open-policy-agent/gatekeeper-library

Host networking constraint template does not respect exempt images

g-psantos opened this issue · 2 comments

The Host Networking Ports Constraint Template allows for a list of container images to be exempted from enforcement. However, the template fails to respect exempted images when checking whether the pod itself has hostNetwork: true.

This can be fixed by updating the template so that the first `input_share_hostnetwork` rule does not match (is undefined) when every container image is found in the list of exempted images:

# Policy for the host-networking-ports constraint template: flags pods that share the
# host network namespace or declare container hostPorts outside the configured range.
# Configuration comes from input.parameters (hostNetwork, min, max); which containers
# count as exempt is decided by data.lib.exempt_container.is_exempt (not shown here).
package k8spsphostnetworkingports

import data.lib.exempt_container.is_exempt
import future.keywords.every

# Produces a single violation for the reviewed pod whenever any of the
# input_share_hostnetwork rules matches (shared host network, or a hostPort
# outside [input.parameters.min, input.parameters.max]). The message echoes
# the full parameter object so the reporter can see the allowed values.
violation[{"msg": msg, "details": {}}] {
    pod := input.review.object
    input_share_hostnetwork(pod)
    msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [pod.metadata.name, input.parameters])
}

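# Pod-level check: a pod with spec.hostNetwork set is a violation unless the
# constraint explicitly permits host networking or every container in the pod is
# exempt. Because hostNetwork is a pod-wide setting that every container shares,
# a single non-exempt container keeps the pod in scope; input_containers is the
# set of non-exempt containers, so a non-empty set means "not all exempt". This
# avoids a separate `every`-based helper and its vacuous-truth reading for an
# empty container list (a pod with no containers is skipped either way; a valid
# Pod declares at least one container).
input_share_hostnetwork(o) {
    count(input_containers) > 0
    # `not` is satisfied when hostNetwork is absent or false, so host networking is
    # denied unless the constraint sets hostNetwork: true (deny by default).
    not input.parameters.hostNetwork
    o.spec.hostNetwork
}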

# Container-level check: any hostPort below input.parameters.min is a violation.
# Only non-exempt containers are inspected (input_containers filters the rest).
# Ports without a hostPort field are skipped because the reference is undefined.
# NOTE: if input.parameters.min is absent, the comparison is undefined and this
# rule never fires, so hostPorts are then unbounded from below.
input_share_hostnetwork(o) {
    container := input_containers[_]
    port := container.ports[_]
    port.hostPort < input.parameters.min
}

# Container-level check: any hostPort above input.parameters.max is a violation.
# Only non-exempt containers are inspected (input_containers filters the rest).
# Ports without a hostPort field are skipped because the reference is undefined.
# NOTE: if input.parameters.max is absent, the comparison is undefined and this
# rule never fires, so hostPorts are then unbounded from above.
input_share_hostnetwork(o) {
    container := input_containers[_]
    port := container.ports[_]
    port.hostPort > input.parameters.max
}

# True when no reviewed container (regular, init or ephemeral) fails the exempt
# check. A container for which is_exempt is false or undefined counts as
# non-exempt. Holds vacuously for a pod with an empty container list.
all_containers_exempt {
    non_exempt := [c | c := _input_containers[_]; not is_exempt(c)]
    count(non_exempt) == 0
}

# The reviewed containers that are NOT exempt according to
# data.lib.exempt_container.is_exempt. Every hostPort/hostNetwork check in this
# package operates on this set only, so exempt containers never raise a violation.
input_containers := {c | c := _input_containers[_]; not is_exempt(c)}

# Pod spec fields whose entries are treated as containers for this policy.
_container_fields := {"containers", "initContainers", "ephemeralContainers"}

# Union of all containers declared in the reviewed pod, regardless of exemption.
# A missing field (e.g. no initContainers) simply contributes nothing.
_input_containers[c] {
    field := _container_fields[_]
    c := input.review.object.spec[field][_]
}
stale commented

This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.