-- --------------------------------------------------------
-- Host: 127.0.0.1
-- Server version: 5.7.38 - MySQL Community Server (GPL)
-- Server OS: Linux
-- HeidiSQL version: 9.4.0.5125
-- --------------------------------------------------------
-- HeidiSQL export of the `policymanager` schema. The rest of the dump, including the
-- statements that restore the session variables saved below, lies past the part shown here.
-- `/*!NNNNN ... */` is a MySQL conditional comment: executed by a server at or above
-- version NNNNN, treated as a plain comment elsewhere.
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
-- The 5.5.3+ line overrides the 4.1.1+ one, so on this 5.7 server the session charset is
-- utf8mb4 while every table below is created with DEFAULT CHARSET=utf8 (MySQL's 3-byte
-- utf8mb3). Any 4-byte character in the stored policy text cannot be stored correctly —
-- rejected under strict mode, otherwise truncated — TODO confirm the policy text is BMP-only.
/*!40101 SET NAMES utf8 */;
/*!50503 SET NAMES utf8mb4 */;
-- Foreign-key checks are switched off so tables can be loaded in any order; the matching
-- restore from @OLD_FOREIGN_KEY_CHECKS is not in the part of the file shown — verify it exists.
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
-- NO_AUTO_VALUE_ON_ZERO keeps an explicit id of 0 in the INSERTs from being replaced by an
-- auto-generated value. Note this also drops any STRICT_* mode for the rest of the load.
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
-- Export of the policymanager database structure
-- Destructive: the whole existing database is dropped (every row added since the export
-- included) before being re-created, so this file is for a disposable or freshly backed-up
-- instance, not an in-place upgrade.
DROP DATABASE IF EXISTS `policymanager`;
CREATE DATABASE IF NOT EXISTS `policymanager` /*!40100 DEFAULT CHARACTER SET utf8 */;
USE `policymanager`;
-- Table structure for policymanager.cluster_manager
-- One row per managed cluster. `file` is free-form text whose content is not part of this
-- dump. NOTE(review): if `file` carries cluster access material it is held here in plain
-- text alongside the policies — confirm with the application how it is used and protected.
-- Only the primary key is declared: `name` is not UNIQUE and every other column is nullable.
DROP TABLE IF EXISTS `cluster_manager`;
CREATE TABLE IF NOT EXISTS `cluster_manager` (
    `id`          BIGINT(20)  NOT NULL AUTO_INCREMENT,
    `name`        VARCHAR(50) DEFAULT NULL,
    `describtion` VARCHAR(50) DEFAULT NULL,  -- sic: the application addresses the column by this spelling
    `createtime`  VARCHAR(50) DEFAULT NULL,  -- text rather than DATETIME: no format validation, lexical ordering
    `updatetime`  VARCHAR(50) DEFAULT NULL,
    `file`        MEDIUMTEXT,
    PRIMARY KEY (`id`)
) ENGINE = InnoDB
  AUTO_INCREMENT = 6
  DEFAULT CHARSET = utf8;
-- Data for policymanager.cluster_manager: the export estimated ~1 row, but no INSERT follows,
-- so the table is restored empty (the AUTO_INCREMENT of 6 is the only trace of earlier rows).
-- Whole-table DELETE is intentional: the dump replaces the contents (a no-op straight after CREATE).
DELETE FROM `cluster_manager`;
/*!40000 ALTER TABLE `cluster_manager` DISABLE KEYS */;
/*!40000 ALTER TABLE `cluster_manager` ENABLE KEYS */;
-- Table structure for policymanager.opa_gatekeeper_constraint
-- One row per Gatekeeper Constraint: `file` holds the Constraint YAML, `ctname` appears to
-- hold the `name` of the ConstraintTemplate it instantiates (the seed data pairs them by name
-- only — no FOREIGN KEY is declared, so a constraint can reference a missing or mis-spelled
-- template), and `type` is 'SYSTEM' for the seeded rows. `name` is not UNIQUE.
-- NOTE(review): this table is presumably the source of the policy the application pushes to
-- clusters; write access to it is then write access to cluster admission policy — confirm
-- how the application restricts it.
