multi: iterate all container types

In this commit, we ensure policies apply to `ephemeralContainers`, `initContainers`, and `containers`. Signed-off-by: Mohamed Awnallah <[email protected]>
kyverno · Jul 15, 2024 · c18afd4 · c18afd4
1 parent a1b8992
commit c18afd4
Show file tree

Hide file tree

Showing 26 changed files with 84 additions and 29 deletions.
diff --git a/best-practices/require-probes/require-probes.yaml b/best-practices/require-probes/require-probes.yaml
@@ -36,7 +36,7 @@ spec:
     validate:
       message: "Liveness, readiness, or startup probes are required for all containers."
       foreach:
-      - list: request.object.spec.containers[]
+      - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
         deny:
           conditions:
             all:

diff --git a/karpenter/set-karpenter-non-cpu-limits/set-karpenter-non-cpu-limits.yaml b/karpenter/set-karpenter-non-cpu-limits/set-karpenter-non-cpu-limits.yaml
@@ -25,7 +25,7 @@ spec:
                 - Pod
       mutate:
         foreach:
-          - list: request.object.spec.containers
+          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
             patchStrategicMerge:
               spec:
                 containers:
@@ -43,7 +43,7 @@ spec:
                 - Pod
       mutate:
         foreach:
-          - list: request.object.spec.containers
+          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
             patchStrategicMerge:
               spec:
                 containers:

diff --git a/other/add-certificates-volume/add-certificates-volume.yaml b/other/add-certificates-volume/add-certificates-volume.yaml
@@ -36,7 +36,7 @@ spec:
           - UPDATE
     mutate:
       foreach:
-      - list: "request.object.spec.containers"
+      - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
         patchStrategicMerge:
           spec:
             containers:

diff --git a/other/add-image-as-env-var/add-image-as-env-var.yaml b/other/add-image-as-env-var/add-image-as-env-var.yaml
@@ -26,7 +26,7 @@ spec:
           - Pod
     mutate:
       foreach:
-      - list: request.object.spec.containers[]
+      - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
         patchesJson6902: |-
           - op: add
             path: /spec/containers/{{elementIndex}}/env/-

diff --git a/other/annotate-base-images/annotate-base-images.yaml b/other/annotate-base-images/annotate-base-images.yaml
@@ -33,7 +33,7 @@ spec:
         value: DELETE
     mutate:
       foreach:
-      - list: "request.object.spec.containers"
+      - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
         context:
         - name: imageData
           imageRegistry: 

diff --git a/other/block-images-with-volumes/block-images-with-volumes.yaml b/other/block-images-with-volumes/block-images-with-volumes.yaml
@@ -32,7 +32,7 @@ spec:
     validate:
       message: "Images containing built-in volumes are prohibited."
       foreach:
-      - list: "request.object.spec.containers"
+      - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
         context: 
         - name: imageData
           imageRegistry: 

diff --git a/other/block-large-images/block-large-images.yaml b/other/block-large-images/block-large-images.yaml
@@ -32,7 +32,7 @@ spec:
     validate:
       message: "images with size greater than 2Gi not allowed"  
       foreach:
-      - list: "request.object.spec.containers"
+      - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
         context: 
         - name: imageSize
           imageRegistry: 

diff --git a/other/block-stale-images/block-stale-images.yaml b/other/block-stale-images/block-stale-images.yaml
@@ -26,7 +26,7 @@ spec:
       validate:
         message: "Images built more than 6 months ago are prohibited."
         foreach:
-        - list: "request.object.spec.containers"
+        - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
           context:
           - name: imageData
             imageRegistry:

diff --git a/other/check-nvidia-gpu/check-nvidia-gpu.yaml b/other/check-nvidia-gpu/check-nvidia-gpu.yaml
@@ -33,7 +33,7 @@ spec:
     validate:
       message: "Images which reserve NVIDIA GPUs must be built to use them."
       foreach:
-      - list: "request.object.spec.containers"
+      - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
         context: 
         - name: imageData
           imageRegistry: 

