From 237e5a22d040ae32bcb554728033ba6a695085c7 Mon Sep 17 00:00:00 2001
From: Lavish pal
Date: Tue, 6 Aug 2024 15:00:17 +0530
Subject: [PATCH] Upgrade cel using variables
Signed-off-by: Lavish pal
---
 .../disallow-host-ports/artifacthub-pkg.yml | 2 +-
 .../disallow-host-ports.yaml | 37 ++++++++-----------
 2 files changed, 16 insertions(+), 23 deletions(-)
diff --git a/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml
index 619a073ff..59028778c 100644
--- a/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml
+++ b/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml
@@ -19,5 +19,5 @@ annotations:
 kyverno/category: "Pod Security Standards (Baseline) in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: b95cfe16e11be0b9507736687bd99b5ea78c455f8fc35194220326ea5ff3913c
+digest: acd23ec8b3bd13a00e143757b60d027eb084a566839c9cf4caafdb06144b88fb
 createdAt: "2023-12-03T00:22:34Z"
diff --git a/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml b/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml
index b7603ecfb..963eff8f2 100644
--- a/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml
+++ b/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml
@@ -28,26 +28,19 @@ spec:
 - UPDATE
 validate:
 cel:
- expressions:
- - expression: >-
- object.spec.containers.all(container, !has(container.ports) ||
- container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
- message: >-
- Use of host ports is disallowed. The field spec.containers[*].ports[*].hostPort
- must either be unset or set to `0`.
+ variables:
+ - name: allContainers
+ expression: >-
+ object.spec.containers +
+ object.spec.?initContainers.orValue([]) +
+ object.spec.?ephemeralContainers.orValue([])
+ expressions:
+ - expression: >-
+ variables.allContainers.all(container,
+ container.?ports.orValue([]).all(port, port.?hostPort.orValue(0) == 0))
+ message: |-
+ Use of host ports is disallowed. The field spec.containers[*].ports[*].hostPort,
+ spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
+ must either be unset or set to `0`.
- - expression: >-
- !has(object.spec.initContainers) ||
- object.spec.initContainers.all(container, !has(container.ports) ||
- container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
- message: >-
- Use of host ports is disallowed. The field spec.initContainers[*].ports[*].hostPort
- must either be unset or set to `0`.
-
- - expression: >-
- !has(object.spec.ephemeralContainers) ||
- object.spec.ephemeralContainers.all(container, !has(container.ports) ||
- container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
- message: >-
- Use of host ports is disallowed. The field spec.ephemeralContainers[*].ports[*].hostPort
- must either be unset or set to `0`.
+ 
\ No newline at end of file
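Review bot: The last added line of this hunk is a whitespace-only line followed by `\ No newline at end of file`, so the policy file now ends with stray whitespace and no terminating newline; drop that line and end the file after `must either be unset or set to `0`.` with a single newline. The rewrite also relies on optional-field syntax (`.?` / `orValue`) and a `variables` block, while the package metadata in the previous file section still advertises `kyverno/kubernetesVersion: "1.26-1.27"`, so that range should be re-checked against the Kyverno/Kubernetes versions that accept these constructs, otherwise the policy may be rejected or not enforce the host-port guard on clusters the metadata claims to cover. Because the three container lists are now folded into one variable, a denial no longer indicates whether the offending `hostPort` was in a regular, init, or ephemeral container; if the Kyverno version in use supports a CEL message expression (`messageExpression`), consider using it to name the container, or at least note this loss of specificity in the policy description. The enclosing `spec:` block starts outside the hunk.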