Revert autogenerated changes for pod-security-policy/forbidden-sysctl…

…s 1.0.0 Signed-off-by: Hidehito Yabuuchi <hdht.ybuc@gmail.com>
open-policy-agent · Nov 9, 2022 · 4fc2715 · 4fc2715
1 parent 033c03f
commit 4fc2715
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 70 deletions.
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.0.0/README.md b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.0.0/README.md
@@ -1,36 +1,5 @@
 # Forbidden Sysctls security context policy
 
-The forbidden sysctls constraint allows one to limit the set of kernel parameters that can be modified by pods. This is accomplished by specifying a combination of allowed and forbidden sysctls using either of two parameters: `allowedSysctls` and `forbiddenSysctls`.
+Forbidden sysctls excludes specific sysctls. You can forbid a combination of safe and unsafe sysctls in the list. To forbid setting any sysctls, use `*` on its own. If a sysctl pattern ends with a `*` character, such as `kernel.*`, it'll match `*` with rest of the sysctl.
 
-## Parameters
-
-`allowedSysctls`: A list of explicitly allowed sysctls. Any sysctl not in this list will be considered forbidden. '*' and trailing wildcards are supported. If unspecified, no limitations are made by this parameter.
-
-`forbiddenSysctls`: A list of explicitly denied sysctls. Any sysctl in this list will be considered forbidden. '*' and trailing wildcards are supported. If unspecified, no limitations are made by this parameter.
-
-## Examples
-
-```yaml
-parameters:
-  allowedSysctls: ['*']
-  forbiddenSysctls:
-    - kernel.msg*
-    - net.core.somaxconn
-```
-
-```yaml
-parameters:
-  allowedSysctls:
-    - kernel.shm_rmid_forced
-    - net.ipv4.ip_local_port_range
-    - net.ipv4.tcp_syncookies
-    - net.ipv4.ping_group_range
-  forbiddenSysctls: []
-```
-
-*Note*: `forbiddenSysctls` takes precedence, such that an explicitly forbidden sysctl is still forbidden even if it appears in `allowedSysctls` as well. However in practice, such overlap between the rules should be avoided.
-
-## References
-
-* [Using sysctls in a Kubernetes Cluster](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)
-* [Kubernetes API Reference - Sysctl](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#sysctl-v1-core)
+By default, all safe sysctls are allowed. If you wish to use unsafe sysctls, make sure to whitelist `--allowed-unsafe-sysctls` kubelet flag on each node. For example, `--allowed-unsafe-sysctls='kernel.msg*,kernel.shm.*,net.*'`.
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.0.0/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.0.0/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspforbiddensysctls
 displayName: Forbidden Sysctls
 createdAt: "2022-09-26T17:28:27Z"
 description: Controls the `sysctl` profile used by containers. Corresponds to the `forbiddenSysctls` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
-digest: 16d9f9f709b72c7e047477f5a4bda2e10bbcf70a8ed91eb4c4b73e2c72449eee
+digest: 9b9dd72e566453d8e1b5961848c5f354b19581c3f5264077885fdc08248cb632
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/forbidden-sysctls
 keywords:

diff --git a/...pod-security-policy/forbidden-sysctls/1.0.0/samples/psp-forbidden-sysctls/constraint.yaml b/...pod-security-policy/forbidden-sysctls/1.0.0/samples/psp-forbidden-sysctls/constraint.yaml
@@ -11,5 +11,3 @@ spec:
     forbiddenSysctls:
     # - "*" # * may be used to forbid all sysctls
     - kernel.*
-    allowedSysctls:
-    - "*" # allows all sysctls. allowedSysctls is optional.
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.0.0/template.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.0.0/template.yaml
@@ -7,10 +7,8 @@ metadata:
     metadata.gatekeeper.sh/version: 1.0.0
     description: >-
       Controls the `sysctl` profile used by containers. Corresponds to the
-      `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy.
-      Any sysctl not in the `allowedSysctls` parameter is considered to be forbidden.
-      The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter.
-      For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+      `forbiddenSysctls` field in a PodSecurityPolicy. For more information,
+      see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
 spec:
   crd:
     spec:
@@ -22,16 +20,9 @@ spec:
           type: object
           description: >-
             Controls the `sysctl` profile used by containers. Corresponds to the
-            `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy.
-            Any sysctl not in the `allowedSysctls` parameter is considered to be forbidden.
-            The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter.
-            For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+            `forbiddenSysctls` field in a PodSecurityPolicy. For more information,
+            see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
           properties:
-            allowedSysctls:
-              type: array
-              description: "An allow-list of sysctls. `*` allows all sysctls not listed in the `forbiddenSysctls` parameter."
-              items:
-                type: string
             forbiddenSysctls:
               type: array
               description: "A disallow-list of sysctls. `*` forbids all sysctls."
@@ -42,20 +33,12 @@ spec:
       rego: |
         package k8spspforbiddensysctls
 
-        # Block if forbidden
         violation[{"msg": msg, "details": {}}] {
             sysctl := input.review.object.spec.securityContext.sysctls[_].name
             forbidden_sysctl(sysctl)
             msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls])
         }
 
-        # Block if not explicitly allowed
-        violation[{"msg": msg, "details": {}}] {
-            sysctl := input.review.object.spec.securityContext.sysctls[_].name
-            not allowed_sysctl(sysctl)
-            msg := sprintf("The sysctl %v is not explictly allowed, pod: %v. Allowed sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.allowedSysctls])
-        }
-
         # * may be used to forbid all sysctls
         forbidden_sysctl(sysctl) {
             input.parameters.forbiddenSysctls[_] == "*"
@@ -68,16 +51,3 @@ spec:
         forbidden_sysctl(sysctl) {
             startswith(sysctl, trim(input.parameters.forbiddenSysctls[_], "*"))
         }
-
-        # * may be used to allow all sysctls
-        allowed_sysctl(sysctl) {
-            input.parameters.allowedSysctls[_] == "*"
-        }
-
-        allowed_sysctl(sysctl) {
-            input.parameters.allowedSysctls[_] == sysctl
-        }
-
-        allowed_sysctl(sysctl) {
-            startswith(sysctl, trim(input.parameters.allowedSysctls[_], "*"))
-        }