From a4683e75f746c6c5e44e25e1d8069243c5a0996d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Tue, 21 Mar 2023 13:43:45 +0100 Subject: [PATCH 1/5] feat: Add `make artifacthub-pkg.yml` target MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Víctor Cuadrado Juan --- Makefile | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index e0fde6d..e8d19ff 100644 --- a/Makefile +++ b/Makefile @@ -1,11 +1,16 @@ SOURCE_FILES := $(shell test -e src/ && find src -type f) +VERSION := $(shell sed --posix -n 's,^version = \"\(.*\)\",\1,p' Cargo.toml) policy.wasm: $(SOURCE_FILES) Cargo.* cargo build --target=wasm32-wasi --release cp target/wasm32-wasi/release/*.wasm policy.wasm -annotated-policy.wasm: policy.wasm metadata.yml - kwctl annotate -m metadata.yml -o annotated-policy.wasm policy.wasm +artifacthub-pkg.yml: metadata.yml Cargo.toml + kwctl scaffold artifacthub --metadata-path metadata.yml --version $(VERSION) \ + --questions-path questions-ui.yml --output artifacthub-pkg.yml + +annotated-policy.wasm: policy.wasm metadata.yml artifacthub-pkg.yml + kwctl annotate -m metadata.yml -u README.md -o annotated-policy.wasm policy.wasm .PHONY: fmt fmt: @@ -26,4 +31,4 @@ test: fmt lint .PHONY: clean clean: cargo clean - rm -f policy.wasm annotated-policy.wasm + rm -f policy.wasm annotated-policy.wasm artifacthub-pkg.yml From ac594163e2aba28a8bc14b1404ed337a097d6326 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Tue, 21 Mar 2023 13:45:04 +0100 Subject: [PATCH 2/5] build: Bump version to 0.1.11 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Víctor Cuadrado Juan --- Cargo.lock | 2 +- Cargo.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 360d41a..2cc7648 100644 --- a/Cargo.lock +++ b/Cargo.lock 
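Review bot: The new `artifacthub-pkg.yml` rule declares only `metadata.yml Cargo.toml`, but its recipe also reads `questions-ui.yml` (`--questions-path questions-ui.yml`), and the reworked `annotated-policy.wasm` recipe reads `README.md` (`-u README.md`) without listing it, so edits to either file never trigger a rebuild and a stale manifest or stale usage text can be annotated and released. Declare both: `artifacthub-pkg.yml: metadata.yml Cargo.toml questions-ui.yml` and `annotated-policy.wasm: policy.wasm metadata.yml README.md artifacthub-pkg.yml`. The `VERSION` line also depends on GNU-only `sed --posix`, and the pattern `^version = "..."` would match any later `version =` key in a `[dependencies.*]` table if one is ever added, in which case `$(shell)` joins the matches with spaces and `--version` receives two values; a cheap guard at parse time is `$(if $(word 2,$(VERSION)),$(error more than one version line matched in Cargo.toml))`, and an empty result deserves a `$(if $(strip $(VERSION)),,$(error no version found in Cargo.toml))` too.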
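Review bot: `clean` now removes `artifacthub-pkg.yml`, yet patch 3 of this series shows the file is tracked in git (`index cb10a11..a8b951d`) and is what gets submitted to Artifact Hub, so `make clean` leaves the working tree with a deleted tracked file and the next build regenerates it with a fresh `createdAt` timestamp, which looks like it will produce an unreviewed diff on every rebuild. Pick one ownership model: either keep the tracked file out of `clean` (`rm -f policy.wasm annotated-policy.wasm`) or stop tracking it and let the Makefile target own it entirely.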
@@ -59,7 +59,7 @@ checksum = "b700ce4376041dcd0a327fd0097c41095743c4c8af8887265942faf1100bd040" [[package]] name = "capabilities-psp" -version = "0.1.10" +version = "0.1.11" dependencies = [ "anyhow", "assert-json-diff", diff --git a/Cargo.toml b/Cargo.toml index 94e07d9..0a8fb32 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "capabilities-psp" -version = "0.1.10" +version = "0.1.11" authors = ["Flavio Castelli "] edition = "2018" From ad9a111973b88d9818ab387829e1a42d5eeae07f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Tue, 21 Mar 2023 13:45:13 +0100 Subject: [PATCH 3/5] chore: Refresh metadata.yml, recreate artifacthub-pkg.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Víctor Cuadrado Juan --- artifacthub-pkg.yml | 45 ++++++---- metadata.yml | 214 ++------------------------------------------ 2 files changed, 38 insertions(+), 221 deletions(-) diff --git a/artifacthub-pkg.yml b/artifacthub-pkg.yml index cb10a11..a8b951d 100644 --- a/artifacthub-pkg.yml +++ b/artifacthub-pkg.yml @@ -1,14 +1,19 @@ ---- -version: 0.1.10 +# Kubewarden Artifacthub Package config +# +# Use this config to submit the policy to https://artifacthub.io. +# +# This config can be saved to its default location with: +# kwctl scaffold artifacthub > artifacthub-pkg.yml +version: 0.1.11 name: capabilities-psp displayName: Capabilities PSP -createdAt: '2023-01-19T14:46:21+02:00' -description: A Pod Security Policy that controls Container Capabilities +createdAt: 2023-03-21T12:44:32.93498724Z +description: Replacement for the Kubernetes Pod Security Policy that controls the usage of capabilities license: Apache-2.0 homeURL: https://github.com/kubewarden/capabilities-psp-policy containersImages: - name: policy - image: ghcr.io/kubewarden/policies/capabilities-psp:v0.1.10 + image: ghcr.io/kubewarden/policies/capabilities-psp:v0.1.11 keywords: - psp - container 
@@ -16,23 +21,23 @@ keywords: - capabilities links: - name: policy - url: https://github.com/kubewarden/capabilities-psp-policy/releases/download/v0.1.10/policy.wasm + url: https://github.com/kubewarden/capabilities-psp-policy/releases/download/v0.1.11/policy.wasm - name: source url: https://github.com/kubewarden/capabilities-psp-policy +install: | + The policy can be obtained using [`kwctl`](https://github.com/kubewarden/kwctl): + ```console + kwctl pull ghcr.io/kubewarden/policies/capabilities-psp:v0.1.11 + ``` +maintainers: +- name: Kubewarden developers + email: cncf-kubewarden-maintainers@lists.cncf.io provider: name: kubewarden recommendations: - url: https://artifacthub.io/packages/helm/kubewarden/kubewarden-controller annotations: - kubewarden/resources: Pod - kubewarden/mutation: true - kubewarden/contextAware: false - kubewarden/rules: | - rules: - - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - operations: ["CREATE"] + kubewarden/mutation: 'true' kubewarden/questions-ui: | questions: - default: [""] @@ -61,3 +66,13 @@ annotations: required: false type: array[ variable: default_add_capabilities + kubewarden/resources: Pod + kubewarden/rules: | + - apiGroups: + - '' + apiVersions: + - v1 + resources: + - pods + operations: + - CREATE diff --git a/metadata.yml b/metadata.yml index 5d33dd5..7947e7b 100644 --- a/metadata.yml +++ b/metadata.yml 
@@ -6,213 +6,15 @@ rules: mutating: true contextAware: false annotations: - io.kubewarden.policy.title: psp-capabilities + # artifacthub specific + io.artifacthub.displayName: Capabilities PSP + io.artifacthub.resources: Pod + io.artifacthub.keywords: psp, container, capability, capabilities + io.kubewarden.policy.ociUrl: ghcr.io/kubewarden/policies/capabilities-psp + # rest + io.kubewarden.policy.title: capabilities-psp io.kubewarden.policy.description: Replacement for the Kubernetes Pod Security Policy that controls the usage of capabilities - io.kubewarden.policy.author: Flavio Castelli + io.kubewarden.policy.author: "Kubewarden developers " io.kubewarden.policy.url: https://github.com/kubewarden/capabilities-psp-policy io.kubewarden.policy.source: https://github.com/kubewarden/capabilities-psp-policy io.kubewarden.policy.license: Apache-2.0 - io.kubewarden.policy.usage: | - This Kubewarden Policy is a replacement for the Kubernetes Pod Security Policy - that controls the usage of Containers capabilities: - - * [Deprecated PSP](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities) - * [Kubernetes container capabilities feature](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container) - - # How the policy works - - The following fields take a list of capabilities, specified as the capability - name in `ALL_CAPS` without the `CAP_` prefix. - - * `allowed_capabilities`: provides a list of capabilities that are allowed to be - added to a container. The default set of capabilities are implicitly allowed. - The empty set means that no additional capabilities may be added beyond the - default set. `*` can be used to allow all capabilities. - * `required_drop_capabilities`: the capabilities which must be dropped from - containers. These capabilities are removed from the default set, and must not - be added. 
Capabilities listed in `required_drop_capabilities` must not be - included in `allowed_capabilities` or `default_add_capabilities`. - * `default_add_capabilities`: the capabilities which are added to containers by - default, in addition to the runtime defaults. See the documentation of your - Container Runtime for the default list of capabilities. - - The policy validates Pods at creation time and can also mutate them when either the - `required_drop_capabilities` or the `default_add_capabilities` values are specified. - - **Note well:** Kubernetes does not allow to change container capabilities after Pod creation - time, hence this policy is interested only in `CREATE` operatoins. - - # Configuration - - The policy can be configured with the following data structure: - - ```yml - allowed_capabilities: - - CHOWN - - required_drop_capabilities: - - NET_ADMIN - - default_add_capabilities: - - KILL - ``` - - # Examples - - ## Allow only Container Runtime's default capabilities - - Each Container Runtime (docker, containerD, CRI-O,...) has a default list of - allowed capabilities. - - Deploying the policy with an **empty** configuration ensures no capability can - be added to containers. - - For example, the following Pod would be rejected by the policy: - - ```yaml - apiVersion: v1 - kind: Pod - metadata: - name: hello - spec: - containers: - - name: hello - image: busybox - command: [ "sh", "-c", "echo 'Hello!' && sleep 1h" ] - securityContext: - capabilities: - add: - - NET_ADMIN - ``` - - ## Allow only approved capabilities to be added - - This configuration allows only approved capabilities to be - added to containers: - - ```yaml - allowed_capabilities: - - CHOWN - - KILL - ``` - - This configuration would allow these Pods: - - ```yaml - apiVersion: v1 - kind: Pod - metadata: - name: hello - spec: - containers: - - name: hello - image: busybox - command: [ "sh", "-c", "echo 'Hello!' 
&& sleep 1h" ] - securityContext: - capabilities: - add: - - CHOWN - --- - apiVersion: v1 - kind: Pod - metadata: - name: hello2 - spec: - containers: - - name: hello - image: busybox - command: [ "sh", "-c", "echo 'Hello!' && sleep 1h" ] - ``` - - While these Pods would be rejected: - - ```yaml - apiVersion: v1 - kind: Pod - metadata: - name: rejected - spec: - containers: - - name: hello - image: busybox - command: [ "sh", "-c", "echo 'Hello!' && sleep 1h" ] - securityContext: - capabilities: - add: - - BPF - --- - apiVersion: v1 - kind: Pod - metadata: - name: init-violation - spec: - containers: - - name: hello - image: busybox - command: [ "sh", "-c", "echo 'Hello!' && sleep 1h" ] - initContainers: - - name: init1 - image: busybox - command: [ "sh", "-c", "echo 'Hello from initContainer" ] - securityContext: - capabilities: - add: - - MKNOD - ``` - - ## Mutate Pods - - The policy can mutate Pods at creation time. - - Let's take the following configuration: - - ```yml - allowed_capabilities: - - CHOWN,KILL - - required_drop_capabilities: - - NET_ADMIN - - default_add_capabilities: - - CHOWN - ``` - - And then try to create this Pod: - - ```yaml - apiVersion: v1 - kind: Pod - metadata: - name: hello - spec: - containers: - - name: hello - image: busybox - command: [ "sh", "-c", "echo 'Hello!' && sleep 1h" ] - securityContext: - capabilities: - add: - - KILL - ``` - - The policy would be changed the Pod specification, leading to the creation - of this Pod: - - ```yaml - apiVersion: v1 - kind: Pod - metadata: - name: hello - spec: - containers: - - name: hello - image: busybox - command: [ "sh", "-c", "echo 'Hello!' && sleep 1h" ] - securityContext: - capabilities: - add: - - KILL - - CHOWN - drop: - - NET_ADMIN - ``` From 75086a96011fad67dd313ea0614bb0223ee7aab6 Mon Sep 17 00:00:00 2001 
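Review bot: The new `io.kubewarden.policy.author` value reads `"Kubewarden developers "` with a trailing space and no address, while the regenerated `artifacthub-pkg.yml` in the same series carries `email: cncf-kubewarden-maintainers@lists.cncf.io` for that maintainer; if an angle-bracketed address was merely lost in rendering this is fine, otherwise the field should be `"Kubewarden developers <cncf-kubewarden-maintainers@lists.cncf.io>"` so the two sources agree. The hunk also deletes the entire `io.kubewarden.policy.usage` text (the three configuration keys, the note that only `CREATE` is handled because capabilities cannot change after Pod creation, and the mutation examples), and the Makefile now sources usage from `README.md` via `kwctl annotate -u README.md`, but `README.md` is not part of this series. Please confirm `README.md` already contains the removed "How the policy works", "Configuration" and "Mutate Pods" sections, otherwise the annotated policy ships with no documentation of `allowed_capabilities`, `required_drop_capabilities` and `default_add_capabilities`. The `rules:` block named in the hunk header lies above the hunk and is not visible here.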
From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Tue, 21 Mar 2023 13:45:45 +0100 Subject: [PATCH 4/5] ci: Consume github-actions@v2.0.5 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Víctor Cuadrado Juan --- .github/workflows/release.yml | 8 ++--- .github/workflows/tests.yml | 62 ++--------------------------------- 2 files changed, 6 insertions(+), 64 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b57794d..e35ac56 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,18 +11,18 @@ jobs: test: name: run tests and linters - uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-rust.yml@v1 + uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-rust.yml@v2.0.5 release: needs: test permissions: - # Required to push to GHCR + # Required to create GH releases contents: write + # Required to push to GHCR packages: write # Required by cosign keyless signing id-token: write - uses: kubewarden/github-actions/.github/workflows/reusable-release-policy-rust.yml@v1 + uses: kubewarden/github-actions/.github/workflows/reusable-release-policy-rust.yml@v2.0.5 with: - input-wasm: capabilities_psp oci-target: ghcr.io/${{ github.repository_owner }}/policies/capabilities-psp diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 1e2b81b..b4d9201 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
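Review bot: Both `uses:` lines reference the reusable workflows by the mutable tag `@v2.0.5`, yet the `release` job hands them `contents: write`, `packages: write` and `id-token: write`, so anyone who can move that tag in `kubewarden/github-actions` can publish releases, push images to GHCR and obtain OIDC tokens for keyless signing under this repository's identity; the workflows live in the same org, which narrows the exposure but does not remove tag mutability. Pin by full commit SHA and keep the tag as a comment, e.g. `uses: kubewarden/github-actions/.github/workflows/reusable-release-policy-rust.yml@<full-sha> # v2.0.5`, and do the same for the `test` job; patch 5 re-bumps both refs to `v3.1.0` in the same tag form, so the point carries over to the final state. Dropping `input-wasm: capabilities_psp` presumably means v2 derives the wasm name from the crate itself — worth a dry run to confirm the release still picks up `capabilities_psp.wasm` rather than publishing an empty artifact.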
@@ -1,64 +1,6 @@ on: [push, pull_request] - name: Continuous integration - jobs: - check: - name: Check - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: actions-rs/toolchain@v1 - with: - profile: minimal - toolchain: stable - override: true - - uses: actions-rs/cargo@v1 - with: - command: check - test: - name: Test Suite - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: actions-rs/toolchain@v1 - with: - profile: minimal - toolchain: stable - override: true - - uses: actions-rs/cargo@v1 - with: - command: test - - fmt: - name: Rustfmt - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: actions-rs/toolchain@v1 - with: - profile: minimal - toolchain: stable - override: true - - run: rustup component add rustfmt - - uses: actions-rs/cargo@v1 - with: - command: fmt - args: --all -- --check - - clippy: - name: Clippy - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: actions-rs/toolchain@v1 - with: - profile: minimal - toolchain: stable - override: true - - run: rustup component add clippy - - uses: actions-rs/cargo@v1 - with: - command: clippy - args: -- -D warnings + name: run tests and linter + uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-rust.yml@v2.0.5 From 2b7582bfc56b9c9180f4cc0879c0233fc4c8c481 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Fri, 24 Mar 2023 15:46:18 +0100 Subject: [PATCH 5/5] ci: Consume v3.1.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Víctor Cuadrado Juan --- .github/workflows/release.yml | 4 ++-- .github/workflows/tests.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e35ac56..a29def9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
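Review bot: The replacement workflow has no `permissions:` block, so the caller's `GITHUB_TOKEN` is forwarded to the reusable workflow with the repository's default permission set, which on older repositories is read-write, even though a job triggered on `push` and `pull_request` that only builds, formats and lints needs no write access. Add a top-level `permissions:` with `contents: read` directly under `on: [push, pull_request]` so `reusable-test-policy-rust.yml` receives a read-only token, and pin that ref by commit SHA instead of the mutable `v2.0.5` tag as for the release workflow. The inline `check`, `fmt` (`--all -- --check`) and `clippy` (`-D warnings`) jobs are now delegated to a workflow named "run tests and linter"; whether it enforces the same format and warning gates cannot be verified from this repository, so a note in `tests.yml` pointing to where those gates now live would help the next reader.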
@@ -11,7 +11,7 @@ jobs: test: name: run tests and linters - uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-rust.yml@v2.0.5 + uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-rust.yml@v3.1.0 release: needs: test @@ -23,6 +23,6 @@ jobs: # Required by cosign keyless signing id-token: write - uses: kubewarden/github-actions/.github/workflows/reusable-release-policy-rust.yml@v2.0.5 + uses: kubewarden/github-actions/.github/workflows/reusable-release-policy-rust.yml@v3.1.0 with: oci-target: ghcr.io/${{ github.repository_owner }}/policies/capabilities-psp diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index b4d9201..1a340a2 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -3,4 +3,4 @@ name: Continuous integration jobs: test: name: run tests and linter - uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-rust.yml@v2.0.5 + uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-rust.yml@v3.1.0