generated from kubewarden/go-policy-template
-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathvalidate.go
110 lines (93 loc) · 3.34 KB
/
validate.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
package main
import (
"fmt"
"strings"
mapset "github.com/deckarep/golang-set/v2"
onelog "github.com/francoispqt/onelog"
"github.com/kubewarden/gjson"
kubewarden "github.com/kubewarden/policy-sdk-go"
)
// CreateSafeSysctlsSet returns a set with the known safe sysctls.
//
// A sysctl is called safe iff:
// - it is namespaced in the container or the pod
// - it is isolated, i.e. has no influence on any other pod on the same node.
//
// A (possibly not up-to-date) list of known safe sysctls can be found at:
// https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
func CreateSafeSysctlsSet() (safeSysctls mapset.Set[string]) {
safeSysctls = mapset.NewThreadUnsafeSet[string]()
safeSysctls.Add("kernel.shm_rmid_forced")
safeSysctls.Add("net.ipv4.ip_local_port_range")
safeSysctls.Add("net.ipv4.tcp_syncookies")
safeSysctls.Add("net.ipv4.ping_group_range")
return safeSysctls
}
func validate(payload []byte) ([]byte, error) {
settings, err := NewSettingsFromValidationReq(payload)
if err != nil {
return kubewarden.RejectRequest(
kubewarden.Message(err.Error()),
kubewarden.Code(400))
}
logger.Info("validating request")
data := gjson.GetBytes(
payload,
"request.object.spec.securityContext.sysctls")
if !data.Exists() {
// Pod specifies no sysctls, accepting
return kubewarden.AcceptRequest()
}
logger.DebugWithFields("validating pod object", func(e onelog.Entry) {
name := gjson.GetBytes(payload, "request.object.metadata.name").String()
namespace := gjson.GetBytes(payload,
"request.object.metadata.namespace").String()
e.String("name", name)
e.String("namespace", namespace)
})
knownSafeSysctls := CreateSafeSysctlsSet()
// build set of prefixes from patterns of forbidden sysctls:
globForbiddenSysctls := mapset.NewThreadUnsafeSet[string]()
for _, elem := range settings.ForbiddenSysctls.ToSlice() {
if strings.HasSuffix(elem, "*") {
globForbiddenSysctls.Add(strings.TrimSuffix(elem, "*"))
}
}
data.ForEach(func(key, value gjson.Result) bool {
sysctl := gjson.Get(value.String(), "name").String()
if settings.ForbiddenSysctls.Contains(sysctl) {
err = fmt.Errorf("sysctl %s is on the forbidden list", sysctl)
return false // stop iterating
}
// if sysctl matches a pattern, it is forbidden:
for _, elem := range globForbiddenSysctls.ToSlice() {
if strings.HasPrefix(sysctl, elem) {
if !settings.AllowedUnsafeSysctls.Contains(sysctl) {
// sysctl is not whitelisted
err = fmt.Errorf("sysctl %s is on the forbidden list", sysctl)
return false // stop iterating
}
}
}
// if sysctl is not on the safe list nor an exception, it is forbidden:
if !knownSafeSysctls.Contains(sysctl) &&
!settings.AllowedUnsafeSysctls.Contains(sysctl) {
err = fmt.Errorf("sysctl %s is not on safe list, nor is in the allowedUnsafeSysctls list",
sysctl)
return false // stop iterating
}
return true // continue iterating
})
if err != nil {
logger.DebugWithFields("rejecting pod object", func(e onelog.Entry) {
name := gjson.GetBytes(payload, "request.object.metadata.name").String()
namespace := gjson.GetBytes(payload, "request.object.metadata.namespace").String()
e.String("name", name)
e.String("namespace", namespace)
})
return kubewarden.RejectRequest(
kubewarden.Message(err.Error()),
kubewarden.NoCode)
}
return kubewarden.AcceptRequest()
}