diff --git a/other/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml b/other/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml
@@ -26,7 +26,7 @@ spec:
               - Pod
       preconditions:
         all:
-        - key: "{{ length(request.object.spec.containers[].livenessProbe.exec.command[] || `[]`) }}"
+        - key: "{{ length(request.object.spec.[ephemeralContainers, initContainers, containers][].livenessProbe.exec.command[] || `[]`) }}"
           operator: GreaterThan
           value: 0
         - key: "{{ request.operation }}"
@@ -40,12 +40,12 @@ spec:
             - key:
               - true
               operator: AnyIn
-              value: "{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match('\\bjcmd\\b',@) }}"
+              value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].livenessProbe.exec.command[].regex_match('\\bjcmd\\b',@) }}"
             - key:
               - true
               operator: AnyIn
-              value: "{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match('\\bps\\b',@) }}"
+              value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].livenessProbe.exec.command[].regex_match('\\bps\\b',@) }}"
             - key:
               - true
               operator: AnyIn
-              value: "{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match('\\bls\\b',@) }}"
+              value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].livenessProbe.exec.command[].regex_match('\\bls\\b',@) }}"
diff --git a/other/enforce-resources-as-ratio/enforce-resources-as-ratio.yaml b/other/enforce-resources-as-ratio/enforce-resources-as-ratio.yaml
@@ -34,7 +34,7 @@ spec:
     validate:
       message: Limits may not exceed 2.5x the requests.
       foreach:
-      - list: "request.object.spec.containers"
+      - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
         deny:
           conditions:
             any:

diff --git a/other/inject-env-var-from-image-label/inject-env-var-from-image-label.yaml b/other/inject-env-var-from-image-label/inject-env-var-from-image-label.yaml
@@ -32,7 +32,7 @@ spec:
         value: DELETE
     mutate:
       foreach:
-      - list: "request.object.spec.containers"
+      - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
         context: 
         - name: maintainer
           imageRegistry: 

diff --git a/other/limit-containers-per-pod/limit-containers-per-pod.yaml b/other/limit-containers-per-pod/limit-containers-per-pod.yaml
@@ -35,6 +35,6 @@ spec:
       deny:
         conditions:
           any:
-          - key: "{{request.object.spec.containers[] | length(@)}}"
+          - key: "{{request.object.spec.[ephemeralContainers, initContainers, containers][] | length(@)}}"
             operator: GreaterThan
             value: "4"
diff --git a/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml b/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml
@@ -27,6 +27,6 @@ spec:
       deny:
         conditions:
           any:
-          - key: "{{ request.object.spec.containers[?resources.requests.memory!=resources.limits.memory] | length(@) }}"
-            operator: NotEquals
+          - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][] | [?resources.requests.memory!=resources.limits.memory] | length(@) }}"
+            operator: GreaterThanOrEquals
             value: 0
diff --git a/other/only-trustworthy-registries-set-root/only-trustworthy-registries-set-root.yaml b/other/only-trustworthy-registries-set-root/only-trustworthy-registries-set-root.yaml
@@ -32,7 +32,7 @@ spec:
     validate:
       message: "Images with root user are not allowed to be pulled from any registry other than ghcr.io."  
       foreach:
-      - list: "request.object.spec.containers"
+      - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
         context: 
         - name: imageData
           imageRegistry: 

diff --git a/other/prepend-image-registry/prepend-image-registry.yaml b/other/prepend-image-registry/prepend-image-registry.yaml
@@ -64,3 +64,24 @@ spec:
             initContainers:
             - name: "{{ element.name }}"           
               image: registry.io/{{ images.initContainers."{{element.name}}".path}}:{{images.initContainers."{{element.name}}".tag}}
+  - name: prepend-registry-ephemeralContainers
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    preconditions:
+      all:
+      - key: "{{request.operation || 'BACKGROUND'}}"
+        operator: AnyIn
+        value:
+        - CREATE
+        - UPDATE
+    mutate:
+      foreach:
+      - list: "request.object.spec.ephemeralContainers"
+        patchStrategicMerge:
+          spec:
+            containers:
+            - name: "{{ element.name }}"
+              image: registry.io/{{ images.ephemeralContainers."{{element.name}}".path}}:{{images.ephemeralContainers."{{element.name}}".tag}}
diff --git a/other/remove-hostpath-volumes/remove-hostpath-volumes.yaml b/other/remove-hostpath-volumes/remove-hostpath-volumes.yaml
@@ -46,7 +46,7 @@ spec:
             patchesJson6902: |-
               - path: /spec/volumes/{{elementIndex}}
                 op: remove
-          - list: request.object.spec.containers[]
+          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
             foreach:
             - list: " element.volumeMounts || `[]` "
               order: Descending

diff --git a/other/remove-serviceaccount-token/remove-serviceaccount-token.yaml b/other/remove-serviceaccount-token/remove-serviceaccount-token.yaml
@@ -58,7 +58,7 @@ spec:
             patchesJson6902: |-
               - path: /spec/volumes/{{elementIndex}}
                 op: remove
-          - list: request.object.spec.containers[]
+          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
             foreach:
             - list: element.volumeMounts
               order: Descending