DROP TABLE IF EXISTS `opa_gatekeeper_constraint`;
CREATE TABLE IF NOT EXISTS `opa_gatekeeper_constraint` (
    `id`          BIGINT(50)   NOT NULL AUTO_INCREMENT,  -- (50) is only a display width; BIGINT stays 8 bytes
    `name`        VARCHAR(50)  DEFAULT NULL,
    `ctname`      VARCHAR(50)  DEFAULT NULL,
    `type`        VARCHAR(50)  DEFAULT NULL,
    `packagetype` VARCHAR(50)  DEFAULT NULL,
    `createtime`  VARCHAR(50)  DEFAULT NULL,  -- text rather than DATETIME: no format validation, lexical ordering
    `updatetime`  VARCHAR(50)  DEFAULT NULL,
    `file`        MEDIUMTEXT,
    `describtion` VARCHAR(100) DEFAULT NULL,  -- sic: the application addresses the column by this spelling
    PRIMARY KEY (`id`)
) ENGINE = InnoDB
  AUTO_INCREMENT = 20
  DEFAULT CHARSET = utf8;
-- Data for policymanager.opa_gatekeeper_constraint: ~15 rows at export time (estimate)
-- Whole-table DELETE is intentional: the dump replaces the contents (a no-op straight after CREATE).
DELETE FROM `opa_gatekeeper_constraint`;
/*!40000 ALTER TABLE `opa_gatekeeper_constraint` DISABLE KEYS */;
-- Seed rows for opa_gatekeeper_constraint. `file` is the Gatekeeper Constraint YAML for each
-- built-in (`type` = 'SYSTEM') policy; `ctname` names the ConstraintTemplate seeded further down.
-- Things to know before relying on these rows:
--   * id 6 stores `name` and `ctname` as ' proc-mount' with a leading space, so an exact
--     lookup on 'proc-mount' will not find it.
--   * id 1 has `describtion` = '' while the other seed rows use NULL; only id 17 sets a value.
--   * id 16 is absent; the table's AUTO_INCREMENT is 20.
--   * Scope differs per constraint: privileged-container (id 7) excludes kube-system,
--     linux-capabilities-drop-all (id 8) matches only the "default" namespace, and
--     resource-limit (id 17) targets apps/Deployment, DaemonSet and StatefulSet rather than Pod.
--   * id 8's requiredDropCapabilities list repeats several entries (SYS_ADMIN, SETPCAP,
--     DAC_OVERRIDE, ...); harmless for a set comparison, but noisy.
--   * Several parameter values are upstream examples rather than site values — host-filesystem
--     pathPrefix "/foo", flex-volumes drivers "example/lvm" and "example/cifs", host-network-ports
--     range 80-9000 — review them before enforcing.
-- NOTE(review): the YAML indentation in these strings reads as single spaces here; if the stored
-- text really is that flat it will not parse as the intended structure — TODO confirm against
-- the live database rather than this rendering.
INSERT INTO `opa_gatekeeper_constraint` (`id`, `name`, `ctname`, `type`, `packagetype`, `createtime`, `updatetime`, `file`, `describtion`) VALUES
(1, 'volume-types', 'volume-types', 'SYSTEM', 'k8s YAML', '2022-06-27 18:13:16', '2022-06-28 14:48:16', 'apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: Volume-Types\nmetadata:\n name: volume-types\nspec:\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n volumes:\n # - "*" # * may be used to allow all volume types\n - configMap\n - emptyDir\n - projected\n - secret\n - downwardAPI\n - persistentVolumeClaim\n #- hostPath #required for allowedHostPaths\n #- flexVolume #required for allowedFlexVolumes', ''),
(2, 'pods-allowed-user-ranges', 'allowed-users', 'SYSTEM', 'k8s YAML', '2022-06-27 18:16:24', '2022-06-27 18:16:24', 'apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: Allowed-Users\nmetadata:\n name: pods-allowed-user-ranges\nspec:\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n runAsUser:\n rule: MustRunAsNonRoot # MustRunAsNonRoot # RunAsAny\n runAsGroup:\n rule: RunAsAny # MayRunAs # RunAsAny\n supplementalGroups:\n rule: MustRunAs # MayRunAs # RunAsAny \n ranges:\n - min: 1\n max: 65535\n fsGroup:\n rule: MustRunAs # MayRunAs # RunAsAny \n ranges:\n - min: 1\n max: 65535', NULL),
(3, 'se-linux', 'se-linux', 'SYSTEM', 'k8s YAML', '2022-06-27 18:17:20', '2022-06-27 18:17:20', 'apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SE-Linux\nmetadata:\n name: se-linux\nspec:\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n allowedSELinuxOptions:\n - level: s0:c123,c456\n role: object_r\n type: svirt_sandbox_file_t\n user: system_u', NULL),
(4, 'seccomp', 'seccomp', 'SYSTEM', 'k8s YAML', '2022-06-27 18:18:30', '2022-06-27 18:18:30', 'apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: Seccomp\nmetadata:\n name: seccomp\nspec:\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n allowedProfiles:\n - runtime/default\n - docker/default', NULL),
(5, 'read-only-root-filesystem', 'read-only-root-filesystem', 'SYSTEM', 'k8s YAML', '2022-06-27 18:19:10', '2022-06-27 18:19:10', 'apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: Read-Only-Root-Filesystem\nmetadata:\n name: read-only-root-filesystem\nspec:\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]', NULL),
