fixing CEL code

Signed-off-by: Jaydip Gabani <[email protected]>
open-policy-agent · Oct 24, 2024 · 0b65a32 · 0b65a32
1 parent 42c932d
commit 0b65a32
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 13 deletions.
diff --git a/artifacthub/library/pod-security-policy/seccomp/1.1.0/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/seccomp/1.1.0/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspseccomp
 displayName: Seccomp
 createdAt: "2024-06-03T13:44:11Z"
 description: Controls the seccomp profile used by containers. Corresponds to the `seccomp.security.alpha.kubernetes.io/allowedProfileNames` annotation on a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
-digest: 4529a9f6a8ede5ae860a81f64e349292986498b2beabe425ddb61aebe61702d8
+digest: 483941dab0df9cb51189b131e309bf927928b69b46ed51986d2f51e30fe758af
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/seccomp
 keywords:

diff --git a/artifacthub/library/pod-security-policy/seccomp/1.1.0/template.yaml b/artifacthub/library/pod-security-policy/seccomp/1.1.0/template.yaml
@@ -120,7 +120,7 @@ spec:
               variables.inputAllowedProfiles.exists(profile, profile == "localhost/*") || variables.derivedAllowedLocalhostFiles.exists(profile, profile == "localhost/*")
           - name: allowedProfiles
             expression: |
-              (variables.allowedProfilesTranslation + variables.derivedAllowedLocalhostFiles).filter(entry, entry != "localhost/*")
+              (variables.allowedProfilesTranslation + variables.derivedAllowedLocalhostFiles)
           - name: hasPodSeccomp
             expression: |
               has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.seccompProfile)
@@ -160,7 +160,7 @@ spec:
               has(variables.hasPodSeccomp) && has(variables.anyObject.spec.securityContext.seccompProfile.type) ? 
                 (variables.anyObject.spec.securityContext.seccompProfile.type == "RuntimeDefault" ? (
                   variables.allowedProfiles.exists(profile, profile == "runtime/default") ? "runtime/default" : variables.allowedProfiles.exists(profile, profile == "docker/default") ? "docker/default" : "runtime/default") : 
-                variables.anyObject.spec.securityContext.seccompProfile.type == "Unconfined" ? "unconfined" : variables.anyObject.spec.securityContext.seccompProfile.type == "Localhost" ? "localhost/" + variables.anyObject.spec.securityContext.seccompProfile.localhostProfile : "")
+                variables.anyObject.spec.securityContext.seccompProfile.type == "Unconfined" ? "unconfined" : variables.anyObject.spec.securityContext.seccompProfile.type == "Localhost" ? "localhost/" + variables.podLocalHostProfile : "")
                 : ""
           - name: podSecurityContextProfiles
             expression: |
@@ -205,7 +205,7 @@ spec:
           - name: badContainerProfiles
             expression: |
               variables.allContainerProfiles.filter(badContainerProfile,
-                  !(badContainerProfile.profile in variables.allowedProfiles)
+                  !((badContainerProfile.profile in variables.allowedProfiles) || (badContainerProfile.profile.startsWith("localhost/") && variables.localhostWildcardAllowed))
               ).map(badProfile, "Seccomp profile '" + badProfile.profile + "' is not allowed for container '" + badProfile.container + "'. Found at: " + badProfile.location + ". Allowed profiles: " + variables.allowedProfiles.join(", "))
           validations:
           - expression: 'size(variables.badContainerProfiles) == 0'

diff --git a/library/pod-security-policy/seccomp/template.yaml b/library/pod-security-policy/seccomp/template.yaml
@@ -120,7 +120,7 @@ spec:
               variables.inputAllowedProfiles.exists(profile, profile == "localhost/*") || variables.derivedAllowedLocalhostFiles.exists(profile, profile == "localhost/*")
           - name: allowedProfiles
             expression: |
-              (variables.allowedProfilesTranslation + variables.derivedAllowedLocalhostFiles).filter(entry, entry != "localhost/*")
+              (variables.allowedProfilesTranslation + variables.derivedAllowedLocalhostFiles)
           - name: hasPodSeccomp
             expression: |
               has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.seccompProfile)
@@ -160,7 +160,7 @@ spec:
               has(variables.hasPodSeccomp) && has(variables.anyObject.spec.securityContext.seccompProfile.type) ? 
                 (variables.anyObject.spec.securityContext.seccompProfile.type == "RuntimeDefault" ? (
                   variables.allowedProfiles.exists(profile, profile == "runtime/default") ? "runtime/default" : variables.allowedProfiles.exists(profile, profile == "docker/default") ? "docker/default" : "runtime/default") : 
-                variables.anyObject.spec.securityContext.seccompProfile.type == "Unconfined" ? "unconfined" : variables.anyObject.spec.securityContext.seccompProfile.type == "Localhost" ? "localhost/" + variables.anyObject.spec.securityContext.seccompProfile.localhostProfile : "")
+                variables.anyObject.spec.securityContext.seccompProfile.type == "Unconfined" ? "unconfined" : variables.anyObject.spec.securityContext.seccompProfile.type == "Localhost" ? "localhost/" + variables.podLocalHostProfile : "")
                 : ""
           - name: podSecurityContextProfiles
             expression: |
@@ -205,7 +205,7 @@ spec:
           - name: badContainerProfiles
             expression: |
               variables.allContainerProfiles.filter(badContainerProfile,
-                  !(badContainerProfile.profile in variables.allowedProfiles)
+                  !((badContainerProfile.profile in variables.allowedProfiles) || (badContainerProfile.profile.startsWith("localhost/") && variables.localhostWildcardAllowed))
               ).map(badProfile, "Seccomp profile '" + badProfile.profile + "' is not allowed for container '" + badProfile.container + "'. Found at: " + badProfile.location + ". Allowed profiles: " + variables.allowedProfiles.join(", "))
           validations:
           - expression: 'size(variables.badContainerProfiles) == 0'

