open-policy-agent · fseldow · Feb 2, 2024
@@ -0,0 +1,22 @@
+version: 1.1.0
+name: k8spspapparmor
+displayName: App Armor
+createdAt: "2024-02-02T08:52:51Z"
+description: Configures an allow-list of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. For information on AppArmor, see https://kubernetes.io/docs/tutorials/clusters/apparmor/
+digest: 84017a34d1072ded1670a1b397db614c63cdc43b373ccfc147cbf53abcaba12c
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/apparmor
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # App Armor
+    Configures an allow-list of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. For information on AppArmor, see https://kubernetes.io/docs/tutorials/clusters/apparmor/
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/apparmor/1.1.0/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library
@@ -0,0 +1,2 @@
+resources:
+  - template.yaml
@@ -0,0 +1,12 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPAppArmor
+metadata:
+  name: psp-apparmor
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    allowedProfiles:
+    - runtime/default
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-disallowed
+  annotations:
+    # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
+    container.apparmor.security.beta.kubernetes.io/nginx: localhost/disallowprofile
+  labels:
+    app: nginx-apparmor
+spec:
+  ephemeralContainers:
+  - name: nginx
+    image: nginx
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-allowed
+  annotations:
+    # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
+    container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
+  labels:
+    app: nginx-apparmor
+spec:
+  containers:
+  - name: nginx
+    image: nginx
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-allowed
+  annotations:
+    # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
+    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
+  labels:
+    app: nginx-apparmor
+spec:
+  containers:
+  - name: nginx
+    image: nginx
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-disallowed
+  annotations:
+    # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
+    container.apparmor.security.beta.kubernetes.io/nginx: localhost/disallowprofile
+  labels:
+    app: nginx-apparmor
+spec:
+  containers:
+  - name: nginx
+    image: nginx
@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: apparmor
+tests:
+  - name: apparmor
+    template: template.yaml
+    constraint: samples/psp-apparmor/constraint.yaml
+    cases:
+      - name: example-allowed
+        object: samples/psp-apparmor/example_allowed.yaml
+        assertions:
+          - violations: no
+      - name: example-allowed-unconfined
+        object: samples/psp-apparmor/example_allowed_unconfined.yaml
+        assertions:
+          - violations: no
+      - name: example-disallowed
+        object: samples/psp-apparmor/example_disallowed.yaml
+        assertions:
+          - violations: yes
+      - name: disallowed-ephemeral
+        object: samples/psp-apparmor/disallowed_ephemeral.yaml
+        assertions:
+          - violations: yes
@@ -0,0 +1,103 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8spspapparmor
+  annotations:
+    metadata.gatekeeper.sh/title: "App Armor"
+    metadata.gatekeeper.sh/version: 1.1.0
+    description: >-
+      Configures an allow-list of AppArmor profiles for use by containers.
+      This corresponds to specific annotations applied to a PodSecurityPolicy.
+      For information on AppArmor, see
+      https://kubernetes.io/docs/tutorials/clusters/apparmor/
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sPSPAppArmor
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          type: object
+          description: >-
+            Configures an allow-list of AppArmor profiles for use by containers.
+            This corresponds to specific annotations applied to a PodSecurityPolicy.
+            For information on AppArmor, see
+            https://kubernetes.io/docs/tutorials/clusters/apparmor/
+          properties:
+            exemptImages:
+              description: >-
+                Any container that uses an image that matches an entry in this list will be excluded
+                from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+
+                It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+                in order to avoid unexpectedly exempting images from an untrusted repository.
+              type: array
+              items:
+                type: string
+            allowedProfiles:
+              description: "An array of AppArmor profiles. Examples: `runtime/default`, `unconfined`."
+              type: array
+              items:
+                type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8spspapparmor
+
+        import data.lib.exempt_container.is_exempt
+
+        violation[{"msg": msg, "details": {}}] {
+            metadata := input.review.object.metadata
+            container := input_containers[_]
+            not is_exempt(container)
+            not input_apparmor_allowed(container, metadata)
+            msg := sprintf("AppArmor profile is not allowed, pod: %v, container: %v. Allowed profiles: %v", [input.review.object.metadata.name, container.name, input.parameters.allowedProfiles])
+        }
+
+        input_apparmor_allowed(container, metadata) {
+            get_annotation_for(container, metadata) == input.parameters.allowedProfiles[_]
+        }
+
+        input_apparmor_allowed(container, metadata) {
+            get_annotation_for(container, metadata) == "unconfined"
+        }
+
+        input_containers[c] {
+            c := input.review.object.spec.containers[_]
+        }
+        input_containers[c] {
+            c := input.review.object.spec.initContainers[_]
+        }
+        input_containers[c] {
+            c := input.review.object.spec.ephemeralContainers[_]
+        }
+
+        get_annotation_for(container, metadata) = out {
+            out = metadata.annotations[sprintf("container.apparmor.security.beta.kubernetes.io/%v", [container.name])]
+        }
+        get_annotation_for(container, metadata) = out {
+            not metadata.annotations[sprintf("container.apparmor.security.beta.kubernetes.io/%v", [container.name])]
+            out = "runtime/default"
+        }
+      libs:
+        - |
+          package lib.exempt_container
+
+          is_exempt(container) {
+              exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+              img := container.image
+              exemption := exempt_images[_]
+              _matches_exemption(img, exemption)
+          }
+
+          _matches_exemption(img, exemption) {
+              not endswith(exemption, "*")
+              exemption == img
+          }
+
+          _matches_exemption(img, exemption) {
+              endswith(exemption, "*")
+              prefix := trim_suffix(exemption, "*")
+              startswith(img, prefix)
+          }
@@ -4,7 +4,7 @@ metadata:
   name: nginx-apparmor-disallowed
   annotations:
     # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
-    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
+    container.apparmor.security.beta.kubernetes.io/nginx: localhost/disallowprofile
   labels:
     app: nginx-apparmor
 spec:

