closes bug 1166

Signed-off-by: epasham <ekambaram_pasham@infosys.com>
kyverno · Sep 27, 2024 · 88b31a7 · 88b31a7
1 parent a06cbd9
commit 88b31a7
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 20 deletions.
diff --git a/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml b/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
 annotations:
   kyverno/category: "Best Practices"
   kyverno/subject: "Pod"
-digest: 594b30a84f36a2b46b723a4110d843f6099d7e7c17c82b70a91942c7081bb901
+digest: 357011bf6ef0268a0ca1b248e0c7a59fc42e7f2017d02838c85711c329130676
diff --git a/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml b/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
@@ -3,10 +3,9 @@ kind: ClusterPolicy
 metadata:
   name: drop-cap-net-raw
   annotations:
-    policies.kyverno.io/title: Drop CAP_NET_RAW in CEL expressions
-    policies.kyverno.io/category: Best Practices in CEL 
-    policies.kyverno.io/minversion: 1.11.0
-    kyverno.io/kubernetes-version: "1.26-1.27"
+    policies.kyverno.io/title: Drop CAP_NET_RAW
+    policies.kyverno.io/category: Best Practices
+    policies.kyverno.io/minversion: 1.6.0
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
@@ -26,19 +25,22 @@ spec:
         - resources:
             kinds:
               - Pod
-            operations:
-            - CREATE
-            - UPDATE
+      preconditions:
+        all:
+        - key: "{{ request.operation || 'BACKGROUND' }}"
+          operator: NotEquals
+          value: DELETE
       validate:
-        cel:
-          variables:
-            - name: mustDropCapabilities
-              expression: "['CAP_NET_RAW','NET_RAW']"
-            - name: allContainers
-              expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
-          expressions:
-            - expression: >-
-                variables.allContainers.all(container, 
-                container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() in variables.mustDropCapabilities))
-              message: >-
-                Containers must drop the `CAP_NET_RAW` capability.
+        message: >-
+          Containers must drop the `CAP_NET_RAW` capability.
+        foreach:
+          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
+            deny:
+              conditions:
+                all:
+                - key: CAP_NET_RAW
+                  operator: AnyNotIn
+                  value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
+                - key: NET_RAW
+                  operator: AnyNotIn
+                  value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"