(6, ' proc-mount', ' proc-mount', 'SYSTEM', 'k8s YAML', '2022-06-27 18:19:49', '2022-06-27 18:19:49', 'apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: Proc-Mount\nmetadata:\n name: proc-mount\nspec:\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n procMount: Default', NULL),
(7, 'privileged-container', 'privileged-container', 'SYSTEM', 'k8s YAML', '2022-06-27 18:23:27', '2022-06-27 18:23:27', 'apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: Privileged-Container\nmetadata:\n name: privileged-container\nspec:\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n excludedNamespaces: ["kube-system"]', NULL),
(8, 'linux-capabilities-drop-all', 'linux-capabilities', 'SYSTEM', 'k8s YAML', '2022-06-27 18:24:29', '2022-06-27 18:24:29', 'apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: Linux-Capabilities\nmetadata:\n name: linux-capabilities-drop-all\nspec:\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n requiredDropCapabilities: ["AUDIT_CONTROL","AUDIT_READ","AUDIT_WRITE","BLOCK_SUSPEND","BPF","SYS_ADMIN","CHECKPOINT_RESTORE","SYS_ADMIN","CHOWN","DAC_OVERRIDE","DAC_READ_SEARCH","FOWNER","DAC_OVERRIDE","DAC_READ_SEARCH","FSETID","IPC_LOCK","IPC_OWNER","KILL","LEASE","LINUX_IMMUTABLE","MAC_ADMIN","MAC_OVERRIDE","MKNOD","NET_ADMIN","NET_BIND_SERVICE","NET_BROADCAST","NET_RAW","PERFMON","SYS_ADMIN","SETGID","SETFCAP","SETPCAP","SETPCAP","SETPCAP","SETUID","SYS_ADMIN","SYSLOG","CHECKPOINT_RESTORE","BPF","PERFMON","SYS_ADMIN","SYS_BOOT","SYS_CHROOT","SYS_MODULE","SYS_NICE","SYS_PACCT","SYS_PTRACE","SYS_RAWIO","SYS_RESOURCE","SYS_RESOURCE","SYS_TIME","SYS_TTY_CONFIG","SYSLOG","WAKE_ALARM"]', NULL),
(9, 'host-network-ports', 'host-networking-ports', 'SYSTEM', 'k8s YAML', '2022-06-27 18:25:49', '2022-06-27 18:25:49', 'apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: Host-Networking-Ports\nmetadata:\n name: host-network-ports\nspec:\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n hostNetwork: true\n min: 80\n max: 9000', NULL),
(10, 'host-namespace', 'host-namespace', 'SYSTEM', 'k8s YAML', '2022-06-27 18:26:46', '2022-06-27 18:26:46', 'apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: Host-Namespace\nmetadata:\n name: host-namespace\nspec:\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]', NULL),
(11, 'host-filesystem', 'host-filesystem', 'SYSTEM', 'k8s YAML', '2022-06-27 18:27:19', '2022-06-27 18:27:19', 'apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: Host-Filesystem\nmetadata:\n name: host-filesystem\nspec:\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n allowedHostPaths:\n - readOnly: true\n pathPrefix: "/foo"', NULL),
(12, 'forbidden-sysctls', 'forbidden-sysctls', 'SYSTEM', 'k8s YAML', '2022-06-27 18:28:10', '2022-06-27 18:28:10', 'apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: Forbidden-Sysctls\nmetadata:\n name: forbidden-sysctls\nspec:\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n forbiddenSysctls:\n # - "*" # * may be used to forbid all sysctls\n - kernel.*', NULL),
(13, 'flexvolume-drivers', 'flex-volumes', 'SYSTEM', 'k8s YAML', '2022-06-27 18:28:49', '2022-06-27 18:28:49', 'apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: Flex-Volumes\nmetadata:\n name: flexvolume-drivers\nspec:\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n allowedFlexVolumes: #[]\n - driver: "example/lvm"\n - driver: "example/cifs"', NULL),
(14, 'app-armor', 'app-armor', 'SYSTEM', 'k8s YAML', '2022-06-27 18:29:20', '2022-06-27 18:29:20', 'apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: App-Armor\nmetadata:\n name: app-armor\nspec:\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n allowedProfiles:\n - runtime/default', NULL),
(15, 'allow-privilege-escalation-container', 'allow-privilege-escalation-container', 'SYSTEM', 'k8s YAML', '2022-06-27 18:30:06', '2022-06-27 18:30:06', 'apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: Allow-Privilege-Escalation-Container\nmetadata:\n name: allow-privilege-escalation-container\nspec:\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]', NULL),
(17, 'resource-limit', 'resource-limit', 'SYSTEM', 'k8s YAML', '2022-08-31 00:00:00', '2022-08-31 00:00:00', 'apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: resource-limit\nmetadata:\n name: resource-limit\nspec:\n match:\n kinds:\n - apiGroups: ["apps"]\n kinds: \n - "Deployment"\n - "DaemonSet"\n - "StatefulSet"', 'resource-limit');
/*!40000 ALTER TABLE `opa_gatekeeper_constraint` ENABLE KEYS */;
-- Table structure for policymanager.opa_gatekeeper_constrainttemplate
-- One row per Gatekeeper ConstraintTemplate: `file` holds the template YAML, including the
-- embedded Rego that the admission controller evaluates. Rows in opa_gatekeeper_constraint
-- appear to refer back here via their `ctname` = this table's `name`, but no UNIQUE or
-- FOREIGN KEY constraint backs that link, so duplicate or dangling names are not rejected.
