kcl-lang · Peefy · Oct 31, 2023 · Oct 31, 2023
diff --git a/container_profile/kcl.mod b/container_profile/kcl.mod
@@ -1,5 +1,5 @@
 [package]
 name = "container_profile"
-version = "0.1.0"
+version = "0.1.1"
 description = "`container_profile` is a kcl package to get pod container profile"
 
diff --git a/psp-read-only-root-filesystem/README.md b/psp-read-only-root-filesystem/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`psp-read-only-root-filesystem` is a kcl PSP validation package. 
+
+## Resource
+
+Code source and document is [here](https://github.com/kcl-lang/artifacthub/tree/main/psp-read-only-root-filesystem)
diff --git a/psp-read-only-root-filesystem/kcl.mod b/psp-read-only-root-filesystem/kcl.mod
@@ -0,0 +1,5 @@
+[package]
+name = "psp-read-only-root-filesystem"
+version = "0.1.0"
+description = "`psp-read-only-root-filesystem` is a kcl validation package"
+
diff --git a/psp-read-only-root-filesystem/kcl.mod.lock b/psp-read-only-root-filesystem/kcl.mod.lock
diff --git a/psp-read-only-root-filesystem/main.k b/psp-read-only-root-filesystem/main.k
@@ -0,0 +1,42 @@
+"""Requires the use of a read-only root file system by pod containers.
+Corresponds to the `readOnlyRootFilesystem` field in a
+PodSecurityPolicy. For more information, see
+https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+"""
+
+schema Params:
+    exemptImages?: [str]
+
+params: Params = option("params")
+exemptImages: [str] = params?.exemptImages or []
+
+is_exempt = lambda image: str -> bool {
+    result = False
+    if exemptImages:
+        result = any exempt_image in exemptImages {
+            (image.startswith(exempt_image.removesuffix("*")) if exempt_image.endswith("*") else exempt_image == image)
+        }
+    result
+}
+
+violation = lambda container: {str:} {
+    msg = "only read-only root filesystem container is allowed: ${container.name}"
+    assert container?.securityContext?.readOnlyRootFilesystem is True, msg
+    msg
+}
+
+# Define the validation function
+validate = lambda item: {str:} {
+    containers: [{str:}] = []
+    if item.kind == "Pod":
+        containers = (item.spec.containers or []) + (item.spec.initContainers or []) + (item.spec.ephemeralContainers or [])
+    elif item.kind == "Deployment":
+        containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.initContainers or []) + (item.spec.template.spec.ephemeralContainers or [])
+    if containers:
+        containers = [c for c in containers if not is_exempt(c.image)]
+        container_list_disallow = [c.name for c in containers if not violation(c)]
+    # Return the resource
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items")]
diff --git a/psp-seccomp/kcl.mod b/psp-seccomp/kcl.mod
@@ -1,5 +1,5 @@
 [package]
 name = "psp-seccomp"
-version = "0.1.0"
+version = "0.1.1"
 description = "`psp-seccomp` is a kcl validation package"
 
diff --git a/psp-volumes/kcl.mod b/psp-volumes/kcl.mod
@@ -1,5 +1,5 @@
 [package]
 name = "psp-volumes"
-version = "0.1.2"
+version = "0.1.3"
 description = "`psp-volumes` is a kcl validation package"