diff --git a/pod-security/restricted/disallow-capabilities-strict/remediate-disallow-capabilities-strict.yaml b/pod-security/restricted/disallow-capabilities-strict/remediate-disallow-capabilities-strict.yaml
index 2eb39b6c..27b1797e 100644
--- a/pod-security/restricted/disallow-capabilities-strict/remediate-disallow-capabilities-strict.yaml
+++ b/pod-security/restricted/disallow-capabilities-strict/remediate-disallow-capabilities-strict.yaml
@@ -29,11 +29,9 @@ spec:
 value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
 patchesJson6902: |-
 - op: add
- path: /spec/template/spec/containers/{{elementIndex}}/securityContext
+ path: /spec/template/spec/containers/{{elementIndex}}/securityContext/capabilities/drop
 value:
- capabilities:
- drop:
- - ALL
+ - ALL
 - list: request.object.spec.template.spec.initContainers[]
 order: Descending
 preconditions:
@@ -43,11 +41,9 @@ spec:
 value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
 patchesJson6902: |-
 - op: add
- path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext
+ path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext/capabilities/drop
 value:
- capabilities:
- drop:
- - ALL
+ - ALL
 - list: request.object.spec.template.spec.ephemeralContainers[]
 order: Descending
 preconditions:
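Review bot: The new `op: add` at `.../securityContext/capabilities/drop` assumes `securityContext.capabilities` already exists on the container; RFC 6902 `add` does not create missing parents, so a container with no `securityContext` at all (or one without `capabilities`) fails the patch on a strict implementation, and that is exactly the container this remediation is meant to catch. Kyverno's patch engine may pre-create intermediate paths for `add` — I am not certain it does in this version — so this should be pinned with a test resource whose container carries no `securityContext`. If it does not, keep a fallback foreach entry that adds the full object when `element.securityContext.capabilities` is absent, e.g. `- key: "{{ element.securityContext.capabilities || '' }}"` / `operator: Equals` / `value: ""` guarding the old whole-`securityContext` patch. This foreach entry's `preconditions` key and the rule header begin above the hunk.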
@@ -57,8 +53,111 @@ spec:
 value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
 patchesJson6902: |-
 - op: add
- path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext
+ path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities/drop
+ value:
+ - ALL
+ - name: restrict-adding-capabilities-other-than-net-bind-service
+ match:
+ resources:
+ kinds:
+ - Deployment
+ - StatefulSet
+ - Job
+ - DaemonSet
+ mutate:
+ foreach:
+ - list: request.object.spec.template.spec.containers[]
+ order: Descending
+ preconditions:
+ all:
+ - key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
+ operator: NotEquals
+ value: []
+ - key: NET_BIND_RAW
+ operator: AnyNotIn
+ value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
+ patchesJson6902: |-
+ - op: remove
+ path: /spec/template/spec/containers/{{elementIndex}}/securityContext/capabilities/add
+
+ - list: request.object.spec.template.spec.containers[]
+ order: Descending
+ preconditions:
+ all:
+ - key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
+ operator: NotEquals
+ value: []
+ - key: NET_BIND_RAW
+ operator: In
+ value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
+ patchesJson6902: |-
+ - op: remove
+ path: /spec/template/spec/containers/{{elementIndex}}/securityContext/capabilities/add
+ - op: add
+ path: /spec/template/spec/containers/{{elementIndex}}/securityContext/capabilities/add
+ value:
+ - NET_BIND_RAW
+
+ - list: request.object.spec.template.spec.initContainers[]
+ order: Descending
+ preconditions:
+ all:
+ - key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
+ operator: NotEquals
+ value: []
+ - key: NET_BIND_RAW
+ operator: AnyNotIn
+ value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
+ patchesJson6902: |-
+ - op: remove
+ path: 
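Review bot: `op: add` on an existing `drop` member replaces the whole list rather than appending, so an initContainer that already has e.g. `drop: [NET_RAW]` ends up with `drop: [ALL]` only; that is the right end state, since ALL subsumes any partial list, but nothing in the patch says so and a reader may expect the old entries to survive. A one-line comment on the line above `patchesJson6902:` would spare the next maintainer a trip to RFC 6902: `# 'add' on an existing member replaces it: a partial drop list becomes [ALL], which subsumes it`. The same note applies to the containers and ephemeralContainers entries, which are three copies of this block. This foreach entry's `preconditions` key begins above the hunk.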
/spec/template/spec/initContainers/{{elementIndex}}/securityContext/capabilities/add
+
+ - list: request.object.spec.template.spec.initContainers[]
+ order: Descending
+ preconditions:
+ all:
+ - key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
+ operator: NotEquals
+ value: []
+ - key: NET_BIND_RAW
+ operator: In
+ value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
+ patchesJson6902: |-
+ - op: remove
+ path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext/capabilities/add
+ - op: add
+ path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext/capabilities/add
+ value:
+ - NET_BIND_RAW
+
+ - list: request.object.spec.template.spec.ephemeralContainers[]
+ order: Descending
+ preconditions:
+ all:
+ - key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
+ operator: NotEquals
+ value: []
+ - key: NET_BIND_RAW
+ operator: AnyNotIn
+ value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
+ patchesJson6902: |-
+ - op: remove
+ path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities/add
+
+ - list: request.object.spec.template.spec.ephemeralContainers[]
+ order: Descending
+ preconditions:
+ all:
+ - key: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
+ operator: NotEquals
+ value: []
+ - key: NET_BIND_RAW
+ operator: In
+ value: "{{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
+ patchesJson6902: |-
+ - op: remove
+ path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities/add
+ - op: add
+ path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities/add
 value:
- capabilities:
- drop:
- - ALL
+ - NET_BIND_RAW
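Review bot: `NET_BIND_RAW` is not a Linux capability; the rule name and the restricted Pod Security Standard both refer to `NET_BIND_SERVICE`, so every precondition `key: NET_BIND_RAW` and every patch value `- NET_BIND_RAW` in the six foreach entries of `restrict-adding-capabilities-other-than-net-bind-service` should read `NET_BIND_SERVICE`. As written, a container that adds only `NET_BIND_SERVICE` (the one allowed case) satisfies the `AnyNotIn` branch and has its whole `add` list removed, while a container that happens to list `NET_BIND_RAW` is rewritten to request an unknown capability that the container runtime is likely to reject at start. Separately, the `kinds` list covers Deployment, StatefulSet, Job and DaemonSet only, so CronJob templates (`spec.jobTemplate.spec.template`) and bare Pods are not remediated by this rule; that may be deliberate if the surrounding rules share the scope, but it is worth stating in the rule description. The first lines of the hunk belong to the ephemeralContainers drop-ALL entry whose preconditions begin above the hunk; the new rule itself is complete within the hunk.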