-- Column order differs from the constraint table: `file` comes before `updatetime`, which
-- matters for the column-list-less INSERTs a tool might generate.
-- NOTE(review): whoever can edit `file` here can change the Rego that presumably gets
-- installed into clusters — confirm how the application gates writes to this table.
DROP TABLE IF EXISTS `opa_gatekeeper_constrainttemplate`;
CREATE TABLE IF NOT EXISTS `opa_gatekeeper_constrainttemplate` (
    `id`          BIGINT(20)   NOT NULL AUTO_INCREMENT,
    `name`        VARCHAR(50)  DEFAULT NULL,
    `type`        VARCHAR(50)  DEFAULT NULL,
    `packagetype` VARCHAR(50)  DEFAULT NULL,
    `createtime`  VARCHAR(50)  DEFAULT NULL,  -- text rather than DATETIME: no format validation, lexical ordering
    `file`        MEDIUMTEXT,
    `updatetime`  VARCHAR(50)  DEFAULT NULL,
    `describtion` VARCHAR(100) DEFAULT NULL,  -- sic: the application addresses the column by this spelling
    PRIMARY KEY (`id`)
) ENGINE = InnoDB
  AUTO_INCREMENT = 20
  DEFAULT CHARSET = utf8;
-- Data for policymanager.opa_gatekeeper_constrainttemplate: ~15 rows at export time (estimate)
-- Whole-table DELETE is intentional: the dump replaces the contents (a no-op straight after CREATE).
DELETE FROM `opa_gatekeeper_constrainttemplate`;
/*!40000 ALTER TABLE `opa_gatekeeper_constrainttemplate` DISABLE KEYS */;
INSERT INTO `opa_gatekeeper_constrainttemplate` (`id`, `name`, `type`, `packagetype`, `createtime`, `file`, `updatetime`, `describtion`) VALUES
(1, 'volume-types', 'SYSTEM', 'k8s YAML', '2022-06-27 10:10:10', 'apiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n name: volume-types\n annotations:\n description: Controls usage of volume types.\nspec:\n crd:\n spec:\n names:\n kind: Volume-Types\n validation:\n # Schema for the `parameters` field\n openAPIV3Schema:\n type: object\n properties:\n volumes:\n type: array\n items:\n type: string\n targets:\n - target: admission.k8s.gatekeeper.sh\n rego: |\n package volumetypes\n\n violation[{"msg": msg, "details": {}}] {\n volume_fields := {x | input.review.object.spec.volumes[_][x]; x != "name"}\n field := volume_fields[_]\n not input_volume_type_allowed(field)\n msg := sprintf("The volume type %v is not allowed, pod: %v. Allowed volume types: %v", [field, input.review.object.metadata.name, input.parameters.volumes])\n }\n\n # * may be used to allow all volume types\n input_volume_type_allowed(field) {\n input.parameters.volumes[_] == "*"\n }\n\n input_volume_type_allowed(field) {\n field == input.parameters.volumes[_]\n }', '2022-06-28 12:11:48', 'Controls usage of volume types'),
(2, 'allowed-users', 'SYSTEM', 'k8s YAML', '2022-06-27 11:07:20', 'apiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n name: allowed-users\n annotations:\n description: Controls the user and group IDs of the container.\nspec:\n crd:\n spec:\n names:\n kind: Allowed-Users\n validation:\n openAPIV3Schema:\n type: object\n properties:\n runAsUser:\n type: object\n properties:\n rule:\n type: string\n ranges:\n type: array\n items:\n type: object\n properties:\n min:\n type: integer\n max:\n type: integer\n runAsGroup:\n type: object\n properties:\n rule:\n type: string\n ranges:\n type: array\n items:\n type: object\n properties:\n min:\n type: integer\n max:\n type: integer\n supplementalGroups:\n type: object\n properties:\n rule:\n type: string\n ranges:\n type: array\n items:\n type: object\n properties:\n min:\n type: integer\n max:\n type: integer\n fsGroup:\n type: object\n properties:\n rule:\n type: string\n ranges:\n type: array\n items:\n type: object\n properties:\n min:\n type: integer\n max:\n type: integer\n targets:\n - target: admission.k8s.gatekeeper.sh\n rego: |\n package allowedusers\n\n violation[{"msg": msg}] {\n fields := ["runAsUser", "runAsGroup", "supplementalGroups", "fsGroup"]\n field := fields[_]\n container := input_containers[_]\n msg := get_type_violation(field, container)\n }\n\n get_type_violation(field, container) = msg {\n field == "runAsUser"\n params := input.parameters[field]\n msg := get_user_violation(params, container)\n }\n\n get_type_violation(field, container) = msg {\n field != "runAsUser"\n params := input.parameters[field]\n msg := get_violation(field, params, container)\n }\n\n # RunAsUser (separate due to "MustRunAsNonRoot")\n get_user_violation(params, container) = msg {\n rule := params.rule\n provided_user := get_field_value("runAsUser", container, input.review)\n not accept_users(rule, provided_user)\n msg := sprintf("Container %v is attempting to run as disallowed user %v. 
