convert check-node-for-cve-2022-0185

Signed-off-by: Chandan-DK <[email protected]>

other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml

@@ -1,22 +1,23 @@
-name: check-node-for-cve-2022-0185
+name: check-node-for-cve-2022-0185-cel
 version: 1.0.0
-displayName: Check Node for CVE-2022-0185
-createdAt: "2023-04-10T20:30:03.000Z"
+displayName: Check Node for CVE-2022-0185 in CEL expressions
 description: >-
   Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched. The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2. For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185. This policy runs in background mode and flags an entry in the ClusterPolicyReport if any Node is reporting one of the affected kernel versions.
 install: |-
   ```shell
-  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
   ```
 keywords:
   - kyverno
   - Other
+  - CEL Expressions
 readme: |
   Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched. The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2. For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185. This policy runs in background mode and flags an entry in the ClusterPolicyReport if any Node is reporting one of the affected kernel versions.
   
   Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 annotations:
-  kyverno/category: "Other"
-  kyverno/kubernetesVersion: "1.23"
+  kyverno/category: "Other in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Node"
-digest: ff64c6f2754226a75b84e88862af65ecc49ebad50cabd601687fd5770003f36a
+digest: e8f651f6cbdf95446e6ef90067ed806216d9f12323188bedb16958b071a7d85f
+createdAt: "2024-03-21T14:21:00Z"

other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml

@@ -3,12 +3,12 @@ kind: ClusterPolicy
 metadata:
   name: check-kernel
   annotations:
-    policies.kyverno.io/title: Check Node for CVE-2022-0185
-    policies.kyverno.io/category: Other
+    policies.kyverno.io/title: Check Node for CVE-2022-0185 in CEL expressions
+    policies.kyverno.io/category: Other in CEL 
     policies.kyverno.io/severity: high
-    kyverno.io/kyverno-version: 1.6.0
-    policies.kyverno.io/minversion: 1.6.0
-    kyverno.io/kubernetes-version: "1.23"
+    kyverno.io/kyverno-version: 1.11.0
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
     policies.kyverno.io/subject: Node
     policies.kyverno.io/description: >-
       Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched.
@@ -17,7 +17,7 @@ metadata:
       This policy runs in background mode and flags an entry in the ClusterPolicyReport
       if any Node is reporting one of the affected kernel versions.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: kernel-validate
@@ -27,13 +27,8 @@ spec:
           kinds:
             - Node
     validate:
-      message: "Kernel is vulnerable to CVE-2022-0185."
-      deny:
-        conditions:
-          any:
-          - key: "{{request.object.status.nodeInfo.kernelVersion}}"
-            operator: Equals
-            value: "5.10.84-1"
-          - key: "{{request.object.status.nodeInfo.kernelVersion}}"
-            operator: Equals
-            value: "5.15.5-2"
+      cel:
+        expressions:
+          - expression: "!object.status.nodeInfo.kernelVersion in ['5.10.84-1', '5.15.5-2']"
+            message: "Kernel is vulnerable to CVE-2022-0185."
+