-
Notifications
You must be signed in to change notification settings - Fork 23
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #42 from kcl-lang/psp-forbidden-sysctls
feat: add psp-forbidden-sysctls modules
- Loading branch information
Showing
4 changed files
with
51 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| ## Introduction | ||
|
|
||
| `psp-forbidden-sysctls` is a kcl PSP validation package. | ||
|
|
||
| ## Resource | ||
|
|
||
| Code source and document is [here](https://github.com/kcl-lang/artifacthub/tree/main/psp-forbidden-sysctls) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| [package] | ||
| name = "psp-forbidden-sysctls" | ||
| version = "0.1.0" | ||
| description = "`psp-forbidden-sysctls` is a kcl validation package" | ||
|
|
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| """Controls the `sysctl` profile used by containers. Corresponds to the | ||
| `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. | ||
| When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. | ||
| The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. | ||
| For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ | ||
| """ | ||
|
|
||
| schema Params: | ||
| allowedSysctls?: [str] | ||
| forbiddenSysctls?: [str] | ||
|
|
||
| params: Params = option("params") | ||
| allowedSysctls: [str] = params?.allowedSysctls or [] | ||
| forbiddenSysctls: [str] = params?.forbiddenSysctls or [] | ||
| forbiddenAll = any sysctl in forbiddenSysctls { | ||
| sysctl == "*" | ||
| } | ||
| allowAll = any sysctl in allowedSysctls { | ||
| sysctl == "*" | ||
| } | ||
|
|
||
| # Define the validation function | ||
| validate = lambda item: {str:} { | ||
| if item.kind == "Pod": | ||
| name = item.metadata.name | ||
| sysctl_names = [sysctl.name for sysctl in item.spec.securityContext.sysctls] | ||
| if any sysctl in sysctl_names { | ||
| sysctl in forbiddenSysctls | ||
| } or forbiddenAll: | ||
| assert False, "The sysctl {} is not allowed, pod: {}. Forbidden sysctls: {}".format(sysctl_names, name, forbiddenSysctls) | ||
| if not (all sysctl in sysctl_names { | ||
| sysctl in allowedSysctls | ||
| } or allowAll): | ||
| assert False, "The sysctl {} is not explicitly allowed, pod: {}. Allowed sysctls: {}".format(sysctl_names, name, allowedSysctls) | ||
| # Return the resource | ||
| item | ||
| } | ||
| # Validate All resource | ||
| items = [validate(i) for i in option("items")] |