updating CEL

Signed-off-by: Jaydip Gabani <[email protected]>
open-policy-agent · Oct 30, 2024 · 3a23903 · 3a23903
1 parent 1c04d37
commit 3a23903
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 5 deletions.
diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spsphostnamespace
 displayName: Host Namespace
 createdAt: "2024-06-04T20:21:50Z"
 description: Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
-digest: 5e4f8501fb48a18710d435ac83273b74420023033265ca8f5eb385aec4c345f7
+digest: 9fa3daeeb776d34c8197c11f18781ec607530ec386abea856aa61d65ce90412b
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/host-namespaces
 keywords:

diff --git a/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/template.yaml b/artifacthub/library/pod-security-policy/host-namespaces/1.1.0/template.yaml
@@ -30,9 +30,15 @@ spec:
       - engine: K8sNativeValidation
         source:
           variables:
+          - name: sharingHostIPC
+            expression: |
+              has(variables.anyObject.spec.hostIPC) ? variables.anyObject.spec.hostIPC : false
+          - name: sharingHostPID
+            expression: |
+              has(variables.anyObject.spec.hostPID) ? variables.anyObject.spec.hostPID : false
           - name: sharingNamespace
             expression: |
-              has(variables.anyObject.spec.hostPID) || has(variables.anyObject.spec.hostIPC) ? variables.anyObject.spec.hostPID || variables.anyObject.spec.hostIPC : false
+              variables.sharingHostIPC || variables.sharingHostPID
           validations:
           - expression: '(has(request.operation) && request.operation == "UPDATE") || !variables.sharingNamespace'
             messageExpression: '"Sharing the host namespace is not allowed: " + variables.anyObject.metadata.namespace'

diff --git a/library/pod-security-policy/host-namespaces/template.yaml b/library/pod-security-policy/host-namespaces/template.yaml
@@ -30,9 +30,15 @@ spec:
       - engine: K8sNativeValidation
         source:
           variables:
+          - name: sharingHostIPC
+            expression: |
+              has(variables.anyObject.spec.hostIPC) ? variables.anyObject.spec.hostIPC : false
+          - name: sharingHostPID
+            expression: |
+              has(variables.anyObject.spec.hostPID) ? variables.anyObject.spec.hostPID : false
           - name: sharingNamespace
             expression: |
-              has(variables.anyObject.spec.hostPID) || has(variables.anyObject.spec.hostIPC) ? variables.anyObject.spec.hostPID || variables.anyObject.spec.hostIPC : false
+              variables.sharingHostIPC || variables.sharingHostPID
           validations:
           - expression: '(has(request.operation) && request.operation == "UPDATE") || !variables.sharingNamespace'
             messageExpression: '"Sharing the host namespace is not allowed: " + variables.anyObject.metadata.namespace'

diff --git a/src/pod-security-policy/host-namespaces/src.cel b/src/pod-security-policy/host-namespaces/src.cel
@@ -1,7 +1,13 @@
 variables:
+- name: sharingHostIPC
+  expression: |
+    has(variables.anyObject.spec.hostIPC) ? variables.anyObject.spec.hostIPC : false
+- name: sharingHostPID
+  expression: |
+    has(variables.anyObject.spec.hostPID) ? variables.anyObject.spec.hostPID : false
 - name: sharingNamespace
   expression: |
-    has(variables.anyObject.spec.hostPID) || has(variables.anyObject.spec.hostIPC) ? variables.anyObject.spec.hostPID || variables.anyObject.spec.hostIPC : false
+    variables.sharingHostIPC || variables.sharingHostPID
 validations:
 - expression: '(has(request.operation) && request.operation == "UPDATE") || !variables.sharingNamespace'
   messageExpression: '"Sharing the host namespace is not allowed: " + variables.anyObject.metadata.namespace'
diff --git a/website/docs/validation/host-namespaces.md b/website/docs/validation/host-namespaces.md
@@ -42,9 +42,15 @@ spec:
       - engine: K8sNativeValidation
         source:
           variables:
+          - name: sharingHostIPC
+            expression: |
+              has(variables.anyObject.spec.hostIPC) ? variables.anyObject.spec.hostIPC : false
+          - name: sharingHostPID
+            expression: |
+              has(variables.anyObject.spec.hostPID) ? variables.anyObject.spec.hostPID : false
           - name: sharingNamespace
             expression: |
-              has(variables.anyObject.spec.hostPID) || has(variables.anyObject.spec.hostIPC) ? variables.anyObject.spec.hostPID || variables.anyObject.spec.hostIPC : false
+              variables.sharingHostIPC || variables.sharingHostPID
           validations:
           - expression: '(has(request.operation) && request.operation == "UPDATE") || !variables.sharingNamespace'
             messageExpression: '"Sharing the host namespace is not allowed: " + variables.anyObject.metadata.namespace'