From 8c72cba32d95d7baf6fd643eaa06197efb4a522a Mon Sep 17 00:00:00 2001
From: epasham
Date: Wed, 23 Oct 2024 06:36:56 +0000
Subject: [PATCH] cel expression updated to support NET_RAW drop capability

Signed-off-by: epasham
---
 .../.chainsaw-test/good-pod.yaml | 17 ++++++++++++++++-
 .../artifacthub-pkg.yml | 4 ++--
 .../require-drop-cap-net-raw.yaml | 5 +++--
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
index ee9c97a56..3133e2a27 100644
--- a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
+++ b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
@@ -23,4 +23,19 @@ spec:
 capabilities:
 drop:
 - CAP_NET_RAW
-
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: drop-netraw-good
+spec:
+ containers:
+ - args:
+ - sleep
+ - infinity
+ image: ghcr.io/kyverno/test-busybox:1.35
+ name: busybox
+ securityContext:
+ capabilities:
+ drop:
+ - NET_RAW
diff --git a/best-practices-cel/require-drop-cap-net-raw/artifacthub-pkg.yml b/best-practices-cel/require-drop-cap-net-raw/artifacthub-pkg.yml
index d726f54fe..f9f281d49 100644
--- a/best-practices-cel/require-drop-cap-net-raw/artifacthub-pkg.yml
+++ b/best-practices-cel/require-drop-cap-net-raw/artifacthub-pkg.yml
@@ -19,6 +19,6 @@ annotations:
 kyverno/category: "Best Practices in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: 28cac97e2c441528f12158cc0c6d3c8c07067537831a88d5445a2128b42746b4
-createdAt: "2024-03-15T03:05:47Z"
+digest: 594b30a84f36a2b46b723a4110d843f6099d7e7c17c82b70a91942c7081bb901
+createdAt: "2024-10-23T03:05:47Z"
diff --git a/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml b/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
index f6d7440aa..80e3c955f 100644
--- a/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
+++ b/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
@@ -32,12 +32,13 @@ spec:
 validate:
 cel:
 variables:
+ - name: mustDropCapabilities
+ expression: "['CAP_NET_RAW','NET_RAW']"
 - name: allContainers
 expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
 expressions:
 - expression: >-
 variables.allContainers.all(container,
- container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() == 'CAP_NET_RAW'))
+ container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() in variables.mustDropCapabilities))
 message: >-
 Containers must drop the `CAP_NET_RAW` capability.
-
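Review bot: A container whose `drop` list is `[ALL]` still fails the new `exists(...)` check, because the accepted spellings in `mustDropCapabilities` are only `CAP_NET_RAW` and `NET_RAW`; dropping `ALL` removes NET_RAW too and is what the Pod Security "restricted" profile asks for, so the policy currently rejects the stricter configuration. Unless rejecting `ALL` is intended, change the new variable to `expression: "['CAP_NET_RAW','NET_RAW','ALL']"` (the `upperAscii()` normalisation already makes `all` match) and add a matching good-pod fixture. The `message` on the last context lines still names only `CAP_NET_RAW` although `NET_RAW` is now accepted; consider `Containers must drop the NET_RAW (CAP_NET_RAW) capability.` The `validate` block and the enclosing policy rule start before this hunk.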