuffix("*")) if exempt_image.endswith("*") else exempt_image == image)
+ }
+ result
+}
+
+violation = lambda container: {str:} {
+ msg = "only read-only root filesystem container is allowed: ${container.name}"
+ assert container?.securityContext?.readOnlyRootFilesystem is True, msg
+ msg
+}
+
+# Define the validation function
+validate = lambda item: {str:} {
+ containers: [{str:}] = []
+ if item.kind == "Pod":
+ containers = (item.spec.containers or []) + (item.spec.initContainers or []) + (item.spec.ephemeralContainers or [])
+ elif item.kind == "Deployment":
+ containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.initContainers or []) + (item.spec.template.spec.ephemeralContainers or [])
+ if containers:
+ containers = [c for c in containers if not is_exempt(c.image)]
+ container_list_disallow = [c.name for c in containers if not violation(c)]
+ # Return the resource
+ item
+}
+# Validate All resource
+items = [validate(i) for i in option("items")]
diff --git a/psp-seccomp/kcl.mod b/psp-seccomp/kcl.mod
index 168a9ed9..23968ebc 100644
--- a/psp-seccomp/kcl.mod
+++ b/psp-seccomp/kcl.mod
@@ -1,5 +1,5 @@
 [package]
 name = "psp-seccomp"
-version = "0.1.0"
+version = "0.1.1"
 description = "`psp-seccomp` is a kcl validation package"
diff --git a/psp-volumes/kcl.mod b/psp-volumes/kcl.mod
index 3a605733..dbf12c6a 100644
--- a/psp-volumes/kcl.mod
+++ b/psp-volumes/kcl.mod
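Review bot: `validate` hands back any item whose `kind` is neither `Pod` nor `Deployment` untouched, so a StatefulSet, DaemonSet, Job, ReplicaSet or CronJob whose containers lack `readOnlyRootFilesystem: true` passes this policy with no violation, because `containers` stays `[]` and the `if containers:` branch never runs. If only those two kinds are in scope, state that in the module docstring; otherwise the template-bearing kinds share the same field path and the branch could read `elif item.kind in ["Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"]:`, with a further branch on `item.spec.jobTemplate.spec.template.spec` for CronJob. `container_list_disallow` is dead code: `violation` either aborts at the `assert` or returns the non-empty `msg`, so `not violation(c)` is never true and the list is neither read nor returned — drop the line, or restructure so the `assert` is visibly the enforcement point. `is_exempt` also accepts a bare `"*"` entry, which exempts every image since `removesuffix("*")` leaves `""` and `startswith("")` is always true; a comment on `exemptImages?` such as `# prefix match when an entry ends with "*"; a bare "*" exempts all images` would make that explicit to operators.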
@@ -1,5 +1,5 @@
 [package]
 name = "psp-volumes"
-version = "0.1.2"
+version = "0.1.3"
 description = "`psp-volumes` is a kcl validation package"