Allowed runAsUser: %v", [container.name, provided_user, params])\n }\n\n get_user_violation(params, container) = msg {\n not get_field_value("runAsUser", container, input.review)\n params.rule = "MustRunAs"\n msg := sprintf("Container %v is attempting to run without a required securityContext/runAsUser", [container.name])\n }\n\n get_user_violation(params, container) = msg {\n params.rule = "MustRunAsNonRoot"\n not get_field_value("runAsUser", container, input.review)\n not get_field_value("runAsNonRoot", container, input.review)\n msg := sprintf("Container %v is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0", [container.name])\n }\n\n accept_users("RunAsAny", provided_user) {true}\n\n accept_users("MustRunAsNonRoot", provided_user) = res {res := provided_user != 0}\n\n accept_users("MustRunAs", provided_user) = res {\n ranges := input.parameters.runAsUser.ranges\n res := is_in_range(provided_user, ranges)\n }\n\n # Group Options\n get_violation(field, params, container) = msg {\n rule := params.rule\n provided_value := get_field_value(field, container, input.review)\n not is_array(provided_value)\n not accept_value(rule, provided_value, params.ranges)\n msg := sprintf("Container %v is attempting to run as disallowed group %v. Allowed %v: %v", [container.name, provided_value, field, params])\n }\n # SupplementalGroups is array value\n get_violation(field, params, container) = msg {\n rule := params.rule\n array_value := get_field_value(field, container, input.review)\n is_array(array_value)\n provided_value := array_value[_]\n not accept_value(rule, provided_value, params.ranges)\n msg := sprintf("Container %v is attempting to run with disallowed supplementalGroups %v. 
Allowed %v: %v", [container.name, array_value, field, params])\n }\n\n get_violation(field, params, container) = msg {\n not get_field_value(field, container, input.review)\n params.rule == "MustRunAs"\n msg := sprintf("Container %v is attempting to run without a required securityContext/%v. Allowed %v: %v", [container.name, field, field, params])\n }\n\n accept_value("RunAsAny", provided_value, ranges) {true}\n\n accept_value("MayRunAs", provided_value, ranges) = res { res := is_in_range(provided_value, ranges)}\n\n accept_value("MustRunAs", provided_value, ranges) = res { res := is_in_range(provided_value, ranges)}\n\n\n # If container level is provided, that takes precedence\n get_field_value(field, container, review) = out {\n container_value := get_seccontext_field(field, container)\n out := container_value\n }\n\n # If no container level exists, use pod level\n get_field_value(field, container, review) = out {\n not has_seccontext_field(field, container)\n review.kind.kind == "Pod"\n pod_value := get_seccontext_field(field, review.object.spec)\n out := pod_value\n }\n\n # Helper Functions\n is_in_range(val, ranges) = res {\n matching := {1 | val >= ranges[j].min; val <= ranges[j].max}\n res := count(matching) > 0\n }\n\n has_seccontext_field(field, obj) {\n get_seccontext_field(field, obj)\n }\n\n has_seccontext_field(field, obj) {\n get_seccontext_field(field, obj) == false\n }\n\n get_seccontext_field(field, obj) = out {\n out = obj.securityContext[field]\n }\n\n input_containers[c] {\n c := input.review.object.spec.containers[_]\n }\n input_containers[c] {\n c := input.review.object.spec.initContainers[_]\n }\n', '2022-06-28 12:15:06', 'Controls the user and group IDs of the container'),
(3, 'se-linux', 'SYSTEM', 'k8s YAML', '2022-06-27 11:09:34', 'apiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n name: se-linux\n annotations:\n description: Controls the SELinux context of the container.\nspec:\n crd:\n spec:\n names:\n kind: SE-Linux\n validation:\n # Schema for the `parameters` field\n openAPIV3Schema:\n type: object\n properties:\n allowedSELinuxOptions:\n type: array\n items:\n type: object\n properties:\n level:\n type: string\n role:\n type: string\n type:\n type: string\n user:\n type: string\n targets:\n - target: admission.k8s.gatekeeper.sh\n rego: |\n package selinux\n\n # Disallow top level custom SELinux options\n violation[{"msg": msg, "details": {}}] {\n has_field(input.review.object.spec.securityContext, "seLinuxOptions")\n not input_seLinuxOptions_allowed(input.review.object.spec.securityContext.seLinuxOptions)\n msg := sprintf("SELinux options is not allowed, pod: %v. Allowed options: %v", [input.review.object.metadata.name, input.parameters.allowedSELinuxOptions])\n }\n # Disallow container level custom SELinux options\n violation[{"msg": msg, "details": {}}] {\n c := input_security_context[_]\n has_field(c.securityContext, "seLinuxOptions")\n not input_seLinuxOptions_allowed(c.securityContext.seLinuxOptions)\n msg := sprintf("SELinux options is not allowed, pod: %v, container %v. 
