fix: use cel.expression.message instead of validate.message

Signed-off-by: Mariam Fahmy <[email protected]>
kyverno · Nov 7, 2023 · 5bf1775 · 5bf1775
1 parent 4caf22a
commit 5bf1775
Show file tree

Hide file tree

Showing 10 changed files with 65 additions and 38 deletions.
diff --git a/pod-security-cel/baseline/disallow-privileged-containers/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-privileged-containers/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Pod Security Standards (Baseline) in CEL"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: 0c27d86370715bfe2fcae86c9390ca2e95f889f350a3153ba8685fdb5f5a8755
+digest: 4c48385be967ef691a8d8fc839497328e9b4cfdfdd0fd767949e9f0299ba966e
diff --git a/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml b/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml
@@ -23,24 +23,30 @@ spec:
             kinds:
               - Pod
       validate:
-        message: >-
-          Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
-          and spec.initContainers[*].securityContext.privileged must be unset or set to `false`.
         cel:
           expressions:
             - expression: >-
                 object.spec.containers.all(container, !has(container.securityContext) ||
                 !has(container.securityContext.privileged) ||
                 container.securityContext.privileged == false)
+              message: >-
+                Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
+                must be unset or set to `false`.
 
             - expression: >-
                 !has(object.spec.initContainers) ||
                 object.spec.initContainers.all(container, !has(container.securityContext) ||
                 !has(container.securityContext.privileged) ||
                 container.securityContext.privileged == false)
+              message: >-
+                Privileged mode is disallowed. The fields spec.initContainers[*].securityContext.privileged
+                must be unset or set to `false`.
 
             - expression: >-
                 !has(object.spec.ephemeralContainers) ||
                 object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
                 !has(container.securityContext.privileged) ||
                 container.securityContext.privileged == false)
+              message: >-
+                Privileged mode is disallowed. The fields spec.ephemeralContainers[*].securityContext.privileged
+                must be unset or set to `false`.
diff --git a/pod-security-cel/baseline/disallow-proc-mount/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-proc-mount/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Pod Security Standards (Baseline) in CEL"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: ae39abc105a9d5739fdfbd384e8339e60c38958ffdefb13d0d440df2a08414fd
+digest: 48fbac14beda4385f57f55e55b84f99cfed3f8b5e88ab6c60046fdde00bf1273
diff --git a/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml b/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml
@@ -25,26 +25,30 @@ spec:
             kinds:
               - Pod
       validate:
-        message: >-
-          Changing the proc mount from the default is not allowed. The fields
-          spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,
-          and spec.ephemeralContainers[*].securityContext.procMount must be unset or
-          set to `Default`.
         cel:
           expressions:
             - expression: >- 
                 object.spec.containers.all(container, !has(container.securityContext) ||
                 !has(container.securityContext.procMount) ||
                 container.securityContext.procMount == 'Default')
+              message: >-
+                Changing the proc mount from the default is not allowed. The field
+                spec.containers[*].securityContext.procMount must be unset or set to `Default`.
       
             - expression: >-
                 !has(object.spec.initContainers) ||
                 object.spec.initContainers.all(container, !has(container.securityContext) ||
                 !has(container.securityContext.procMount) ||
                 container.securityContext.procMount == 'Default')
+              message: >-
+                Changing the proc mount from the default is not allowed. The field
+                spec.initContainers[*].securityContext.procMount must be unset or set to `Default`.
               
             - expression: >- 
                 !has(object.spec.ephemeralContainers) ||
                 object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
                 !has(container.securityContext.procMount) ||
                 container.securityContext.procMount == 'Default')
+              message: >-
+                Changing the proc mount from the default is not allowed. The field
+                spec.ephemeralContainers[*].securityContext.procMount must be unset or set to `Default`.
diff --git a/pod-security-cel/baseline/disallow-selinux/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-selinux/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Pod Security Standards (Baseline) in CEL"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: 47a3234e468d8f471a46a9a49fb053f6ae8a6576ecc732f34f9535e11feea43b
+digest: d6379e3637a2df6d05a1613d7a000aff5cf4f6f4cc983395574238cdd225fa39
diff --git a/pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml b/pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml
@@ -23,11 +23,6 @@ spec:
             kinds:
               - Pod
       validate:
-        message: >-
-          Setting the SELinux type is restricted. The fields
-          spec.securityContext.seLinuxOptions.type, spec.containers[*].securityContext.seLinuxOptions.type,
-          , spec.initContainers[*].securityContext.seLinuxOptions, and spec.ephemeralContainers[*].securityContext.seLinuxOptions.type
-          must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
         cel:
           expressions:
             - expression: >- 
@@ -37,6 +32,9 @@ spec:
                 object.spec.securityContext.seLinuxOptions.type == 'container_t' ||
                 object.spec.securityContext.seLinuxOptions.type == 'container_init_t' ||
                 object.spec.securityContext.seLinuxOptions.type == 'container_kvm_t'
+              message: >-
+                Setting the SELinux type is restricted. The field spec.securityContext.seLinuxOptions.type 
+                must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
 
