
Not able to put multiple conditions in rego.

Open bj-1795 opened this issue 2 years ago • 10 comments

I have a use case where I want, for a specific container name, that it should run as root. I have the following rego code for this, but it is not working as expected.

apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sallowedcontainers
  annotations:
    description: >-
      Requires container names to begin with a string from the specified list.
spec:
  crd:
    spec:
      names:
        kind: K8sAllowedcontainers
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          type: object
          properties:
            privcontainers:
              description: The list of prefixes a container name is allowed to have.
              type: array
              items:
                type: string

  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sallowedcontainers
        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]

          # one entry per allowed prefix: true if the container name starts with it
          satisfied := [good | repo = input.parameters.privcontainers[_] ; good = startswith(container.name, repo)]

          not any(satisfied)
          container.securityContext.runAsUser == 0
          msg := sprintf("container <%v> has an invalid name, allowed prefixes are %v", [container.name, input.parameters.privcontainers])
        }

bj-1795 avatar Apr 06 '22 15:04 bj-1795

The following rego should work:

package k8sallowedcontainers
violation[{"msg": msg}] {
  container := input.review.object.spec.containers[_]
  repo := input.parameters.privcontainers[_]
  startswith(container.name, repo)
  container.securityContext.runAsUser != 0
  msg := sprintf("container <%v> is not running as root", [container.name])
}

chewong avatar Apr 06 '22 16:04 chewong

Hi @chewong, thank you for the reply, but this does not seem to work. I applied this code,

Constraint:

kind: K8sAllowedcontainers
metadata:
  name: repo-is-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    privcontainers:
      - "nginx"

I was able to apply the following YAML, which is not expected:

kind: Pod
metadata:
  name: nginx
  labels:
    env: test
spec:
  securityContext:
    runAsUser: 10
  containers:
  - name: feedback
    image: nginxs
    securityContext:
      runAsUser: 10

bj-1795 avatar Apr 07 '22 05:04 bj-1795

@chewong Could you help me with this?

bj-1795 avatar Apr 11 '22 06:04 bj-1795

Can you try the following YAML:

kind: K8sAllowedcontainers
apiVersion: constraints.gatekeeper.sh/v1beta1
metadata:
  name: repo-is-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    privcontainers:
      - "nginx"

chewong avatar Apr 11 '22 16:04 chewong

@chewong It's not working!!

bj-1795 avatar Apr 12 '22 05:04 bj-1795

Example has the container name nginxs, but constraint lists nginx, does that change things?

maxsmythe avatar Apr 12 '22 23:04 maxsmythe

nvm "startswith" is satisfied

maxsmythe avatar Apr 12 '22 23:04 maxsmythe

In @chewong's example, change `startswith(container.name, repo)` to `startswith(container.image, repo)`.

maxsmythe avatar Apr 12 '22 23:04 maxsmythe
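The resolved policy, with unit tests, as an added example that is not part of this thread or of the Gatekeeper project. It matches on `container.image` as suggested above, and goes one step further than the thread: the helper `effective_run_as_user` (an assumed name) falls back to the pod-level `securityContext` and then to `-1`, because a bare `container.securityContext.runAsUser != 0` is undefined when the field is absent, so that rule never fires for a container that simply omits it. The `pod` helper and its inputs are constructed to mirror the pod from this thread (image `nginxs`, allowed prefix `nginx`).

```rego
package k8sallowedcontainers

# Container-level runAsUser wins, then pod-level, then -1 (unset).
# Without this fallback an absent field makes the rule body undefined.
effective_run_as_user(container) = uid {
  pod_uid := object.get(input.review.object.spec, ["securityContext", "runAsUser"], -1)
  uid := object.get(container, ["securityContext", "runAsUser"], pod_uid)
}

violation[{"msg": msg}] {
  container := input.review.object.spec.containers[_]
  repo := input.parameters.privcontainers[_]
  startswith(container.image, repo)  # image, not name, per the fix above
  effective_run_as_user(container) != 0
  msg := sprintf("container <%v> (image %v) must run as root", [container.name, container.image])
}

# Constructed admission input modelled on the pod from this thread.
pod(image, pod_ctx, ctr_ctx) = inp {
  inp := {
    "review": {"object": {"spec": {
      "securityContext": pod_ctx,
      "containers": [{"name": "feedback", "image": image, "securityContext": ctr_ctx}]
    }}},
    "parameters": {"privcontainers": ["nginx"]}
  }
}

test_nginxs_image_not_root_is_flagged {
  inp := pod("nginxs", {"runAsUser": 10}, {"runAsUser": 10})
  count(violation) == 1 with input as inp
}

test_root_container_passes {
  inp := pod("nginxs", {"runAsUser": 10}, {"runAsUser": 0})
  count(violation) == 0 with input as inp
}

test_no_security_context_anywhere_is_flagged {
  inp := pod("nginxs", {}, {})
  count(violation) == 1 with input as inp
}

test_other_image_is_ignored {
  inp := pod("busybox", {}, {})
  count(violation) == 0 with input as inp
}
```

Save it as a `.rego` file and run `opa test -v <file>`; the same `violation` rule body drops into the `rego:` field of the ConstraintTemplate unchanged.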

Got it, thanks @maxsmythe

bj-1795 avatar Apr 13 '22 05:04 bj-1795

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jul 23 '22 01:07 stale[bot]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Oct 11 '22 06:10 stale[bot]

Closing, looks like the question has been answered. If not, please feel free to re-open the issue.

sozercan avatar Oct 12 '22 23:10 sozercan