apiVersion: templates.gatekeeper.sh/v1beta1 kind: ConstraintTemplate metadata: name: k8spodsecuritycontext annotations: description: Checks invalid Security Contexts. spec: crd: spec: names: kind: K8sPodSecurityContext validation: openAPIV3Schema: properties: ops: type: array items: type: string errMsg: type: string targets: - target: admission.k8s.gatekeeper.sh libs: - | package lib.k8s.helpers constraint_ops = value { value := input.parameters.ops } review_operation = value { value := input.review.operation } review_metadata_labels = value { value := input.review.object.metadata.labels } review_spec_template_metadata_labels = value { value := input.review.object.spec.template.metadata.labels } deployment_containers = value { value := input.review.object.spec.template.spec.containers } deployment_pod = value { value := input.review.object.spec.template.spec } review_id = value { value := sprintf("%v/%v/%v", [ review_kind, review_namespace, review_name ]) } review_name = value { value := input.review.object.metadata.name } else = value { value := "NOT_FOUND" } review_namespace = value { value := input.review.object.metadata.namespace } else = value { value := "NOT_FOUND" } review_kind = value { value := input.review.kind.kind } else = value { value := "NOT_FOUND" } rego: | package k8sdepsecuritycontext import data.lib.k8s.helpers as helpers violation[{"msg": msg, "details": {}}] { helpers.review_operation = helpers.constraint_ops[_] container = input_containers[_] not container.securityContext msg := sprintf("%v: Valid securityContext element not found. Resource ID (kind/ns/name): %v", [input.parameters.errMsg,helpers.review_id]) } violation[{"msg": msg, "details": {}}] { helpers.review_operation = helpers.constraint_ops[_] container = input_containers[_] container.securityContext.privileged msg := sprintf("%v: securityContext is privileged. Resource ID (kind/ns/name): %v", [input.parameters.errMsg,helpers.review_id]) } violation[{"msg": msg, "details": {}}] { helpers.review_operation = helpers.constraint_ops[_] container = input_containers[_] container.securityContext.allowPrivilegeEscalation msg := sprintf("%v: securityContext allows privilege escalation. Resource ID (kind/ns/name): %v", [input.parameters.errMsg,helpers.review_id]) } violation[{"msg": msg, "details": {}}] { helpers.review_operation = helpers.constraint_ops[_] container = input_containers[_] not container.securityContext.runAsUser msg := sprintf("%v: securityContext does not contain runAsUser element. Resource ID (kind/ns/name): %v", [input.parameters.errMsg,helpers.review_id]) } violation[{"msg": msg, "details": {}}] { helpers.review_operation = helpers.constraint_ops[_] container = input_containers[_] not container.securityContext.runAsUser > 0 msg := sprintf("%v: securityContext is set to run as UID 0. Resource ID (kind/ns/name): %v", [input.parameters.errMsg,helpers.review_id]) } violation[{"msg": msg, "details": {}}] { helpers.review_operation = helpers.constraint_ops[_] container = input_containers[_] not container.securityContext.readOnlyRootFilesystem msg := sprintf("%v: securityContext does not have a readonly root filesystem. Resource ID (kind/ns/name): %v", [input.parameters.errMsg,helpers.review_id]) } input_containers[c] { c := input.review.object.spec.containers[_] } input_containers[c] { c := input.review.object.spec.initContainers[_] }