             - expression: >-
                 object.spec.containers.all(container, !has(container.securityContext) ||
@@ -45,6 +43,9 @@ spec:
                 container.securityContext.seLinuxOptions.type == 'container_t' ||
                 container.securityContext.seLinuxOptions.type == 'container_init_t' ||
                 container.securityContext.seLinuxOptions.type == 'container_kvm_t')
+              message: >-
+                Setting the SELinux type is restricted. The field spec.containers[*].securityContext.seLinuxOptions.type 
+                must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
 
             - expression: >- 
                 !has(object.spec.initContainers) ||
@@ -54,6 +55,9 @@ spec:
                 container.securityContext.seLinuxOptions.type == 'container_t' ||
                 container.securityContext.seLinuxOptions.type == 'container_init_t' ||
                 container.securityContext.seLinuxOptions.type == 'container_kvm_t')
+              message: >-
+                Setting the SELinux type is restricted. The field spec.initContainers[*].securityContext.seLinuxOptions.type 
+                must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
 
             - expression: >- 
                 !has(object.spec.ephemeralContainers) ||
@@ -63,40 +67,48 @@ spec:
                 container.securityContext.seLinuxOptions.type == 'container_t' ||
                 container.securityContext.seLinuxOptions.type == 'container_init_t' ||
                 container.securityContext.seLinuxOptions.type == 'container_kvm_t')
+              message: >-
+                Setting the SELinux type is restricted. The field spec.ephemeralContainers[*].securityContext.seLinuxOptions.type 
+                must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
     - name: selinux-user-role
       match:
         any:
         - resources:
             kinds:
               - Pod
       validate:
-        message: >-
-          Setting the SELinux user or role is forbidden. The fields
-          spec.securityContext.seLinuxOptions.user, spec.securityContext.seLinuxOptions.role,
-          spec.containers[*].securityContext.seLinuxOptions.user, spec.containers[*].securityContext.seLinuxOptions.role,
-          spec.initContainers[*].securityContext.seLinuxOptions.user, spec.initContainers[*].securityContext.seLinuxOptions.role,
-          spec.ephemeralContainers[*].securityContext.seLinuxOptions.user, and spec.ephemeralContainers[*].securityContext.seLinuxOptions.role
-          must be unset.
         cel:
           expressions:
             - expression: >- 
                 !has(object.spec.securityContext) ||
                 !has(object.spec.securityContext.seLinuxOptions) ||
                 (!has(object.spec.securityContext.seLinuxOptions.user) && !has(object.spec.securityContext.seLinuxOptions.role))
+              message: >-
+                Setting the SELinux user or role is forbidden. The fields
+                spec.securityContext.seLinuxOptions.user and spec.securityContext.seLinuxOptions.role must be unset.
 
             - expression: >- 
                 object.spec.containers.all(container, !has(container.securityContext) ||
                 !has(container.securityContext.seLinuxOptions) ||
                 (!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role)))
+              message: >-
+                Setting the SELinux user or role is forbidden. The fields
+                spec.containers[*].securityContext.seLinuxOptions.user and spec.containers[*].securityContext.seLinuxOptions.role must be unset.
 
             - expression: >- 
                 !has(object.spec.initContainers) ||
                 object.spec.initContainers.all(container, !has(container.securityContext) ||
                 !has(container.securityContext.seLinuxOptions) ||
                 (!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role)))
+              message: >-
+                Setting the SELinux user or role is forbidden. The fields
+                spec.initContainers[*].securityContext.seLinuxOptions.user and spec.initContainers[*].securityContext.seLinuxOptions.role must be unset.
 
