Merge branch 'master' into vap-test

.github/workflows/codeql.yml

@@ -50,7 +50,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -60,7 +60,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/autobuild@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -73,6 +73,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/scorecards.yml

@@ -63,14 +63,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         with:
           sarif_file: results.sarif

.github/workflows/scripts.yaml

@@ -22,7 +22,7 @@ jobs:
       matrix:
         folder: [artifacthub, require-sync, validate, website]
     steps:
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: '1.20'
           cache: false

.github/workflows/workflow.yaml

@@ -94,7 +94,7 @@ jobs:
           kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         if: ${{ always() }}
         with:
           name: logs-int-test-${{ matrix.gatekeeper }}-${{ matrix.engine }}

artifacthub/library/pod-security-policy/fsgroup/1.0.2/samples/psp-fsgroup/constraint2.yaml

@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPFSGroup
+metadata:
+  name: psp-fsgroup
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    ranges:
+    - min: 1
+      max: 1000

artifacthub/library/pod-security-policy/fsgroup/1.1.0/README.md

@@ -0,0 +1,7 @@
+# Deprecated
+
+**This Policy is deprecated**
+
+Please use the FSGroup settings on the users policy to enforce FSGroup Settings.
+
+[Users Policy](../users)

artifacthub/library/pod-security-policy/fsgroup/1.1.0/artifacthub-pkg.yml

@@ -0,0 +1,22 @@
+version: 1.1.0
+name: k8spspfsgroup
+displayName: FS Group
+createdAt: "2024-07-08T22:14:40Z"
+description: Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+digest: b0c1dada1dd06b897676e480a7a1439cc339cd9d1703dc0dbb4329e0b89ba4bd
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/fsgroup
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # FS Group
+    Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/fsgroup/1.1.0/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library

artifacthub/library/pod-security-policy/fsgroup/1.1.0/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - template.yaml

artifacthub/library/pod-security-policy/fsgroup/1.1.0/samples/psp-fsgroup/constraint.yaml

@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPFSGroup
+metadata:
+  name: psp-fsgroup
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny"
+    ranges:
+    - min: 1
+      max: 1000

artifacthub/library/pod-security-policy/fsgroup/1.1.0/samples/psp-fsgroup/constraint2.yaml

@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPFSGroup
+metadata:
+  name: psp-fsgroup
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    ranges:
+    - min: 1
+      max: 1000

artifacthub/library/pod-security-policy/fsgroup/1.1.0/samples/psp-fsgroup/constraint3.yaml

@@ -0,0 +1,12 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPFSGroup
+metadata:
+  name: psp-fsgroup
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    rule: "MustRunAs" #"MayRunAs", "RunAsAny"
+    ranges: [] # empty ranges should result in violation

artifacthub/library/pod-security-policy/fsgroup/1.1.0/samples/psp-fsgroup/example_allowed.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: fsgroup-allowed
+spec:
+  securityContext:
+    fsGroup: 500 # directory will have group ID 500
+  volumes:
+    - name: fsgroup-demo-vol
+      emptyDir: {}
+  containers:
+    - name: fsgroup-demo
+      image: busybox
+      command: ["sh", "-c", "sleep 1h"]
+      volumeMounts:
+        - name: fsgroup-demo-vol
+          mountPath: /data/demo

artifacthub/library/pod-security-policy/fsgroup/1.1.0/samples/psp-fsgroup/example_disallowed.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: fsgroup-disallowed
+spec:
+  securityContext:
+    fsGroup: 2000                           # directory will have group ID 2000
+  volumes:
+  - name: fsgroup-demo-vol
+    emptyDir: {}
+  containers:
+  - name: fsgroup-demo
+    image: busybox
+    command: [ "sh", "-c", "sleep 1h" ]
+    volumeMounts:
+    - name: fsgroup-demo-vol
+      mountPath: /data/demo

artifacthub/library/pod-security-policy/fsgroup/1.1.0/samples/psp-fsgroup/update.yaml

@@ -0,0 +1,22 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+  operation: "UPDATE"
+  object:
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: fsgroup-disallowed
+    spec:
+      securityContext:
+        fsGroup: 2000 # directory will have group ID 2000
+      volumes:
+      - name: fsgroup-demo-vol
+        emptyDir: {}
+      containers:
+      - name: fsgroup-demo
+        image: busybox
+        command: [ "sh", "-c", "sleep 1h" ]
+        volumeMounts:
+        - name: fsgroup-demo-vol
+          mountPath: /data/demo

artifacthub/library/pod-security-policy/fsgroup/1.1.0/suite.yaml

@@ -0,0 +1,53 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: fsgroup
+tests:
+  - name: fsgroup
+    template: template.yaml
+    constraint: samples/psp-fsgroup/constraint.yaml
+    cases:
+      - name: example-disallowed
+        object: samples/psp-fsgroup/example_disallowed.yaml
+        assertions:
+          - violations: yes
+      - name: example-allowed
+        object: samples/psp-fsgroup/example_allowed.yaml
+        assertions:
+          - violations: no
+      - name: update
+        object: samples/psp-fsgroup/update.yaml
+        assertions:
+          - violations: no
+  - name: fsgroup-no-rules
+    template: template.yaml
+    constraint: samples/psp-fsgroup/constraint2.yaml
+    cases:
+      - name: example-allowed
+        object: samples/psp-fsgroup/example_disallowed.yaml
+        assertions:
+          - violations: no
+      - name: example-allowed
+        object: samples/psp-fsgroup/example_allowed.yaml
+        assertions:
+          - violations: no
+      - name: update
+        object: samples/psp-fsgroup/update.yaml
+        assertions:
+          - violations: no
+  - name: fsgroup-empty-ranges
+    template: template.yaml
+    constraint: samples/psp-fsgroup/constraint3.yaml
+    cases:
+      - name: example-disallowed-2000
+        object: samples/psp-fsgroup/example_disallowed.yaml
+        assertions:
+          - violations: yes
+      - name: example-disallowed-500
+        object: samples/psp-fsgroup/example_allowed.yaml
+        assertions:
+          - violations: yes
+      - name: update
+        object: samples/psp-fsgroup/update.yaml
+        assertions:
+          - violations: no