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-allowed
+  annotations:
+    # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
+    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
+  labels:
+    app: nginx-apparmor
+spec:
+  containers:
+  - name: nginx
+    image: nginx
@@ -4,7 +4,7 @@ metadata:
   name: nginx-apparmor-disallowed
   annotations:
     # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
-    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
+    container.apparmor.security.beta.kubernetes.io/nginx: localhost/disallowprofile
   labels:
     app: nginx-apparmor
 spec:

@@ -11,6 +11,10 @@ tests:
         object: samples/psp-apparmor/example_allowed.yaml
         assertions:
           - violations: no
+      - name: example-allowed-unconfined
+        object: samples/psp-apparmor/example_allowed_unconfined.yaml
+        assertions:
+          - violations: no
       - name: example-disallowed
         object: samples/psp-apparmor/example_disallowed.yaml
         assertions:

@@ -4,7 +4,7 @@ metadata:
   name: k8spspapparmor
   annotations:
     metadata.gatekeeper.sh/title: "App Armor"
-    metadata.gatekeeper.sh/version: 1.0.0
+    metadata.gatekeeper.sh/version: 1.1.0
     description: >-
       Configures an allow-list of AppArmor profiles for use by containers.
       This corresponds to specific annotations applied to a PodSecurityPolicy.
@@ -59,6 +59,10 @@ spec:
             get_annotation_for(container, metadata) == input.parameters.allowedProfiles[_]
         }
 
+        input_apparmor_allowed(container, metadata) {
+            get_annotation_for(container, metadata) == "unconfined"
+        }
+
         input_containers[c] {
             c := input.review.object.spec.containers[_]
         }

@@ -4,7 +4,7 @@ metadata:
   name: k8spspapparmor
   annotations:
     metadata.gatekeeper.sh/title: "App Armor"
-    metadata.gatekeeper.sh/version: 1.0.0
+    metadata.gatekeeper.sh/version: 1.1.0
     description: >-
       Configures an allow-list of AppArmor profiles for use by containers.
       This corresponds to specific annotations applied to a PodSecurityPolicy.

@@ -14,6 +14,10 @@ input_apparmor_allowed(container, metadata) {
     get_annotation_for(container, metadata) == input.parameters.allowedProfiles[_]
 }
 
+input_apparmor_allowed(container, metadata) {
+    get_annotation_for(container, metadata) == "unconfined"
+}
+
 input_containers[c] {
     c := input.review.object.spec.containers[_]
 }

@@ -60,9 +60,15 @@ test_input_apparmor_containers_not_allowed_not_in_list_mixed_no_annotation {
     count(results) == 2
 }
 
-test_input_apparmor_containers_not_allowed_not_in_list_mixed {
+test_input_apparmor_containers_in_list_mixed {
     inp := { "review": input_review_containers_mixed, "parameters": input_parameters_in_list}
     results := violation with input as inp
+    count(results) == 0
+}
+
+test_input_apparmor_containers_not_allowed_not_in_list_mixed {
+    inp := { "review": input_review_containers_mixed, "parameters": input_parameters_not_in_list}
+    results := violation with input as inp
     count(results) == 1
 }
 

@@ -16,7 +16,7 @@ metadata:
   name: k8spspapparmor
   annotations:
     metadata.gatekeeper.sh/title: "App Armor"
-    metadata.gatekeeper.sh/version: 1.0.0
+    metadata.gatekeeper.sh/version: 1.1.0
     description: >-
       Configures an allow-list of AppArmor profiles for use by containers.
       This corresponds to specific annotations applied to a PodSecurityPolicy.
@@ -71,6 +71,10 @@ spec:
             get_annotation_for(container, metadata) == input.parameters.allowedProfiles[_]
         }
 
+        input_apparmor_allowed(container, metadata) {
+            get_annotation_for(container, metadata) == "unconfined"
+        }
+
         input_containers[c] {
             c := input.review.object.spec.containers[_]
         }
@@ -173,6 +177,33 @@ Usage
 kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/apparmor/samples/psp-apparmor/example_allowed.yaml
 ```
 
+</details>
+<details>
+<summary>example-allowed-unconfined</summary>
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-allowed
+  annotations:
+    # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
+    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
+  labels:
+    app: nginx-apparmor
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/apparmor/samples/psp-apparmor/example_allowed_unconfined.yaml
+```
+
 </details>
 <details>
 <summary>example-disallowed</summary>
@@ -184,7 +215,7 @@ metadata:
   name: nginx-apparmor-disallowed
   annotations:
     # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
-    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
+    container.apparmor.security.beta.kubernetes.io/nginx: localhost/disallowprofile
   labels:
     app: nginx-apparmor
 spec:
@@ -211,7 +242,7 @@ metadata:
   name: nginx-apparmor-disallowed
   annotations:
     # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
-    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
+    container.apparmor.security.beta.kubernetes.io/nginx: localhost/disallowprofile
   labels:
     app: nginx-apparmor
 spec: