From 1f46126315a1bc4a15bae1ec21d6287e27581975 Mon Sep 17 00:00:00 2001
From: Mohamed Awnallah
Date: Tue, 25 Jun 2024 04:08:29 +0300
Subject: [PATCH] multi: iterate all container types

In this commit, we ensure policies apply to `ephemeralContainers`, `initContainers`, and `containers`.

Signed-off-by: Mohamed Awnallah
---
 best-practices/require-probes/require-probes.yaml | 2 +-
 .../set-karpenter-non-cpu-limits.yaml | 4 ++--
 .../add-certificates-volume/add-certificates-volume.yaml | 2 +-
 other/add-image-as-env-var/add-image-as-env-var.yaml | 2 +-
 other/annotate-base-images/annotate-base-images.yaml | 2 +-
 .../block-images-with-volumes.yaml | 2 +-
 other/block-large-images/block-large-images.yaml | 2 +-
 other/block-stale-images/block-stale-images.yaml | 2 +-
 other/check-nvidia-gpu/check-nvidia-gpu.yaml | 2 +-
 .../deny-commands-in-exec-probe.yaml | 8 ++++----
 .../enforce-resources-as-ratio.yaml | 2 +-
 .../inject-env-var-from-image-label.yaml | 2 +-
 .../limit-containers-per-pod.yaml | 2 +-
 .../memory-requests-equal-limits.yaml | 2 +-
 .../only-trustworthy-registries-set-root.yaml | 2 +-
 other/prepend-image-registry/prepend-image-registry.yaml | 2 +-
 .../remove-hostpath-volumes/remove-hostpath-volumes.yaml | 2 +-
 .../remove-serviceaccount-token.yaml | 2 +-
 .../replace-image-registry-with-harbor.yaml | 2 +-
 other/replace-image-registry/replace-image-registry.yaml | 2 +-
 other/require-base-image/require-base-image.yaml | 2 +-
 other/require-image-source/require-image-source.yaml | 2 +-
 other/require-qos-burstable/require-qos-burstable.yaml | 4 ++--
 other/require-qos-guaranteed/require-qos-guaranteed.yaml | 2 +-
 .../require-unique-uid-per-workload.yaml | 2 +-
 .../resolve-image-to-digest/resolve-image-to-digest.yaml | 2 +-
 26 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/best-practices/require-probes/require-probes.yaml b/best-practices/require-probes/require-probes.yaml
index ac3036c25..9a6b2d1be 100644
--- a/best-practices/require-probes/require-probes.yaml
+++ b/best-practices/require-probes/require-probes.yaml
@@ -36,7 +36,7 @@ spec:
 validate:
 message: "Liveness, readiness, or startup probes are required for all containers."
 foreach:
- - list: request.object.spec.containers[]
+ - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
 deny:
 conditions:
 all:
diff --git a/karpenter/set-karpenter-non-cpu-limits/set-karpenter-non-cpu-limits.yaml b/karpenter/set-karpenter-non-cpu-limits/set-karpenter-non-cpu-limits.yaml
index 37c18df68..0f5fdeb53 100644
--- a/karpenter/set-karpenter-non-cpu-limits/set-karpenter-non-cpu-limits.yaml
+++ b/karpenter/set-karpenter-non-cpu-limits/set-karpenter-non-cpu-limits.yaml
@@ -25,7 +25,7 @@ spec:
 - Pod
 mutate:
 foreach:
- - list: request.object.spec.containers
+ - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
 patchStrategicMerge:
 spec:
 containers:
@@ -43,7 +43,7 @@ spec:
 - Pod
 mutate:
 foreach:
- - list: request.object.spec.containers
+ - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
 patchStrategicMerge:
 spec:
 containers:
diff --git a/other/add-certificates-volume/add-certificates-volume.yaml b/other/add-certificates-volume/add-certificates-volume.yaml
index ea5b4732d..9897c96a5 100644
--- a/other/add-certificates-volume/add-certificates-volume.yaml
+++ b/other/add-certificates-volume/add-certificates-volume.yaml
@@ -36,7 +36,7 @@ spec:
 - UPDATE
 mutate:
 foreach:
- - list: "request.object.spec.containers"
+ - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
 patchStrategicMerge:
 spec:
 containers:
diff --git a/other/add-image-as-env-var/add-image-as-env-var.yaml b/other/add-image-as-env-var/add-image-as-env-var.yaml
index 694fab416..5a3fe183a 100644
--- a/other/add-image-as-env-var/add-image-as-env-var.yaml
+++ b/other/add-image-as-env-var/add-image-as-env-var.yaml
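Review bot: The probe requirement now reaches init and ephemeral containers, but the Kubernetes API rejects livenessProbe, readinessProbe and startupProbe on ephemeral containers and on init containers that are not sidecars (restartPolicy: Always), so after this change a Pod with an ordinary init container is denied at create time and a Pod that already carries a debug ephemeral container is denied on every later update. For this policy the list should stay `- list: request.object.spec.containers[]`, or at most include sidecar init containers with `- list: request.object.spec.[initContainers[?restartPolicy=='Always'], containers][]`. The same concern applies to require-qos-guaranteed, whose `pattern: resources: requests:` would be applied to ephemeral containers that cannot declare resources. Separately, ephemeral containers are attached through the Pod `ephemeralcontainers` subresource; if the `match` block outside this hunk lists only `Pod`, the request that introduces them is not evaluated, so the coverage the commit message promises holds only for create/update requests that already contain them.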
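Review bot: The foreach now yields init and ephemeral containers, but the `patchStrategicMerge` target directly below it is still `spec.containers`, so elements from the other two lists are merged under a name that does not exist in `spec.containers`; depending on whether the patch body outside the hunk uses a `(name)` conditional anchor or a plain `name:`, that is either a silent no-op for those elements or the injection of an extra container into the Pod. A strategic merge needs one foreach entry per list, each patching its own key, e.g. `- list: request.object.spec.initContainers[]` paired with `patchStrategicMerge: spec: initContainers:`. This applies to both hunks of this file and equally to add-certificates-volume, prepend-image-registry and replace-image-registry, which all show the same `spec: containers:` target after the changed line.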
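Review bot: The replacement line in add-certificates-volume drops the double quotes that the removed `"request.object.spec.containers"` had, while the sibling hunks in annotate-base-images and most other files quote the new expression; both forms parse, since a plain scalar may contain `[`, `,` and `]` in block context, but the value ends in `[]` and reads like a flow sequence at a glance, so keep the file's quoted form: `- list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"`. require-probes and set-karpenter-non-cpu-limits leave it unquoted as well; one convention across the series would be easier to grep and lint.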
@@ -26,7 +26,7 @@ spec:
 - Pod
 mutate:
 foreach:
- - list: request.object.spec.containers[]
+ - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
 patchesJson6902: |-
 - op: add
 path: /spec/containers/{{elementIndex}}/env/-
diff --git a/other/annotate-base-images/annotate-base-images.yaml b/other/annotate-base-images/annotate-base-images.yaml
index 8bdb7ccaa..92f032dff 100644
--- a/other/annotate-base-images/annotate-base-images.yaml
+++ b/other/annotate-base-images/annotate-base-images.yaml
@@ -33,7 +33,7 @@ spec:
 value: DELETE
 mutate:
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 context:
 - name: imageData
 imageRegistry:
diff --git a/other/block-images-with-volumes/block-images-with-volumes.yaml b/other/block-images-with-volumes/block-images-with-volumes.yaml
index 6f536acd7..10f51b692 100644
--- a/other/block-images-with-volumes/block-images-with-volumes.yaml
+++ b/other/block-images-with-volumes/block-images-with-volumes.yaml
@@ -32,7 +32,7 @@ spec:
 validate:
 message: "Images containing built-in volumes are prohibited."
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 context:
 - name: imageData
 imageRegistry:
diff --git a/other/block-large-images/block-large-images.yaml b/other/block-large-images/block-large-images.yaml
index b98c6e055..5b8af9f7a 100644
--- a/other/block-large-images/block-large-images.yaml
+++ b/other/block-large-images/block-large-images.yaml
@@ -32,7 +32,7 @@ spec:
 validate:
 message: "images with size greater than 2Gi not allowed"
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 context:
 - name: imageSize
 imageRegistry:
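Review bot: `elementIndex` now counts positions in the flattened `[ephemeralContainers, initContainers, containers][]` list, but the patch path on the last context line is still `/spec/containers/{{elementIndex}}/env/-`, so whenever a Pod has init or ephemeral containers the env var is added to the wrong container or the JSON patch fails with an out-of-range index. Each container list needs its own foreach entry whose path names that list; the `value:` part of the patch is outside the hunk and is kept as-is below. remove-hostpath-volumes and remove-serviceaccount-token change the same foreach and, judging by the `/spec/volumes/{{elementIndex}}` path visible in their context, build index-based paths further down, so they likely need the same split.
```yaml
foreach:
  - list: request.object.spec.initContainers[]
    patchesJson6902: |-
      - op: add
        path: /spec/initContainers/{{elementIndex}}/env/-
    # … unchanged: value block of the original patch …
  - list: request.object.spec.containers[]
    patchesJson6902: |-
      - op: add
        path: /spec/containers/{{elementIndex}}/env/-
    # … unchanged: value block of the original patch …
```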
diff --git a/other/block-stale-images/block-stale-images.yaml b/other/block-stale-images/block-stale-images.yaml
index 6aea5cebd..1b90c2480 100644
--- a/other/block-stale-images/block-stale-images.yaml
+++ b/other/block-stale-images/block-stale-images.yaml
@@ -26,7 +26,7 @@ spec:
 validate:
 message: "Images built more than 6 months ago are prohibited."
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 context:
 - name: imageData
 imageRegistry:
diff --git a/other/check-nvidia-gpu/check-nvidia-gpu.yaml b/other/check-nvidia-gpu/check-nvidia-gpu.yaml
index c44194f96..439b86781 100644
--- a/other/check-nvidia-gpu/check-nvidia-gpu.yaml
+++ b/other/check-nvidia-gpu/check-nvidia-gpu.yaml
@@ -33,7 +33,7 @@ spec:
 validate:
 message: "Images which reserve NVIDIA GPUs must be built to use them."
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 context:
 - name: imageData
 imageRegistry:
diff --git a/other/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml b/other/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml
index 31e1c4420..06e5af964 100644
--- a/other/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml
+++ b/other/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml
@@ -26,7 +26,7 @@ spec:
 - Pod
 preconditions:
 all:
- - key: "{{ length(request.object.spec.containers[].livenessProbe.exec.command[] || `[]`) }}"
+ - key: "{{ length(request.object.spec.[ephemeralContainers, initContainers, containers][].livenessProbe.exec.command[] || `[]`) }}"
 operator: GreaterThan
 value: 0
 - key: "{{ request.operation }}"
@@ -40,12 +40,12 @@ spec:
 - key:
 - true
 operator: AnyIn
- value: "{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match('\\bjcmd\\b',@) }}"
+ value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].livenessProbe.exec.command[].regex_match('\\bjcmd\\b',@) }}"
 - key:
 - true
 operator: AnyIn
- value: "{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match('\\bps\\b',@) }}"
+ value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].livenessProbe.exec.command[].regex_match('\\bps\\b',@) }}"
 - key:
 - true
 operator: AnyIn
- value: "{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match('\\bls\\b',@) }}"
+ value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].livenessProbe.exec.command[].regex_match('\\bls\\b',@) }}"
diff --git a/other/enforce-resources-as-ratio/enforce-resources-as-ratio.yaml b/other/enforce-resources-as-ratio/enforce-resources-as-ratio.yaml
index 5acc54620..89b6d5897 100644
--- a/other/enforce-resources-as-ratio/enforce-resources-as-ratio.yaml
+++ b/other/enforce-resources-as-ratio/enforce-resources-as-ratio.yaml
@@ -34,7 +34,7 @@ spec:
 validate:
 message: Limits may not exceed 2.5x the requests.
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 deny:
 conditions:
 any:
diff --git a/other/inject-env-var-from-image-label/inject-env-var-from-image-label.yaml b/other/inject-env-var-from-image-label/inject-env-var-from-image-label.yaml
index 7693ee375..056fea964 100644
--- a/other/inject-env-var-from-image-label/inject-env-var-from-image-label.yaml
+++ b/other/inject-env-var-from-image-label/inject-env-var-from-image-label.yaml
@@ -32,7 +32,7 @@ spec:
 value: DELETE
 mutate:
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 context:
 - name: maintainer
 imageRegistry:
diff --git a/other/limit-containers-per-pod/limit-containers-per-pod.yaml b/other/limit-containers-per-pod/limit-containers-per-pod.yaml
index c5fc9bd72..b67a2e735 100644
--- a/other/limit-containers-per-pod/limit-containers-per-pod.yaml
+++ b/other/limit-containers-per-pod/limit-containers-per-pod.yaml
@@ -35,6 +35,6 @@ spec:
 deny:
 conditions:
 any:
- - key: "{{request.object.spec.containers[] | length(@)}}"
+ - key: "{{request.object.spec.[ephemeralContainers, initContainers, containers][] | length(@)}}"
 operator: GreaterThan
 value: "4"
\ No newline at end of file
diff --git a/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml b/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml
index 9afeb8f06..829a4dd92 100644
--- a/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml
+++ b/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml
@@ -27,6 +27,6 @@ spec:
 deny:
 conditions:
 any:
- - key: "{{ request.object.spec.containers[?resources.requests.memory!=resources.limits.memory] | length(@) }}"
+ - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][?resources.requests.memory!=resources.limits.memory] | length(@) }}"
 operator: NotEquals
 value: 0
diff --git a/other/only-trustworthy-registries-set-root/only-trustworthy-registries-set-root.yaml b/other/only-trustworthy-registries-set-root/only-trustworthy-registries-set-root.yaml
index 03d0a8c3b..374cc2f54 100644
--- a/other/only-trustworthy-registries-set-root/only-trustworthy-registries-set-root.yaml
+++ b/other/only-trustworthy-registries-set-root/only-trustworthy-registries-set-root.yaml
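Review bot: The count in limit-containers-per-pod now includes init and ephemeral containers, so a Pod with three app containers and two init containers is denied although only three of them run concurrently. If counting all lists against the same limit of `"4"` is intended, the rule's message and the policy description outside the hunk should say so; otherwise keep `key: "{{request.object.spec.containers[] | length(@)}}"` here.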
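Review bot: In memory-requests-equal-limits the filter `[?resources.requests.memory!=resources.limits.memory]` is now applied to the multi-select result itself, i.e. to the three sub-lists (or nulls), not to the containers; on a list both sides evaluate to null, the comparison is false for every element, `length(@)` is always 0 and the rule never denies, which silently disables the policy. Flatten first and stop the projection with a pipe before filtering: `- key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][] | [?resources.requests.memory!=resources.limits.memory] | length(@) }}"`. A negative test Pod whose memory request and limit differ should accompany this so the regression is caught.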
@@ -32,7 +32,7 @@ spec:
 validate:
 message: "Images with root user are not allowed to be pulled from any registry other than ghcr.io."
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 context:
 - name: imageData
 imageRegistry:
diff --git a/other/prepend-image-registry/prepend-image-registry.yaml b/other/prepend-image-registry/prepend-image-registry.yaml
index a1509349f..a9d923b44 100644
--- a/other/prepend-image-registry/prepend-image-registry.yaml
+++ b/other/prepend-image-registry/prepend-image-registry.yaml
@@ -34,7 +34,7 @@ spec:
 - UPDATE
 mutate:
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 patchStrategicMerge:
 spec:
 containers:
diff --git a/other/remove-hostpath-volumes/remove-hostpath-volumes.yaml b/other/remove-hostpath-volumes/remove-hostpath-volumes.yaml
index 706ed941d..8be457d27 100644
--- a/other/remove-hostpath-volumes/remove-hostpath-volumes.yaml
+++ b/other/remove-hostpath-volumes/remove-hostpath-volumes.yaml
@@ -46,7 +46,7 @@ spec:
 patchesJson6902: |-
 - path: /spec/volumes/{{elementIndex}}
 op: remove
- - list: request.object.spec.containers[]
+ - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
 foreach:
 - list: " element.volumeMounts || `[]` "
 order: Descending
diff --git a/other/remove-serviceaccount-token/remove-serviceaccount-token.yaml b/other/remove-serviceaccount-token/remove-serviceaccount-token.yaml
index a8b1f9193..f6126a1be 100644
--- a/other/remove-serviceaccount-token/remove-serviceaccount-token.yaml
+++ b/other/remove-serviceaccount-token/remove-serviceaccount-token.yaml
@@ -58,7 +58,7 @@ spec:
 patchesJson6902: |-
 - path: /spec/volumes/{{elementIndex}}
 op: remove
- - list: request.object.spec.containers[]
+ - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
 foreach:
 - list: element.volumeMounts
 order: Descending
diff --git a/other/replace-image-registry-with-harbor/replace-image-registry-with-harbor.yaml b/other/replace-image-registry-with-harbor/replace-image-registry-with-harbor.yaml
index be06f4c42..fa76ce491 100755
--- a/other/replace-image-registry-with-harbor/replace-image-registry-with-harbor.yaml
+++ b/other/replace-image-registry-with-harbor/replace-image-registry-with-harbor.yaml
@@ -46,7 +46,7 @@ spec:
 initContainers:
 - name: "{{ element.name }}"
 image: harbor.example.com/k8s/{{imageData.repository}}:{{imageData.identifier}}
- - list: request.object.spec.containers[]
+ - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
 context:
 - name: imageData
 imageRegistry:
diff --git a/other/replace-image-registry/replace-image-registry.yaml b/other/replace-image-registry/replace-image-registry.yaml
index 85df58aa0..9f69ccf5a 100644
--- a/other/replace-image-registry/replace-image-registry.yaml
+++ b/other/replace-image-registry/replace-image-registry.yaml
@@ -32,7 +32,7 @@ spec:
 - Pod
 mutate:
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 patchStrategicMerge:
 spec:
 containers:
diff --git a/other/require-base-image/require-base-image.yaml b/other/require-base-image/require-base-image.yaml
index 99f77be7c..ab243094f 100644
--- a/other/require-base-image/require-base-image.yaml
+++ b/other/require-base-image/require-base-image.yaml
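Review bot: In replace-image-registry-with-harbor the context lines above the change (`initContainers:` / `- name: "{{ element.name }}"` / `image: harbor.example.com/...`) appear to be the patch of a preceding foreach entry that already handles init containers, so flattening initContainers into this second entry processes every init container twice, with a second imageRegistry lookup per image, and if the patch that follows this entry targets `spec.containers` (outside the hunk) the init container's name is merged into the wrong list. Keep this entry on `- list: request.object.spec.containers[]` and, if ephemeral containers are wanted, add a third entry with its own `spec.ephemeralContainers` patch target instead of one flattened list.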
@@ -37,7 +37,7 @@ spec:
 validate:
 message: "Images must specify a source/base image from which they are built."
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 context:
 - name: imageData
 imageRegistry:
diff --git a/other/require-image-source/require-image-source.yaml b/other/require-image-source/require-image-source.yaml
index 3f475a19b..187336fc8 100644
--- a/other/require-image-source/require-image-source.yaml
+++ b/other/require-image-source/require-image-source.yaml
@@ -34,7 +34,7 @@ spec:
 validate:
 message: "The image source must be specified in a label or annotation."
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 context:
 - name: imageData
 imageRegistry:
diff --git a/other/require-qos-burstable/require-qos-burstable.yaml b/other/require-qos-burstable/require-qos-burstable.yaml
index bbb5810e5..05956a907 100644
--- a/other/require-qos-burstable/require-qos-burstable.yaml
+++ b/other/require-qos-burstable/require-qos-burstable.yaml
@@ -32,7 +32,7 @@ spec:
 all:
 - key: requests
 operator: AnyNotIn
- value: "{{ request.object.spec.containers[].resources.keys(@)[] }}"
+ value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].resources.keys(@)[] }}"
 - key: limits
 operator: AnyNotIn
- value: "{{ request.object.spec.containers[].resources.keys(@)[] }}"
\ No newline at end of file
+ value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].resources.keys(@)[] }}"
\ No newline at end of file
diff --git a/other/require-qos-guaranteed/require-qos-guaranteed.yaml b/other/require-qos-guaranteed/require-qos-guaranteed.yaml
index 8f1f0f3ac..9ae84f0c7 100644
--- a/other/require-qos-guaranteed/require-qos-guaranteed.yaml
+++ b/other/require-qos-guaranteed/require-qos-guaranteed.yaml
@@ -29,7 +29,7 @@ spec:
 validate:
 message: "All containers must define memory and CPU requests and limits where they are equal."
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 pattern:
 resources:
 requests:
diff --git a/other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml b/other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml
index 653b8edcb..d09095f54 100644
--- a/other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml
+++ b/other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml
@@ -46,6 +46,6 @@ spec:
 conditions:
 # this checks uids for ALL containers in any pod of the workload
 all:
- - key: "{{ request.object.spec.containers[].securityContext.to_string(runAsUser) }}"
+ - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.to_string(runAsUser) }}"
 operator: AnyIn
 value: "{{ uidsAllPodsExceptSameOwnerAsRequestObject }}"
\ No newline at end of file
diff --git a/other/resolve-image-to-digest/resolve-image-to-digest.yaml b/other/resolve-image-to-digest/resolve-image-to-digest.yaml
index cfad5568e..aa980c510 100644
--- a/other/resolve-image-to-digest/resolve-image-to-digest.yaml
+++ b/other/resolve-image-to-digest/resolve-image-to-digest.yaml
@@ -30,7 +30,7 @@ spec:
 value: DELETE
 mutate:
 foreach:
- - list: "request.object.spec.containers"
+ - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
 context:
 - name: resolvedRef
 imageRegistry: