Skip to content

Conversation

@JaydipGabani
Copy link
Contributor

@JaydipGabani JaydipGabani commented May 22, 2024

What this PR does / why we need it:

Which issue(s) does this PR fix (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #541

Special notes for your reviewer:

@JaydipGabani JaydipGabani requested a review from a team as a code owner May 22, 2024 21:17
Signed-off-by: Jaydip Gabani <[email protected]>
@JaydipGabani JaydipGabani assigned maxsmythe and unassigned maxsmythe May 29, 2024
@JaydipGabani JaydipGabani changed the title chore: adding cel for psp/volume and pss/selinux chore: adding cel for psp/volume and psp/selinux May 29, 2024
Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One comment on pod-level check

Signed-off-by: Jaydip Gabani <[email protected]>
@JaydipGabani JaydipGabani requested a review from maxsmythe June 3, 2024 22:33
Copy link
Member

@sozercan sozercan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! LGTM

@stale
Copy link

stale bot commented Dec 3, 2024

This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Dec 3, 2024
variables:
- name: usingAllowedSELinuxOptions
expression: |
has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.seLinuxOptions) ?
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test looks wrong. Shouldn't we be assuming an option is disallowed unless specifically allowed by parameters?

As-written, it looks like undefined parameters => allow everything, which would seem to drift from the rego.

Adding gator tests for this would validate the drift.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! I fixed it, it should be in parity with rego now.

@JaydipGabani
Copy link
Contributor Author

@sozercan @maxsmythe @ritazh as of now the rego written for policy will deny a pod when disallowed seLinuxOptions are defined at pod level but the container is exempt. Is that intended behavior?

has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.seLinuxOptions) ?
(has(variables.params.allowedSELinuxOptions) ?
(
size(variables.params.allowedSELinuxOptions) > 0 && variables.params.allowedSELinuxOptions.all(opts,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think .all() is correct here, the way the rego reads, at least one provided allowedSELinuxOptions must be satisfied.

As always, verify with testing.

(
size(variables.params.allowedSELinuxOptions) > 0 && variables.params.allowedSELinuxOptions.all(opts,
(has(opts.level) ? has(variables.anyObject.spec.securityContext.seLinuxOptions.level) && (variables.anyObject.spec.securityContext.seLinuxOptions.level == opts.level) : !has(variables.anyObject.spec.securityContext.seLinuxOptions.level)) &&
(has(opts.role) ? has(variables.anyObject.spec.securityContext.seLinuxOptions.role) && (variables.anyObject.spec.securityContext.seLinuxOptions.role == opts.role) : !has(variables.anyObject.spec.securityContext.seLinuxOptions.role)) &&
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As mentioned in previous comment, this seems incorrect. It looks like you are disabling the check if the params side is undefined, as opposed to skipping if securityContext side is undefined.

Previous comment:

This test looks wrong. Shouldn't we be assuming an option is disallowed unless specifically allowed by parameters?

As-written, it looks like undefined parameters => allow everything, which would seem to drift from the rego.

Adding gator tests for this would validate the drift.

Please add the gator tests for this scenario, relying on reviewers to catch this drift consistently is brittle.

) :
true)
: true
- name: containers
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have not looked at containers code, but I'm guessing it will need to be modified to comply with pod level code.

@stale
Copy link

stale bot commented Apr 15, 2025

This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Apr 15, 2025
@stale
Copy link

stale bot commented Jun 14, 2025

This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jun 14, 2025
@JaydipGabani
Copy link
Contributor Author

Not stale

@stale stale bot removed the stale label Jun 16, 2025
@stale
Copy link

stale bot commented Aug 15, 2025

This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Aug 15, 2025
@JaydipGabani
Copy link
Contributor Author

not stale

@stale stale bot removed the stale label Aug 18, 2025
@stale
Copy link

stale bot commented Oct 17, 2025

This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Oct 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add CEL code for PSP Policies in library

4 participants