Simplified CEL Expressions for Pod Security (CEL) Baseline policies #1127

Closed
wants to merge 10 commits into from

Conversation

Contributor

@epasham epasham commented Aug 13, 2024

Related Issue(s)

Closes #1096
Closes #1097
Closes #1090

Description

There are redundant expressions in the CEL expression to validate the containers, init containers and ephemeral containers in a pod definition.

What does this PR do?
Updated the CEL expression using variables and optionals. Removed the redundant expressions.
The validation expression is now simplified.

Checklist

  • [] I have read the policy contribution guidelines.
  • [] I have added test manifests and resources covering both positive and negative tests that prove this policy works as intended.
  • [] I have added the artifacthub-pkg.yml file and have verified it is complete and correct.

Signed-off-by: epasham <ekambaram.pasham@gmail.com>
Signed-off-by: epasham <ekambaram.pasham@gmail.com>
@realshuting
Member

@epasham - thanks for the contribution! Please use keywords "close", "resolve" to close issues automatically once the PR is merged, i.e., closes #1096.

@chipzoller changed the title from "CEL expression is simplified for disallow-privileged-containers Policy" to "Simplified CEL Expressions for Pod Security (CEL) Baseline policies" on Aug 15, 2024
Contributor

@chipzoller chipzoller left a comment

@epasham, in the future, please use closing keywords to link your PR to issues it closes, and please complete the full PR template including check boxes.

chipzoller previously approved these changes Aug 15, 2024
Contributor

@chipzoller chipzoller left a comment

LGTM but will defer final review to @MariamFahmy98.

JimBugwadia and others added 7 commits August 21, 2024 08:24
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: epasham <ekambaram.pasham@gmail.com>
Signed-off-by: epasham <ekambaram.pasham@gmail.com>
Signed-off-by: epasham <ekambaram.pasham@gmail.com>
…low-privileged-containers.yaml

Co-authored-by: Chip Zoller <chipzoller@gmail.com>
Signed-off-by: Ekambaram Pasham <ekambaram.pasham@gmail.com>
Signed-off-by: epasham <ekambaram.pasham@gmail.com>
…ntainer types in a pod (#1111)

* Update disallow-helm-tiller.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update artifacthub-pkg.yml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update disallow-latest-tag.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update artifacthub-pkg.yml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update bad-pod-latest-fail-first.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update bad-pod-latest-success-first.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update bad-pod-no-tag.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update good-pod.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update bad-deploy.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update bad-pod-fail-first.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update bad-pod.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update bad-pod-success-first.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update good-deploy.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update good-pod.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update disallow-latest-tag.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update disallow-helm-tiller.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update artifacthub-pkg.yml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update artifacthub-pkg.yml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update artifacthub-pkg.yml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update artifacthub-pkg.yml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update artifacthub-pkg.yml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update artifacthub-pkg.yml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update good-pod.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update bad-deploy.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update bad-pod-fail-first.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update bad-pod-success-first.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update bad-pod.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update good-deploy.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update resource.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update bad-pod-latest-fail-first.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update bad-pod-latest-success-first.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update bad-pod-no-tag.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update good-pod.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

* Update resource.yaml

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>

---------

Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
…e all container types in a pod (#1111)"

This reverts commit 7de3cd9.
@epasham
Contributor Author

epasham commented Aug 21, 2024

I am closing this pull request. I need to sign the commits using my Infosys email ID.
I will create a new pull request. Thank you.

@epasham epasham closed this Aug 21, 2024
5 participants