Merge pull request #171 from nirmata/NDEV-18111
NDEV-18111: add mutate policy for adding-capabilities-strict rule
anusha94 authored Oct 14, 2024
2 parents 360fdad + 819700a commit 53231d7
Showing 1 changed file with 111 additions and 12 deletions.
Expand Up @@ -29,11 +29,9 @@ spec:
value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
patchesJson6902: |-
- op: add
path: /spec/template/spec/containers/{{elementIndex}}/securityContext
path: /spec/template/spec/containers/{{elementIndex}}/securityContext/capabilities/drop
value:
capabilities:
drop:
- ALL
- ALL
- list: request.object.spec.template.spec.initContainers[]
order: Descending
preconditions:
Expand All @@ -43,11 +41,9 @@ spec:
value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
patchesJson6902: |-
- op: add
path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext
path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext/capabilities/drop
value:
capabilities:
drop:
- ALL
- ALL
- list: request.object.spec.template.spec.ephemeralContainers[]
order: Descending
preconditions:
Expand All @@ -57,8 +53,111 @@ spec:
value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
patchesJson6902: |-
- op: add
path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext
path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities/drop
value:
- ALL
- name: restrict-adding-capabilities-other-than-net-bind-service
match:
resources:
kinds:
- Deployment
- StatefulSet
- Job
- DaemonSet
mutate:
foreach:
- list: request.object.spec.template.spec.containers[]
order: Descending
preconditions:
all:
- key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
operator: NotEquals
value: []
- key: NET_BIND_RAW
operator: AnyNotIn
value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
patchesJson6902: |-
- op: remove
path: /spec/template/spec/containers/{{elementIndex}}/securityContext/capabilities/add
- list: request.object.spec.template.spec.containers[]
order: Descending
preconditions:
all:
- key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
operator: NotEquals
value: []
- key: NET_BIND_RAW
operator: In
value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
patchesJson6902: |-
- op: remove
path: /spec/template/spec/containers/{{elementIndex}}/securityContext/capabilities/add
- op: add
path: /spec/template/spec/containers/{{elementIndex}}/securityContext/capabilities/add
value:
- NET_BIND_RAW
- list: request.object.spec.template.spec.initContainers[]
order: Descending
preconditions:
all:
- key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
operator: NotEquals
value: []
- key: NET_BIND_RAW
operator: AnyNotIn
value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
patchesJson6902: |-
- op: remove
path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext/capabilities/add
- list: request.object.spec.template.spec.initContainers[]
order: Descending
preconditions:
all:
- key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
operator: NotEquals
value: []
- key: NET_BIND_RAW
operator: In
value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
patchesJson6902: |-
- op: remove
path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext/capabilities/add
- op: add
path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext/capabilities/add
value:
- NET_BIND_RAW
- list: request.object.spec.template.spec.ephemeralContainers[]
order: Descending
preconditions:
all:
- key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
operator: NotEquals
value: []
- key: NET_BIND_RAW
operator: AnyNotIn
value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
patchesJson6902: |-
- op: remove
path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities/add
- list: request.object.spec.template.spec.ephemeralContainers[]
order: Descending
preconditions:
all:
- key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
operator: NotEquals
value: []
- key: NET_BIND_RAW
operator: In
value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
patchesJson6902: |-
- op: remove
path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities/add
- op: add
path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities/add
value:
capabilities:
drop:
- ALL
- NET_BIND_RAW
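Review bot: The capability named in every new precondition and patch value is `NET_BIND_RAW` (lines 67, 80 and 89, repeated for the initContainers and ephemeralContainers entries), but the rule added at line 50 is called restrict-adding-capabilities-other-than-net-bind-service, and `NET_BIND_RAW` is not a Linux capability name — the capability the Pod Security "restricted" profile permits in `capabilities.add` is `NET_BIND_SERVICE`. As written, the `operator: In` branches can never match a real workload, so the `AnyNotIn` branches strip `capabilities.add` from every container that sets it, including one that legitimately adds only NET_BIND_SERVICE, and a container that somehow reached the runtime with `add: [NET_BIND_RAW]` would presumably fail to start on an unknown capability. Change `- key: NET_BIND_RAW` to `- key: NET_BIND_SERVICE` and the patch value `- NET_BIND_RAW` to `- NET_BIND_SERVICE` in all six foreach entries, and add a test resource with `add: [NET_BIND_SERVICE]` to confirm it is preserved rather than removed. Separately, the reworked drop patches at lines 19, 33 and 47 now `add` directly to `.../securityContext/capabilities/drop`; RFC 6902 `add` requires the parent object to exist, so whether a container with no `securityContext.capabilities` stanza is mutated or rejected depends on Kyverno creating the intermediate path — worth covering with a test case too. The ClusterPolicy header and the preconditions of the first three foreach entries are outside the hunk.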