diff --git a/src/pod-security-policy/seccomp/src.cel b/src/pod-security-policy/seccomp/src.cel
@@ -48,7 +48,7 @@ variables:
     variables.inputAllowedProfiles.exists(profile, profile == "localhost/*") || variables.derivedAllowedLocalhostFiles.exists(profile, profile == "localhost/*")
 - name: allowedProfiles
   expression: |
-    (variables.allowedProfilesTranslation + variables.derivedAllowedLocalhostFiles).filter(entry, entry != "localhost/*")
+    (variables.allowedProfilesTranslation + variables.derivedAllowedLocalhostFiles)
 - name: hasPodSeccomp
   expression: |
     has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.seccompProfile)
@@ -88,7 +88,7 @@ variables:
     has(variables.hasPodSeccomp) && has(variables.anyObject.spec.securityContext.seccompProfile.type) ? 
       (variables.anyObject.spec.securityContext.seccompProfile.type == "RuntimeDefault" ? (
         variables.allowedProfiles.exists(profile, profile == "runtime/default") ? "runtime/default" : variables.allowedProfiles.exists(profile, profile == "docker/default") ? "docker/default" : "runtime/default") : 
-      variables.anyObject.spec.securityContext.seccompProfile.type == "Unconfined" ? "unconfined" : variables.anyObject.spec.securityContext.seccompProfile.type == "Localhost" ? "localhost/" + variables.anyObject.spec.securityContext.seccompProfile.localhostProfile : "")
+      variables.anyObject.spec.securityContext.seccompProfile.type == "Unconfined" ? "unconfined" : variables.anyObject.spec.securityContext.seccompProfile.type == "Localhost" ? "localhost/" + variables.podLocalHostProfile : "")
       : ""
 - name: podSecurityContextProfiles
   expression: |
@@ -133,7 +133,7 @@ variables:
 - name: badContainerProfiles
   expression: |
     variables.allContainerProfiles.filter(badContainerProfile,
-        !(badContainerProfile.profile in variables.allowedProfiles)
+        !((badContainerProfile.profile in variables.allowedProfiles) || (badContainerProfile.profile.startsWith("localhost/") && variables.localhostWildcardAllowed))
     ).map(badProfile, "Seccomp profile '" + badProfile.profile + "' is not allowed for container '" + badProfile.container + "'. Found at: " + badProfile.location + ". Allowed profiles: " + variables.allowedProfiles.join(", "))
 validations:
 - expression: 'size(variables.badContainerProfiles) == 0'

diff --git a/website/docs/validation/seccomp.md b/website/docs/validation/seccomp.md
@@ -132,7 +132,7 @@ spec:
               variables.inputAllowedProfiles.exists(profile, profile == "localhost/*") || variables.derivedAllowedLocalhostFiles.exists(profile, profile == "localhost/*")
           - name: allowedProfiles
             expression: |
-              (variables.allowedProfilesTranslation + variables.derivedAllowedLocalhostFiles).filter(entry, entry != "localhost/*")
+              (variables.allowedProfilesTranslation + variables.derivedAllowedLocalhostFiles)
           - name: hasPodSeccomp
             expression: |
               has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.seccompProfile)
@@ -172,7 +172,7 @@ spec:
               has(variables.hasPodSeccomp) && has(variables.anyObject.spec.securityContext.seccompProfile.type) ? 
                 (variables.anyObject.spec.securityContext.seccompProfile.type == "RuntimeDefault" ? (
                   variables.allowedProfiles.exists(profile, profile == "runtime/default") ? "runtime/default" : variables.allowedProfiles.exists(profile, profile == "docker/default") ? "docker/default" : "runtime/default") : 
-                variables.anyObject.spec.securityContext.seccompProfile.type == "Unconfined" ? "unconfined" : variables.anyObject.spec.securityContext.seccompProfile.type == "Localhost" ? "localhost/" + variables.anyObject.spec.securityContext.seccompProfile.localhostProfile : "")
+                variables.anyObject.spec.securityContext.seccompProfile.type == "Unconfined" ? "unconfined" : variables.anyObject.spec.securityContext.seccompProfile.type == "Localhost" ? "localhost/" + variables.podLocalHostProfile : "")
                 : ""
           - name: podSecurityContextProfiles
             expression: |
@@ -217,7 +217,7 @@ spec:
           - name: badContainerProfiles
             expression: |
               variables.allContainerProfiles.filter(badContainerProfile,
-                  !(badContainerProfile.profile in variables.allowedProfiles)
+                  !((badContainerProfile.profile in variables.allowedProfiles) || (badContainerProfile.profile.startsWith("localhost/") && variables.localhostWildcardAllowed))
               ).map(badProfile, "Seccomp profile '" + badProfile.profile + "' is not allowed for container '" + badProfile.container + "'. Found at: " + badProfile.location + ". Allowed profiles: " + variables.allowedProfiles.join(", "))
           validations:
           - expression: 'size(variables.badContainerProfiles) == 0'