Allowed options: %v", [input.review.object.metadata.name, c.name, input.parameters.allowedSELinuxOptions])\n }\n\n input_seLinuxOptions_allowed(options) {\n params := input.parameters.allowedSELinuxOptions[_]\n field_allowed("level", options, params)\n field_allowed("role", options, params)\n field_allowed("type", options, params)\n field_allowed("user", options, params)\n }\n\n field_allowed(field, options, params) {\n params[field] == options[field]\n }\n field_allowed(field, options, params) {\n not has_field(options, field)\n }\n\n input_security_context[c] {\n c := input.review.object.spec.containers[_]\n has_field(c.securityContext, "seLinuxOptions")\n }\n input_security_context[c] {\n c := input.review.object.spec.initContainers[_]\n has_field(c.securityContext, "seLinuxOptions")\n }\n\n # has_field returns whether an object has a field\n has_field(object, field) = true {\n object[field]\n }\n', '2022-06-28 12:15:26', 'Controls the SELinux context of the container'),
(4, 'seccomp', 'SYSTEM', 'k8s YAML', '2022-06-27 11:10:24', 'apiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n name: seccomp\n annotations:\n description: Controls the seccomp profile used by containers.\nspec:\n crd:\n spec:\n names:\n kind: Seccomp\n validation:\n # Schema for the `parameters` field\n openAPIV3Schema:\n type: object\n properties:\n allowedProfiles:\n type: array\n items:\n type: string\n targets:\n - target: admission.k8s.gatekeeper.sh\n rego: |\n package seccomp\n\n violation[{"msg": msg, "details": {}}] {\n metadata := input.review.object.metadata\n not input_wildcard_allowed(metadata)\n container := input_containers[_]\n not input_container_allowed(metadata, container)\n msg := sprintf("Seccomp profile is not allowed, pod: %v, container: %v, Allowed profiles: %v", [metadata.name, container.name, input.parameters.allowedProfiles])\n }\n\n input_wildcard_allowed(metadata) {\n input.parameters.allowedProfiles[_] == "*"\n }\n\n input_container_allowed(metadata, container) {\n not get_container_profile(metadata, container)\n metadata.annotations["seccomp.security.alpha.kubernetes.io/pod"] == input.parameters.allowedProfiles[_]\n }\n\n input_container_allowed(metadata, container) {\n profile := get_container_profile(metadata, container)\n profile == input.parameters.allowedProfiles[_]\n }\n\n get_container_profile(metadata, container) = profile {\n value := metadata.annotations[key]\n startswith(key, "container.seccomp.security.alpha.kubernetes.io/")\n [prefix, name] := split(key, "/")\n name == container.name\n profile = value\n }\n\n input_containers[c] {\n c := input.review.object.spec.containers[_]\n }\n input_containers[c] {\n c := input.review.object.spec.initContainers[_]\n }\n', '2022-06-28 12:15:40', ' Controls the seccomp profile used by containers'),
(5, 'read-only-root-filesystem', 'SYSTEM', 'k8s YAML', '2022-06-27 16:26:41', 'apiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n name: read-only-root-filesystem\n annotations:\n description: Requires the use of a read only root file system.\nspec:\n crd:\n spec:\n names:\n kind: Read-Only-Root-Filesystem\n targets:\n - target: admission.k8s.gatekeeper.sh\n rego: |\n package readonlyrootfilesystem\n\n violation[{"msg": msg, "details": {}}] {\n c := input_containers[_]\n input_read_only_root_fs(c)\n msg := sprintf("only read-only root filesystem container is allowed: %v", [c.name])\n }\n\n input_read_only_root_fs(c) {\n not has_field(c, "securityContext")\n }\n input_read_only_root_fs(c) {\n not c.securityContext.readOnlyRootFilesystem == true\n }\n\n input_containers[c] {\n c := input.review.object.spec.containers[_]\n }\n input_containers[c] {\n c := input.review.object.spec.initContainers[_]\n }\n\n # has_field returns whether an object has a field\n has_field(object, field) = true {\n object[field]\n }', '2022-06-28 12:15:53', 'Requires the use of a read only root file system'),
