Simplify Disallow hostPorts in CEL expressions (#1108)

* Update artifacthub-pkg.yml

Signed-off-by: Lavish Pal <[email protected]>
(cherry picked from commit 8119432)
Signed-off-by: Lavish Pal <[email protected]>

* refactor: simplify disallow-host-ports CEL expressions using allContainers variable

Signed-off-by: Lavish Pal <[email protected]>

---------

Signed-off-by: Lavish Pal <[email protected]>
Co-authored-by: ShutingZhao <[email protected]>

Author: lavishpal

pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml

@@ -19,5 +19,5 @@ annotations:
   kyverno/category: "Pod Security Standards (Baseline) in CEL"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: b95cfe16e11be0b9507736687bd99b5ea78c455f8fc35194220326ea5ff3913c
-createdAt: "2023-12-03T00:22:34Z"
+digest: 80013655376b57e3f079c5c748013f6b2f04c16eb32f8c8bd0c6208e4a4f71db
+createdAt: "2025-10-22T00:05:34Z"

pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml

@@ -12,7 +12,7 @@ metadata:
     policies.kyverno.io/description: >-
       Access to host ports allows potential snooping of network traffic and should not be
       allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
-      field is unset or set to `0`. 
+      field is unset or set to `0`.
 spec:
   validationFailureAction: Audit
   background: true
@@ -28,26 +28,17 @@ spec:
             - UPDATE
       validate:
         cel:
+          variables:
+            - name: allContainers
+              expression: >-
+                object.spec.containers + 
+                object.spec.?initContainers.orValue([]) + 
+                object.spec.?ephemeralContainers.orValue([])
           expressions:
-            - expression: >- 
-                object.spec.containers.all(container, !has(container.ports) || 
-                container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
+            - expression: >-
+                variables.allContainers.all(container, 
+                container.?ports.orValue([]).all(port, port.?hostPort.orValue(0) == 0))
               message: >-
-                Use of host ports is disallowed. The field spec.containers[*].ports[*].hostPort
-                must either be unset or set to `0`.
-
-            - expression: >- 
-                !has(object.spec.initContainers) || 
-                object.spec.initContainers.all(container, !has(container.ports) || 
-                container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
-              message: >-
-                Use of host ports is disallowed. The field spec.initContainers[*].ports[*].hostPort
-                must either be unset or set to `0`.
-
-            - expression: >- 
-                !has(object.spec.ephemeralContainers) ||
-                object.spec.ephemeralContainers.all(container, !has(container.ports) ||
-                container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
-              message: >-
-                Use of host ports is disallowed. The field spec.ephemeralContainers[*].ports[*].hostPort
-                must either be unset or set to `0`.
+                Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort,
+                spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
+                must either be unset or set to `0`.