Simplified CEL Expressions for Pod Security (CEL) Baseline policies

best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml

@@ -19,3 +19,8 @@ spec:
         name: busybox
       - image: docker.io/tiller:latest
         name: helm-tiller
+      initContainers:
+      - image: busybox
+        name: busyboxinit
+      - image: docker.io/tiller:latest
+        name: helm-tillerinit

best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml

@@ -8,3 +8,8 @@ spec:
     image: docker.io/tiller:latest
   - name: somebox
     image: busybox:1.35
+  initContainers:
+  - name: helm-tillerinit
+    image: docker.io/tiller:latest
+  - name: someboxinit
+    image: busybox:1.35

best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml

@@ -7,4 +7,9 @@ spec:
   - name: somebox
     image: busybox:1.35
   - name: helm-tiller
-    image: docker.io/tiller:latest
+    image: docker.io/tiller:latest
+  initContainers:
+  - name: someboxinit
+    image: busybox:1.35
+  - name: helm-tillerinit
+    image: docker.io/tiller:latest

best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml

@@ -5,4 +5,7 @@ metadata:
 spec:
   containers:
   - name: helm-tiller
-    image: docker.io/tiller:latest
+    image: docker.io/tiller:latest
+  initContainers:
+  - name: helm-tillerinit
+    image: docker.io/tiller:latest

best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml

@@ -17,4 +17,8 @@ spec:
       containers:
       - image: busybox:v1.35
         name: busybox
-        command: ["sleep", "3600"]
+        command: ["sleep", "3600"]
+      initContainers:
+      - image: busybox:v1.35
+        name: busyboxinit
+        command: ["sleep", "3600"]

best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml

@@ -7,4 +7,9 @@ spec:
   - name: busybox
     image: busybox:v1.35
   - name: nothelmbox
-    image: busybox:v1.35
+    image: busybox:v1.35
+  initContainers:
+  - name: busyboxinit
+    image: busybox:v1.35
+  - name: nothelmboxinit
+    image: busybox:v1.35

best-practices/disallow-helm-tiller/.kyverno-test/resource.yaml

@@ -6,6 +6,10 @@ spec:
   containers:
   - name: helm-tiller
     image: docker.io/tiller:latest
+  initContainers:
+  - name: helm-tillerinit
+    image: docker.io/tiller:latest
+
 ---
 apiVersion: v1
 kind: Pod
@@ -17,6 +21,11 @@ spec:
     image: busybox:1.28
   - name: helm-tiller
     image: docker.io/tiller:latest
+  initContainers:
+  - name: busyboxinit
+    image: busybox:1.28
+  - name: helm-tillerinit
+    image: docker.io/tiller:latest
 ---
 apiVersion: v1
 kind: Pod
@@ -26,6 +35,9 @@ spec:
   containers:
   - name: busybox
     image: busybox
+  initContainers:
+  - name: busyboxinit
+    image: busybox
 ---
 apiVersion: v1
 kind: Pod
@@ -37,6 +49,11 @@ spec:
     image: busybox
   - name: nginx
     image: nginx
+  initContainers:
+  - name: busyboxinit
+    image: busybox
+  - name: nginxinit
+    image: nginx
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -59,6 +76,10 @@ spec:
       - image: busybox:1.28
         name: busybox
         command: ["sleep", "9999"]
+      initContainers:
+      - image: busybox:1.28
+        name: busyboxinit
+        command: ["sleep", "9999"]
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -80,3 +101,6 @@ spec:
       containers:
       - image: docker.io/tiller:latest
         name: helm-tiller
+      initContainers:
+      - image: docker.io/tiller:latest
+        name: helm-tillerinit

best-practices/disallow-helm-tiller/artifacthub-pkg.yml

@@ -18,4 +18,4 @@ readme: |
 annotations:
   kyverno/category: "Sample"
   kyverno/subject: "Pod"
-digest: 6de64a4a8d611c250dc0190b28b6c757db531063161531e4f68202c0fbda5be4
+digest: 3d92f3a2949283ad6d9baa99565e407c5cd78d015e0220750de522ac40ce1de2