(6, 'proc-mount', 'SYSTEM', 'k8s YAML', '2022-06-27 16:27:41', 'apiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n name: proc-mount\n annotations:\n description: Controls the allowed `procMount` types for the container.\nspec:\n crd:\n spec:\n names:\n kind: Proc-Mount\n validation:\n # Schema for the `parameters` field\n openAPIV3Schema:\n type: object\n properties:\n procMount:\n type: string\n targets:\n - target: admission.k8s.gatekeeper.sh\n rego: |\n package procmount\n\n violation[{"msg": msg, "details": {}}] {\n c := input_containers[_]\n allowedProcMount := get_allowed_proc_mount(input)\n not input_proc_mount_type_allowed(allowedProcMount, c)\n msg := sprintf("ProcMount type is not allowed, container: %v. Allowed procMount types: %v", [c.name, allowedProcMount])\n }\n\n input_proc_mount_type_allowed(allowedProcMount, c) {\n allowedProcMount == "default"\n lower(c.securityContext.procMount) == "default"\n }\n input_proc_mount_type_allowed(allowedProcMount, c) {\n allowedProcMount == "unmasked"\n }\n\n input_containers[c] {\n c := input.review.object.spec.containers[_]\n c.securityContext.procMount\n }\n input_containers[c] {\n c := input.review.object.spec.initContainers[_]\n c.securityContext.procMount\n }\n\n get_allowed_proc_mount(arg) = out {\n not arg.parameters\n out = "default"\n }\n get_allowed_proc_mount(arg) = out {\n not arg.parameters.procMount\n out = "default"\n }\n get_allowed_proc_mount(arg) = out {\n not valid_proc_mount(arg.parameters.procMount)\n out = "default"\n }\n get_allowed_proc_mount(arg) = out {\n out = lower(arg.parameters.procMount)\n }\n\n valid_proc_mount(str) {\n lower(str) == "default"\n }\n valid_proc_mount(str) {\n lower(str) == "unmasked"\n }', '2022-06-28 12:16:04', ' Controls the allowed `procMount` types for the container'),
(7, 'privileged-container', 'SYSTEM', 'k8s YAML', '2022-06-27 16:32:42', 'apiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n name: privileged-container\n annotations:\n description: Controls running of privileged containers.\nspec:\n crd:\n spec:\n names:\n kind: Privileged-Container\n targets:\n - target: admission.k8s.gatekeeper.sh\n rego: |\n package privileged\n\n violation[{"msg": msg, "details": {}}] {\n c := input_containers[_]\n c.securityContext.privileged\n msg := sprintf("Privileged container is not allowed: %v, securityContext: %v", [c.name, c.securityContext])\n }\n\n input_containers[c] {\n c := input.review.object.spec.containers[_]\n }\n\n input_containers[c] {\n c := input.review.object.spec.initContainers[_]\n }\n', '2022-06-28 12:16:18', ' Controls running of privileged containers'),
(8, 'linux-capabilities', 'SYSTEM', 'k8s YAML', '2022-06-27 16:45:38', 'apiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n name: linux-capabilities\n annotations:\n description: Controls Linux capabilities.\nspec:\n crd:\n spec:\n names:\n kind: Linux-Capabilities\n validation:\n # Schema for the `parameters` field\n openAPIV3Schema:\n type: object\n properties:\n allowedCapabilities:\n type: array\n items:\n type: string\n requiredDropCapabilities:\n type: array\n items:\n type: string\n targets:\n - target: admission.k8s.gatekeeper.sh\n rego: |\n package capabilities\n\n violation[{"msg": msg}] {\n container := input.review.object.spec.containers[_]\n has_disallowed_capabilities(container)\n msg := sprintf("container <%v> has a disallowed capability. Allowed capabilities are %v", [container.name, get_default(input.parameters, "allowedCapabilities", "NONE")])\n }\n\n violation[{"msg": msg}] {\n container := input.review.object.spec.containers[_]\n missing_drop_capabilities(container)\n msg := sprintf("container <%v> is not dropping all required capabilities. Container must drop all of %v", [container.name, input.parameters.requiredDropCapabilities])\n }\n\n\n\n violation[{"msg": msg}] {\n container := input.review.object.spec.initContainers[_]\n has_disallowed_capabilities(container)\n msg := sprintf("init container <%v> has a disallowed capability. Allowed capabilities are %v", [container.name, get_default(input.parameters, "allowedCapabilities", "NONE")])\n }\n\n violation[{"msg": msg}] {\n container := input.review.object.spec.initContainers[_]\n missing_drop_capabilities(container)\n msg := sprintf("init container <%v> is not dropping all required capabilities. 
