Skip to content

Commit

Permalink
Upgrade cel using variables
Browse files Browse the repository at this point in the history
Signed-off-by: Lavish pal <lvishpal408@gmail.com>
  • Loading branch information
lavishpal committed Aug 9, 2024
1 parent 412727e commit ab6d073
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 23 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,5 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline) in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
digest: b95cfe16e11be0b9507736687bd99b5ea78c455f8fc35194220326ea5ff3913c
digest: acd23ec8b3bd13a00e143757b60d027eb084a566839c9cf4caafdb06144b88fb
createdAt: "2023-12-03T00:22:34Z"
Original file line number Diff line number Diff line change
Expand Up @@ -28,26 +28,19 @@ spec:
- UPDATE
validate:
cel:
expressions:
- expression: >-
object.spec.containers.all(container, !has(container.ports) ||
container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
message: >-
Use of host ports is disallowed. The field spec.containers[*].ports[*].hostPort
must either be unset or set to `0`.
variables:
- name: allContainers
expression: >-
object.spec.containers +
object.spec.?initContainers.orValue([]) +
object.spec.?ephemeralContainers.orValue([])
expressions:
- expression: >-
variables.allContainers.all(container,
container.?ports.orValue([]).all(port, port.?hostPort.orValue(0) == 0))
message: |-
Use of host ports is disallowed. The field spec.containers[*].ports[*].hostPort,
spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
must either be unset or set to `0`.
- expression: >-
!has(object.spec.initContainers) ||
object.spec.initContainers.all(container, !has(container.ports) ||
container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
message: >-
Use of host ports is disallowed. The field spec.initContainers[*].ports[*].hostPort
must either be unset or set to `0`.
- expression: >-
!has(object.spec.ephemeralContainers) ||
object.spec.ephemeralContainers.all(container, !has(container.ports) ||
container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
message: >-
Use of host ports is disallowed. The field spec.ephemeralContainers[*].ports[*].hostPort
must either be unset or set to `0`.

0 comments on commit ab6d073

Please sign in to comment.