best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml

@@ -11,7 +11,7 @@ metadata:
     policies.kyverno.io/description: >-
       Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared
       resource accessible to any authenticated user. Tiller can lead to privilege escalation as
-      restricted users can impact other users. It is recommend to use Helm v3+ which does not contain
+      restricted users can impact other users. It is recommended to use Helm v3+ which does not contain
       Tiller for these reasons. This policy validates that there is not an image
       containing the name `tiller`.
 spec:
@@ -26,8 +26,13 @@ spec:
               - Pod
       validate:
         message: "Helm Tiller is not allowed"
-        pattern:
-          spec:
-            containers:
-              - name: "*"
-                image: "!*tiller*"
+        foreach:
+        - list: "request.object.spec.containers"
+          pattern:
+            image: "!*tiller*"
+        - list: "request.object.spec.initContainers"
+          pattern:
+            image: "!*tiller*"
+        - list: "request.object.spec.ephemeralContainers"
+          pattern:
+            image: "!*tiller*"

best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml

@@ -7,4 +7,9 @@ spec:
   - name: busybox
     image: busybox:latest
   - name: nginx
-    image: nginx:1.35
+    image: nginx:1.35
+  initContainers:
+  - name: busyboxinit
+    image: busybox:latest
+  - name: nginxinit
+    image: nginx:1.35

best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml

@@ -7,4 +7,9 @@ spec:
   - name: nginx
     image: nginx:1.35
   - name: busybox
-    image: busybox:latest
+    image: busybox:latest
+  initContainers:
+  - name: nginxinit
+    image: nginx:1.35
+  - name: busyboxinit
+    image: busybox:latest

best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml

@@ -8,6 +8,11 @@ spec:
     image: busybox
   - name: nginx
     image: nginx:1.35
+  initContainers:
+  - name: busyboxinit
+    image: busybox
+  - name: nginxinit
+    image: nginx:1.35
 ---
 apiVersion: v1
 kind: Pod
@@ -19,6 +24,11 @@ spec:
     image: nginx:1.35
   - name: busybox
     image: busybox
+  initContainers:
+  - name: nginxinit
+    image: nginx:1.35
+  - name: busyboxinit
+    image: busybox
 ---
 apiVersion: v1
 kind: Pod
@@ -29,4 +39,9 @@ spec:
   - name: busybox
     image: busybox
   - name: nginx
-    image: nginx:latest
+    image: nginx:latest
+  initContainers:
+  - name: busyboxinit
+    image: busybox
+  - name: nginxinit
+    image: nginx:latest

best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml

@@ -5,4 +5,7 @@ metadata:
 spec:
   containers:
   - name: busybox
-    image: busybox:v1.35
+    image: busybox:v1.35
+  initContainers:
+  - name: busyboxinit
+    image: busybox:v1.35

best-practices/disallow-latest-tag/.kyverno-test/resource.yaml

@@ -8,6 +8,9 @@ spec:
   containers:
   - name: nginx
     image: nginx:1.12
+  initContainers:
+  - name: nginxinit
+    image: nginx:1.12
 ---
 apiVersion: v1
 kind: Pod
@@ -19,6 +22,9 @@ spec:
   containers:
   - name: nginx
     image: nginx
+  initContainers:
+  - name: nginxinit
+    image: nginx
 ---
 apiVersion: v1
 kind: Pod
@@ -32,6 +38,11 @@ spec:
     image: busybox:1.28
   - name: nginx
     image: nginx
+  initContainers:
+  - name: busyboxinit
+    image: busybox:1.28
+  - name: nginxinit
+    image: nginx
 ---
 apiVersion: v1
 kind: Pod
@@ -43,6 +54,9 @@ spec:
   containers:
   - name: nginx
     image: nginx:latest
+  initContainers:
+  - name: nginxinit
+    image: nginx:latest
 ---
 apiVersion: v1
 kind: Pod
@@ -56,6 +70,11 @@ spec:
     image: busybox:1.28
   - name: nginx
     image: nginx:latest
+  initContainers:
+  - name: busyboxinit
+    image: busybox:1.28
+  - name: nginxinit
+    image: nginx:latest
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -77,6 +96,10 @@ spec:
       - image: busybox:1.28
         name: busybox
         command: ["sleep", "9999"]
+      initContainers:
+      - image: busybox:1.28
+        name: busyboxinit
+        command: ["sleep", "9999"]
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -98,6 +121,10 @@ spec:
       - image: busybox
         name: busybox
         command: ["sleep", "9999"]
+      initContainers:
+      - image: busybox
+        name: busyboxinit
+        command: ["sleep", "9999"]
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -119,3 +146,7 @@ spec:
       - image: busybox:latest
         name: busybox
         command: ["sleep", "9999"]
+      initContainers:
+      - image: busybox:latest
+        name: busyboxinit
+        command: ["sleep", "9999"]

best-practices/disallow-latest-tag/artifacthub-pkg.yml

@@ -1,6 +1,6 @@
 name: disallow-latest-tag
 version: 1.0.0
-displayName: Disallow Latest Tag
+displayName: Disallow Latest Tags
 createdAt: "2023-04-10T19:47:15.000Z"
 description: >-
   The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application Pod. This policy validates that the image specifies a tag and that it is not called `latest`.
@@ -18,4 +18,4 @@ readme: |
 annotations:
   kyverno/category: "Best Practices"
   kyverno/subject: "Pod"
-digest: 3d19e0d8f2637eca9ad1d700f4fbf556aaa31221ff6c40698b9aadda1f41adb4
+digest: 2760272e57d9988ba447f62d23bba382092d00a5e14dbf00555e4170ea90593a

best-practices/disallow-latest-tag/disallow-latest-tag.yaml

@@ -25,10 +25,16 @@ spec:
           - Pod
     validate:
       message: "An image tag is required."
-      pattern:
-        spec:
-          containers:
-          - image: "*:*"
+      foreach:
+        - list: "request.object.spec.containers"
+          pattern:
+            image: "*:*"
+        - list: "request.object.spec.initContainers"
+          pattern:
+            image: "*:*"
+        - list: "request.object.spec.ephemeralContainers"
+          pattern:
+            image: "*:*"
   - name: validate-image-tag
     match:
       any:
@@ -37,7 +43,13 @@ spec:
           - Pod
     validate:
       message: "Using a mutable image tag e.g. 'latest' is not allowed."
-      pattern:
-        spec:
-          containers:
-          - image: "!*:latest"
+      foreach:
+        - list: "request.object.spec.containers"
+          pattern:
+            image: "!*:latest"
+        - list: "request.object.spec.initContainers"
+          pattern:
+            image: "!*:latest"
+        - list: "request.object.spec.ephemeralContainers"
+          pattern:
+            image: "!*:latest"

other/check-vpa-configuration/.chainsaw-test/chainsaw-test.yaml

@@ -6,6 +6,8 @@ spec:
   steps:
   - name: 01 - Create policy and Enforce
     try:
+    - apply:
+        file: permissions.yaml
     - apply:
         file: ../check-vpa-configuration.yaml
     - patch:

other/check-vpa-configuration/.chainsaw-test/permissions.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno:vpa
+  labels:
+    rbac.kyverno.io/aggregate-to-background-controller: "true"
+    rbac.kyverno.io/aggregate-to-reports-controller: "true"
+    rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+  - autoscaling.k8s.io
+  resources:
+  - verticalpodautoscalers
+  verbs:
+  - get
+  - list
+  - watch