diff --git a/other/replace-image-registry-with-harbor/replace-image-registry-with-harbor.yaml b/other/replace-image-registry-with-harbor/replace-image-registry-with-harbor.yaml
@@ -61,3 +61,18 @@ spec:
                 containers:
                   - name: "{{ element.name }}"
                     image: harbor.example.com/k8s/{{imageData.repository}}:{{imageData.identifier}}
+          - list: request.object.spec.ephemeralContainers[]
+            context:
+              - name: imageData
+                imageRegistry:
+                  reference: "{{ element.image }}"
+            preconditions:
+              any:
+                - key: "{{imageData.registry}}"
+                  operator: Equals
+                  value: index.docker.io
+            patchStrategicMerge:
+              spec:
+                containers:
+                  - name: "{{ element.name }}"
+                    image: harbor.example.com/k8s/{{imageData.repository}}:{{imageData.identifier}}
diff --git a/other/replace-image-registry/replace-image-registry.yaml b/other/replace-image-registry/replace-image-registry.yaml
@@ -57,3 +57,22 @@ spec:
               initContainers:
               - name: "{{ element.name }}"
                 image: "{{ regex_replace_all('^(localhost/|(?:[a-z0-9]+\\.)+[a-z0-9]+/)?(.*)$', '{{element.image}}', 'myregistry.corp.com/$2' )}}"
+    - name: replace-image-registry-pod-ephemeralContainers
+      match:
+        any:
+        - resources:
+            kinds:
+            - Pod
+      preconditions:
+        all:
+        - key: "{{ request.object.spec.ephemeralContainers[] || `[]` | length(@) }}"
+          operator: GreaterThanOrEquals
+          value: 1
+      mutate:
+        foreach:
+        - list: "request.object.spec.ephemeralContainers"
+          patchStrategicMerge:
+            spec:
+              initContainers:
+              - name: "{{ element.name }}"
+                image: "{{ regex_replace_all('^(localhost/|(?:[a-z0-9]+\\.)+[a-z0-9]+/)?(.*)$', '{{element.image}}', 'myregistry.corp.com/$2' )}}"
diff --git a/other/require-base-image/require-base-image.yaml b/other/require-base-image/require-base-image.yaml
@@ -37,7 +37,7 @@ spec:
     validate:
       message: "Images must specify a source/base image from which they are built."
       foreach:
-      - list: "request.object.spec.containers"
+      - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
         context: 
         - name: imageData
           imageRegistry: 

diff --git a/other/require-image-source/require-image-source.yaml b/other/require-image-source/require-image-source.yaml
@@ -34,7 +34,7 @@ spec:
     validate:
       message: "The image source must be specified in a label or annotation."
       foreach:
-      - list: "request.object.spec.containers"
+      - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
         context: 
         - name: imageData
           imageRegistry: 

diff --git a/other/require-qos-burstable/require-qos-burstable.yaml b/other/require-qos-burstable/require-qos-burstable.yaml
@@ -32,7 +32,7 @@ spec:
           all:
           - key: requests
             operator: AnyNotIn
-            value: "{{ request.object.spec.containers[].resources.keys(@)[] }}"
+            value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].resources.keys(@)[] }}"
           - key: limits
             operator: AnyNotIn
-            value: "{{ request.object.spec.containers[].resources.keys(@)[] }}"
+            value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].resources.keys(@)[] }}"
diff --git a/other/require-qos-guaranteed/require-qos-guaranteed.yaml b/other/require-qos-guaranteed/require-qos-guaranteed.yaml
@@ -29,7 +29,7 @@ spec:
     validate:
       message: "All containers must define memory and CPU requests and limits where they are equal."
       foreach:
-      - list: "request.object.spec.containers"
+      - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
         pattern:
           resources:
             requests:

diff --git a/other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml b/other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml
@@ -46,6 +46,6 @@ spec:
         conditions:
         # this checks uids for ALL containers in any pod of the workload
           all:
-          - key: "{{ request.object.spec.containers[].securityContext.to_string(runAsUser) }}"
+          - key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.to_string(runAsUser) }}"
             operator: AnyIn
             value: "{{ uidsAllPodsExceptSameOwnerAsRequestObject }}"
diff --git a/other/resolve-image-to-digest/resolve-image-to-digest.yaml b/other/resolve-image-to-digest/resolve-image-to-digest.yaml
@@ -30,7 +30,7 @@ spec:
         value: DELETE
     mutate:
       foreach:
-      - list: "request.object.spec.containers"
+      - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
         context:
           - name: resolvedRef
             imageRegistry: