fix: use cel.expression.message instead of validate.message

Signed-off-by: Mariam Fahmy <[email protected]>

pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Pod Security Standards (Baseline) in CEL"
   kyverno/kubernetesVersion: "1.22-1.23"
   kyverno/subject: "Pod"
-digest: 4cea74dff32982603a7ec8fc548785a2bfdcaadfead1c5f6bf107ebf0cdf8b68
+digest: 6a0ace9b1f5b3f25b34117db4936ba32c4fcbbdfe3d0dba9e61b6152dede3a53

pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml

@@ -22,10 +22,6 @@ spec:
             kinds:
               - Pod
       validate:
-        message: >-
-          Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
-          FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
-          are disallowed.
         cel:
           expressions:
             - expression: >-
@@ -35,6 +31,10 @@ spec:
                 !has(container.securityContext.capabilities.add) ||
                 container.securityContext.capabilities.add.all(capability,
                 ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability)))
+              message: >-
+                Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
+                FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
+                are disallowed.
     
             - expression: >-
                 !has(object.spec.initContainers) || 
@@ -43,6 +43,10 @@ spec:
                 !has(container.securityContext.capabilities.add) || 
                 container.securityContext.capabilities.add.all(capability, 
                 ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability)))
+              message: >-
+                Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
+                FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
+                are disallowed.
               
             - expression: >- 
                 !has(object.spec.ephemeralContainers) ||
@@ -51,3 +55,7 @@ spec:
                 !has(container.securityContext.capabilities.add) ||
                 container.securityContext.capabilities.add.all(capability,
                 ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability)))
+              message: >-
+                Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
+                FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
+                are disallowed.

pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Pod Security Standards (Baseline) in CEL"
   kyverno/kubernetesVersion: "1.22-1.23"
   kyverno/subject: "Pod"
-digest: 1e63e617693ec58e3bce1f6c2910f053f8cadda3bae5e301b765261214cb4a5c
+digest: 82a3924f4d25ed9bfc8e49395c7b0e8922f5ad0573830747dd3cf96dfb93ad7a

pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml

@@ -25,12 +25,12 @@ spec:
             kinds:
               - Pod
       validate:
-        message: >-
-          Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
-          spec.hostIPC, and spec.hostPID must be unset or set to `false`.
         cel:
           expressions:
             - expression: >-
                 (!has(object.spec.hostNetwork) || object.spec.hostNetwork == false) &&
                 (!has(object.spec.hostIPC) || object.spec.hostIPC == false) &&
                 (!has(object.spec.hostPID) || object.spec.hostPID == false)
+              message: >-
+                Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
+                spec.hostIPC, and spec.hostPID must be unset or set to `false`.

pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Pod Security Standards (Baseline)"
   kyverno/kubernetesVersion: "1.22-1.23"
   kyverno/subject: "Pod,Volume"
-digest: 4e7a1c820d02531134a1416311d5922a6a2a50d075680a79eb6fad507995941f
+digest: 8f309db940eca3692840c78e2662ff0c25fa718cf0f468b58cdfd4c3d1011274

pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml

@@ -24,8 +24,7 @@ spec:
             kinds:
               - Pod
       validate:
-        message: >-
-          HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
         cel:
           expressions:
             - expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"
+              message: "HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset"

pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Pod Security Standards (Baseline) in CEL"
   kyverno/kubernetesVersion: "1.22-1.23"
   kyverno/subject: "Pod"
-digest: 478b21d1b284b98b28068fc9f2bbf711fe3998abe363bc1911f34dc2200060bc
+digest: 5162e3082e39a94078ee5137eb95c0230ab22def7332ff3cae007862f67f5eec

pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml

@@ -24,20 +24,24 @@ spec:
             kinds:
               - Pod
       validate:
-        message: >-
-          The only permitted hostPorts are in the range 5000-6000.
         cel:
           expressions:
             - expression: >- 
                 object.spec.containers.all(container, !has(container.ports) ||
                 container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000)))
+              message: >-
+                The only permitted hostPorts are in the range 5000-6000.
 
             - expression: >- 
                 !has(object.spec.initContainers) ||
                 object.spec.initContainers.all(container, !has(container.ports) ||
                 container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000)))
+              message: >-
+                The only permitted hostPorts are in the range 5000-6000.
 
             - expression: >- 
                 !has(object.spec.ephemeralContainers) ||
                 object.spec.ephemeralContainers.all(container, !has(container.ports) ||
                 container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000)))
+              message: >-
+                The only permitted hostPorts are in the range 5000-6000.

pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Pod Security Standards (Baseline) in CEL"
   kyverno/kubernetesVersion: "1.22-1.23"
   kyverno/subject: "Pod"
-digest: d6fac569ee432e57af4d07e046ac31922d4f55e00dcaf66064cc7bc0426b7839
+digest: e5c3baa87ccb5cbbaeb6594e12e4781c8fca0d72a5a513b2a6f8efc80e00b200

pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml

@@ -24,22 +24,27 @@ spec:
             kinds:
               - Pod
       validate:
-        message: >-
-          Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
-          , spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
-          must either be unset or set to `0`.
         cel:
           expressions:
             - expression: >- 
                 object.spec.containers.all(container, !has(container.ports) || 
                 container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
+              message: >-
+                Use of host ports is disallowed. The field spec.containers[*].ports[*].hostPort
+                must either be unset or set to `0`.
 
             - expression: >- 
                 !has(object.spec.initContainers) || 
                 object.spec.initContainers.all(container, !has(container.ports) || 
                 container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
+              message: >-
+                Use of host ports is disallowed. The field spec.initContainers[*].ports[*].hostPort
+                must either be unset or set to `0`.
 
             - expression: >- 
                 !has(object.spec.ephemeralContainers) ||
                 object.spec.ephemeralContainers.all(container, !has(container.ports) ||
                 container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
+              message: >-
+                Use of host ports is disallowed. The field spec.ephemeralContainers[*].ports[*].hostPort
+                must either be unset or set to `0`.

pod-security-cel/baseline/disallow-host-process/artifacthub-pkg.yml

@@ -19,4 +19,4 @@ annotations:
   kyverno/category: "Pod Security Standards (Baseline) in CEL"
   kyverno/kubernetesVersion: "1.22-1.23"
   kyverno/subject: "Pod"
-digest: 71667d051762fdebded4af34bca72e5cd84007a3323fa00afc66cc724eb19352
+digest: 33a4b3765e2a54711df4379c41babb8b92f748d784bc79df049fb4fd225633a1

pod-security-cel/baseline/disallow-host-process/disallow-host-process.yaml

@@ -25,29 +25,33 @@ spec:
             kinds:
               - Pod
       validate:
-        message: >-
-          HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
-          spec.containers[*].securityContext.windowsOptions.hostProcess, spec.initContainers[*].securityContext.windowsOptions.hostProcess,
-          and spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess must either be undefined
-          or set to `false`.
         cel:
           expressions:
             - expression: >- 
                 object.spec.containers.all(container, !has(container.securityContext) ||
                 !has(container.securityContext.windowsOptions) ||
                 !has(container.securityContext.windowsOptions.hostProcess) ||
                 container.securityContext.windowsOptions.hostProcess == false)
+              message: >-
+                HostProcess containers are disallowed. The field spec.containers[*].securityContext.windowsOptions.hostProcess
+                must either be undefined or set to `false`.
 
             - expression: >- 
                 !has(object.spec.initContainers) ||
                 object.spec.initContainers.all(container, !has(container.securityContext) ||
                 !has(container.securityContext.windowsOptions) ||
                 !has(container.securityContext.windowsOptions.hostProcess) ||
                 container.securityContext.windowsOptions.hostProcess == false)
+              message: >-
+                HostProcess containers are disallowed. The field spec.initContainers[*].securityContext.windowsOptions.hostProcess
+                must either be undefined or set to `false`.
 
             - expression: >- 
                 !has(object.spec.ephemeralContainers) ||
                 object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
                 !has(container.securityContext.windowsOptions) ||
                 !has(container.securityContext.windowsOptions.hostProcess) ||
                 container.securityContext.windowsOptions.hostProcess == false)
+              message: >-
+                HostProcess containers are disallowed. The field spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess
+                must either be undefined or set to `false`.