diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
index 45be727bd..3133e2a27 100644
--- a/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
+++ b/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
@@ -22,4 +22,20 @@ spec:
securityContext:
capabilities:
drop:
- - CAP_NET_RAW
\ No newline at end of file
+ - CAP_NET_RAW
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: drop-netraw-good
+spec:
+ containers:
+ - args:
+ - sleep
+ - infinity
+ image: ghcr.io/kyverno/test-busybox:1.35
+ name: busybox
+ securityContext:
+ capabilities:
+ drop:
+ - NET_RAW
diff --git a/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml b/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml
index 3057417f0..469c8b22c 100644
--- a/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml
+++ b/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Best Practices"
kyverno/subject: "Pod"
-digest: 97e963f073e6324fa514015bc8fd8564b93fb7da6f8564fcf8a8fefc4c9da784
+digest: 594b30a84f36a2b46b723a4110d843f6099d7e7c17c82b70a91942c7081bb901
diff --git a/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml b/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
index 68e92d525..80e3c955f 100644
--- a/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
+++ b/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
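Review bot: The added Pod only exercises `spec.containers`, while the rewritten policy's `allContainers` variable also walks `initContainers` and `ephemeralContainers`; a passing fixture that carries an init container dropping `NET_RAW` next to its main container would pin that new path. Both documents in this file are expected to pass, so nothing here shows that a Pod whose init container omits the drop is still rejected — that belongs in the bad-pod fixture, which this diff does not touch. The first Pod's `metadata.name` lies outside the hunk, so I cannot confirm it differs from the new `drop-netraw-good`; Chainsaw applies both documents to the same namespace, and a collision would make the second apply overwrite the first rather than test it.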
@@ -3,9 +3,10 @@ kind: ClusterPolicy
metadata:
name: drop-cap-net-raw
annotations:
- policies.kyverno.io/title: Drop CAP_NET_RAW
- policies.kyverno.io/category: Best Practices
- policies.kyverno.io/minversion: 1.6.0
+ policies.kyverno.io/title: Drop CAP_NET_RAW in CEL expressions
+ policies.kyverno.io/category: Best Practices in CEL
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
@@ -25,19 +26,19 @@ spec:
- resources:
kinds:
- Pod
- preconditions:
- all:
- - key: "{{ request.operation || 'BACKGROUND' }}"
- operator: NotEquals
- value: DELETE
+ operations:
+ - CREATE
+ - UPDATE
validate:
- message: >-
- Containers must drop the `CAP_NET_RAW` capability.
- foreach:
- - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
- deny:
- conditions:
- all:
- - key: CAP_NET_RAW
- operator: AnyNotIn
- value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
\ No newline at end of file
+ cel:
+ variables:
+ - name: mustDropCapabilities
+ expression: "['CAP_NET_RAW','NET_RAW']"
+ - name: allContainers
+ expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
+ expressions:
+ - expression: >-
+ variables.allContainers.all(container,
+ container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() in variables.mustDropCapabilities))
+ message: >-
+ Containers must drop the `CAP_NET_RAW` capability.
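Review bot: `policies.kyverno.io/category` now reads `Best Practices in CEL` and the title says `in CEL expressions`, but the artifacthub-pkg.yml hunk in this same commit still declares `kyverno/category: "Best Practices"`, and the file keeps its `best-practices/` path and the unchanged `drop-cap-net-raw` name. If the intent is to replace the JMESPath policy in place, the ArtifactHub metadata should be updated to match; if the CEL variant is meant to live alongside the original, the title and category changes suggest it belongs in a separate policy rather than an in-place rewrite. The `policies.kyverno.io/description` body continues outside the hunk, so I cannot check whether it still describes the `foreach`/`deny` mechanics this commit removes.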
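Review bot: The new CEL expression inspects only `capabilities.drop`, so a container whose `securityContext.capabilities.add` also lists `NET_RAW` satisfies the rule even though Kubernetes applies `add` after `drop` and the capability is retained; the removed `foreach` had the same blind spot, but since this hunk rewrites the check it is the place to close it, e.g. by appending `&& !container.?securityContext.?capabilities.?add.orValue([]).exists(capability, capability.upperAscii() in variables.mustDropCapabilities)` inside the `all(...)` predicate and extending the `message` to `Containers must drop the CAP_NET_RAW capability and must not add it back.` A container that uses `drop: [ALL]`, which the restricted Pod Security Standard asks for, is rejected because `ALL` is not in `mustDropCapabilities`; if that is unintended, add `'ALL'` to the list. The match now relies on `operations: [CREATE, UPDATE]` where the removed precondition defaulted `request.operation` to `BACKGROUND` so background scans were evaluated; confirm for the targeted Kyverno version that this filter does not keep the rule out of background reports. The enclosing rule's `name` and `match` header begin before line 25 and are outside this hunk.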