             - expression: >- 
                 !has(object.spec.ephemeralContainers) ||
                 object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
                 !has(container.securityContext.seLinuxOptions) ||
                 (!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role)))
+              message: >-
+                Setting the SELinux user or role is forbidden. The fields
+                spec.ephemeralContainers[*].securityContext.seLinuxOptions.user and spec.ephemeralContainers[*].securityContext.seLinuxOptions.role must be unset.
diff --git a/pod-security-cel/baseline/restrict-seccomp/artifacthub-pkg.yml b/pod-security-cel/baseline/restrict-seccomp/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Pod Security Standards (Baseline) in CEL"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: e3a77f1b737082075994a31468cbd0b8d578c4514d112bda9ee4fb7e0edd8ce6
+digest: 047609777a0e1185127b20051beb2c07c98c8afd584602ecf2d1efd9d830b1c5
diff --git a/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml b/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml
@@ -24,13 +24,6 @@ spec:
             kinds:
               - Pod
       validate:
-        message: >-
-          Use of custom Seccomp profiles is disallowed. The fields
-          spec.securityContext.seccompProfile.type,
-          spec.containers[*].securityContext.seccompProfile.type,
-          spec.initContainers[*].securityContext.seccompProfile.type, and
-          spec.ephemeralContainers[*].securityContext.seccompProfile.type
-          must be unset or set to `RuntimeDefault` or `Localhost`.
         cel:
           expressions:
             - expression: >- 
@@ -39,13 +32,19 @@ spec:
                 !has(object.spec.securityContext.seccompProfile.type) ||
                 object.spec.securityContext.seccompProfile.type == 'RuntimeDefault' ||
                 object.spec.securityContext.seccompProfile.type == 'Localhost'
+              message: >-
+                Use of custom Seccomp profiles is disallowed. The field
+                spec.securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`.
 
             - expression: >- 
                 object.spec.containers.all(container, !has(container.securityContext) ||
                 !has(container.securityContext.seccompProfile) ||
                 !has(container.securityContext.seccompProfile.type) ||
                 container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
                 container.securityContext.seccompProfile.type == 'Localhost')
+              message: >-
+                Use of custom Seccomp profiles is disallowed. The field
+                spec.containers[*].securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`.
 
             - expression: >- 
                 !has(object.spec.initContainers) ||
@@ -54,6 +53,9 @@ spec:
                 !has(container.securityContext.seccompProfile.type) ||
                 container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
                 container.securityContext.seccompProfile.type == 'Localhost')
+              message: >-
+                Use of custom Seccomp profiles is disallowed. The field
+                spec.initContainers[*].securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`.
 
             - expression: >- 
                 !has(object.spec.ephemeralContainers) ||
@@ -62,3 +64,6 @@ spec:
                 !has(container.securityContext.seccompProfile.type) ||
                 container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
                 container.securityContext.seccompProfile.type == 'Localhost')
+              message: >-
+                Use of custom Seccomp profiles is disallowed. The field
+                spec.ephemeralContainers[*].securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`.
diff --git a/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml b/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Pod Security Standards (Baseline) in CEL"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: 9434617911682d4d4913a417cdc95e1405fd868a0f835d20d8253b0d65760658
+digest: be45deb93071e4e2e062f431d4c14f404e538c12fa6a387beb9f6053d9d4f535
diff --git a/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml b/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml
@@ -27,12 +27,6 @@ spec:
             kinds:
               - Pod
       validate:
-        message: >-
-          Setting additional sysctls above the allowed type is disallowed.
-          The field spec.securityContext.sysctls must be unset or not use any other names
-          than kernel.shm_rmid_forced, net.ipv4.ip_local_port_range,
-          net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and
-          net.ipv4.ping_group_range.
         cel:
           expressions:
             - expression: >- 
@@ -44,3 +38,9 @@ spec:
                 sysctl.name == 'net.ipv4.ip_unprivileged_port_start' ||
                 sysctl.name == 'net.ipv4.tcp_syncookies' ||
                 sysctl.name == 'net.ipv4.ping_group_range')
+              message: >-
+                Setting additional sysctls above the allowed type is disallowed.
+                The field spec.securityContext.sysctls must be unset or not use any other names
+                than kernel.shm_rmid_forced, net.ipv4.ip_local_port_range,
+                net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and
+                net.ipv4.ping_group_range.