fix for issue 1166

Signed-off-by: epasham <[email protected]>
kyverno · Sep 26, 2024 · a06cbd9 · a06cbd9
1 parent 55e4425
commit a06cbd9
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 20 deletions.
diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
@@ -22,4 +22,20 @@ spec:
     securityContext:
       capabilities:
         drop:
-          - CAP_NET_RAW
+          - CAP_NET_RAW
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: drop-netraw-good
+spec:
+  containers:
+    - args:
+        - sleep
+        - infinity
+      image: ghcr.io/kyverno/test-busybox:1.35
+      name: busybox
+      securityContext:
+         capabilities:
+           drop:
+             - NET_RAW
diff --git a/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml b/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
 annotations:
   kyverno/category: "Best Practices"
   kyverno/subject: "Pod"
-digest: 97e963f073e6324fa514015bc8fd8564b93fb7da6f8564fcf8a8fefc4c9da784
+digest: 594b30a84f36a2b46b723a4110d843f6099d7e7c17c82b70a91942c7081bb901
diff --git a/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml b/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
@@ -3,9 +3,10 @@ kind: ClusterPolicy
 metadata:
   name: drop-cap-net-raw
   annotations:
-    policies.kyverno.io/title: Drop CAP_NET_RAW
-    policies.kyverno.io/category: Best Practices
-    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/title: Drop CAP_NET_RAW in CEL expressions
+    policies.kyverno.io/category: Best Practices in CEL 
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
@@ -25,19 +26,19 @@ spec:
         - resources:
             kinds:
               - Pod
-      preconditions:
-        all:
-        - key: "{{ request.operation || 'BACKGROUND' }}"
-          operator: NotEquals
-          value: DELETE
+            operations:
+            - CREATE
+            - UPDATE
       validate:
-        message: >-
-          Containers must drop the `CAP_NET_RAW` capability.
-        foreach:
-          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
-            deny:
-              conditions:
-                all:
-                - key: CAP_NET_RAW
-                  operator: AnyNotIn
-                  value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
+        cel:
+          variables:
+            - name: mustDropCapabilities
+              expression: "['CAP_NET_RAW','NET_RAW']"
+            - name: allContainers
+              expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
+          expressions:
+            - expression: >-
+                variables.allContainers.all(container, 
+                container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() in variables.mustDropCapabilities))
+              message: >-
+                Containers must drop the `CAP_NET_RAW` capability.