artifacthub/library/pod-security-policy/fsgroup/1.1.0/template.yaml

@@ -0,0 +1,127 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8spspfsgroup
+  annotations:
+    metadata.gatekeeper.sh/title: "FS Group"
+    metadata.gatekeeper.sh/version: 1.1.0
+    description: >-
+      Controls allocating an FSGroup that owns the Pod's volumes. Corresponds
+      to the `fsGroup` field in a PodSecurityPolicy. For more information, see
+      https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sPSPFSGroup
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          type: object
+          description: >-
+            Controls allocating an FSGroup that owns the Pod's volumes. Corresponds
+            to the `fsGroup` field in a PodSecurityPolicy. For more information, see
+            https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+          properties:
+            rule:
+              description: "An FSGroup rule name."
+              enum:
+                - MayRunAs
+                - MustRunAs
+                - RunAsAny
+              type: string
+            ranges:
+              type: array
+              description: "GID ranges affected by the rule."
+              items:
+                type: object
+                properties:
+                  min:
+                    description: "The minimum GID in the range, inclusive."
+                    type: integer
+                  max:
+                    description: "The maximum GID in the range, inclusive."
+                    type: integer
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      code:
+      - engine: K8sNativeValidation
+        source:
+          variables:
+          - name: isUpdate
+            expression: has(request.operation) && request.operation == "UPDATE"
+          - name: fsGroup
+            expression: '!has(variables.anyObject.spec.securityContext) ? "" : !has(variables.anyObject.spec.securityContext.fsGroup) ? "" : variables.anyObject.spec.securityContext.fsGroup'
+          - name: ruleString
+            expression: |
+              !has(variables.params.rule) ? "unspecified" : string(variables.params.rule)
+          - name: rangesString
+            expression: |
+              !has(variables.params.ranges) ? "unspecified" : size(variables.params.ranges) == 0 ? "empty" : variables.params.ranges.map(r, string(r)).join(", ")
+          - name: input_fsGroup_allowed
+            expression: |
+              !has(variables.params.rule) ? true : variables.params.rule == "RunAsAny" ? true : variables.params.rule == "MayRunAs" && variables.fsGroup == "" ? true : (variables.params.rule == "MayRunAs" || variables.params.rule == "MustRunAs") && has(variables.params.ranges) && size(variables.params.ranges) > 0 ? variables.params.ranges.exists(range, range.min <= variables.fsGroup && range.max >= variables.fsGroup) : false
+          validations:
+          - expression: 'variables.isUpdate || variables.input_fsGroup_allowed'
+            messageExpression: '"The provided pod spec fsGroup is not allowed, pod: " + variables.anyObject.metadata.name + ". Allowed fsGroup rule: " + variables.ruleString + ", allowed fsGroup ranges: " + variables.rangesString'
+      - engine: Rego
+        source:
+          rego: |
+            package k8spspfsgroup
+
+            import data.lib.exclude_update.is_update
+
+            violation[{"msg": msg, "details": {}}] {
+                # spec.securityContext.fsGroup field is immutable.
+                not is_update(input.review)
+                has_field(input.parameters, "rule")
+                spec := input.review.object.spec
+                not input_fsGroup_allowed(spec)
+                msg := sprintf("The provided pod spec fsGroup is not allowed, pod: %v. Allowed fsGroup: %v", [input.review.object.metadata.name, input.parameters])
+            }
+
+            input_fsGroup_allowed(_) {
+                # RunAsAny - No range is required. Allows any fsGroup ID to be specified.
+                input.parameters.rule == "RunAsAny"
+            }
+            input_fsGroup_allowed(spec) {
+                # MustRunAs - Validates pod spec fsgroup against all ranges
+                input.parameters.rule == "MustRunAs"
+                fg := spec.securityContext.fsGroup
+                count(input.parameters.ranges) > 0
+                range := input.parameters.ranges[_]
+                value_within_range(range, fg)
+            }
+            input_fsGroup_allowed(spec) {
+                # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset
+                input.parameters.rule == "MayRunAs"
+                not has_field(spec, "securityContext")
+            }
+            input_fsGroup_allowed(spec) {
+                # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset
+                input.parameters.rule == "MayRunAs"
+                not spec.securityContext.fsGroup
+            }
+            input_fsGroup_allowed(spec) {
+                # MayRunAs - Validates pod spec fsgroup against all ranges or allow pod spec fsgroup to be left unset
+                input.parameters.rule == "MayRunAs"
+                fg := spec.securityContext.fsGroup
+                count(input.parameters.ranges) > 0
+                range := input.parameters.ranges[_]
+                value_within_range(range, fg)
+            }
+            value_within_range(range, value) {
+                range.min <= value
+                range.max >= value
+            }
+            # has_field returns whether an object has a field
+            has_field(object, field) = true {
+                object[field]
+            }
+          libs:
+            - |
+              package lib.exclude_update
+
+              is_update(review) {
+                  review.operation == "UPDATE"
+              }