disallow-privilege-escalation policy is simplified

Signed-off-by: epasham <ekambaram_pasham@infosys.com>
kyverno · Aug 30, 2024 · 8762743 · 8762743
1 parent ee4741c
commit 8762743
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 26 deletions.
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
@@ -19,5 +19,5 @@ annotations:
   kyverno/category: "Pod Security Standards (Restricted)"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: 6c249b689ee08cc1edcbacf7a00a35cab98d5b1b2bf3fc7ebd8a0dd1e27bb2c1
-createdAt: "2023-12-04T09:04:49Z"
+digest: 3d361694af595b4070d5ad6ef8e65f893069209a29b7b23d026ea685393e96b5
+createdAt: "2024-08-30T09:04:49Z"
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
@@ -28,30 +28,16 @@ spec:
             - UPDATE
       validate:
         cel:
+          variables:
+            - name: allContainers
+              expression: >-
+               object.spec.containers + 
+               object.spec.?initContainers.orValue([]) + 
+               object.spec.?ephemeralContainers.orValue([])
           expressions:
             - expression: >- 
-                object.spec.containers.all(container, has(container.securityContext) &&
-                has(container.securityContext.allowPrivilegeEscalation) &&
-                container.securityContext.allowPrivilegeEscalation == false)
+                variables.allContainers.all(container, 
+                container.?securityContext.?allowPrivilegeEscalation.orValue(false) == false)
               message: >-
-                Privilege escalation is disallowed. The field
-                spec.containers[*].securityContext.allowPrivilegeEscalation must be set to `false`.
-
-            - expression: >- 
-                !has(object.spec.initContainers) ||
-                object.spec.initContainers.all(container, has(container.securityContext) &&
-                has(container.securityContext.allowPrivilegeEscalation) &&
-                container.securityContext.allowPrivilegeEscalation == false)
-              message: >-
-                Privilege escalation is disallowed. The field
-                spec.initContainers[*].securityContext.allowPrivilegeEscalation must be set to `false`.
-
-            - expression: >- 
-                !has(object.spec.ephemeralContainers) ||
-                object.spec.ephemeralContainers.all(container, has(container.securityContext) &&
-                has(container.securityContext.allowPrivilegeEscalation) &&
-                container.securityContext.allowPrivilegeEscalation == false)
-              message: >-
-                Privilege escalation is disallowed. The field
-                spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation must be set to `false`.
-                   
+                Privilege escalation is disallowed. 
+                All containers must set the securityContext.allowPrivilegeEscalation field to `false`.