Container must drop all of %v", [container.name, input.parameters.requiredDropCapabilities])\n }\n\n\n has_disallowed_capabilities(container) {\n allowed := {c | c := input.parameters.allowedCapabilities[_]}\n not allowed["*"]\n capabilities := {c | c := container.securityContext.capabilities.add[_]}\n count(capabilities - allowed) > 0\n }\n\n missing_drop_capabilities(container) {\n must_drop := {c | c := input.parameters.requiredDropCapabilities[_]}\n dropped := {c | c := container.securityContext.capabilities.drop[_]}\n count(must_drop - dropped) > 0\n }\n\n get_default(obj, param, _default) = out {\n out = obj[param]\n }\n\n get_default(obj, param, _default) = out {\n not obj[param]\n not obj[param] == false\n out = _default\n }\n', '2022-06-28 12:16:33', 'Controls Linux capabilities'),
(9, 'host-networking-ports', 'SYSTEM', 'k8s YAML', '2022-06-27 16:50:53', 'apiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n name: host-networking-ports\n annotations:\n description: Controls usage of host networking and ports.\nspec:\n crd:\n spec:\n names:\n kind: Host-Networking-Ports\n validation:\n # Schema for the `parameters` field\n openAPIV3Schema:\n type: object\n properties:\n hostNetwork:\n type: boolean\n min:\n type: integer\n max:\n type: integer\n targets:\n - target: admission.k8s.gatekeeper.sh\n rego: |\n package hostnetworkingports\n\n violation[{"msg": msg, "details": {}}] {\n input_share_hostnetwork(input.review.object)\n msg := sprintf("The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v", [input.review.object.metadata.name, input.parameters])\n }\n\n input_share_hostnetwork(o) {\n not input.parameters.hostNetwork\n o.spec.hostNetwork\n }\n\n input_share_hostnetwork(o) {\n hostPort := input_containers[_].ports[_].hostPort\n hostPort < input.parameters.min\n }\n\n input_share_hostnetwork(o) {\n hostPort := input_containers[_].ports[_].hostPort\n hostPort > input.parameters.max\n }\n\n input_containers[c] {\n c := input.review.object.spec.containers[_]\n }\n\n input_containers[c] {\n c := input.review.object.spec.initContainers[_]\n }', '2022-06-28 12:16:46', 'Controls usage of host networking and ports'),
(10, 'host-namespace', 'SYSTEM', 'k8s YAML', '2022-06-27 16:51:31', 'apiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n name: host-namespace\n annotations:\n description: Controls usage of host namespaces.\nspec:\n crd:\n spec:\n names:\n kind: Host-Namespace\n targets:\n - target: admission.k8s.gatekeeper.sh\n rego: |\n package hostnamespace\n\n violation[{"msg": msg, "details": {}}] {\n input_share_hostnamespace(input.review.object)\n msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name])\n }\n\n input_share_hostnamespace(o) {\n o.spec.hostPID\n }\n input_share_hostnamespace(o) {\n o.spec.hostIPC\n }', '2022-06-28 12:17:00', 'Controls usage of host namespaces'),
(11, 'host-filesystem', 'SYSTEM', 'k8s YAML', '2022-06-27 16:52:01', 'apiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n name: host-filesystem\n annotations:\n description: Controls usage of the host filesystem.\nspec:\n crd:\n spec:\n names:\n kind: Host-Filesystem\n validation:\n # Schema for the `parameters` field\n openAPIV3Schema:\n type: object\n properties:\n allowedHostPaths:\n type: array\n items:\n type: object\n properties:\n readOnly:\n type: boolean\n pathPrefix:\n type: string\n targets:\n - target: admission.k8s.gatekeeper.sh\n rego: |\n package hostfilesystem\n\n violation[{"msg": msg, "details": {}}] {\n volume := input_hostpath_volumes[_]\n allowedPaths := get_allowed_paths(input)\n input_hostpath_violation(allowedPaths, volume)\n msg := sprintf("HostPath volume %v is not allowed, pod: %v. Allowed path: %v", [volume, input.review.object.metadata.name, allowedPaths])\n }\n\n input_hostpath_violation(allowedPaths, volume) {\n # An empty list means all host paths are blocked\n allowedPaths == []\n }\n input_hostpath_violation(allowedPaths, volume) {\n not input_hostpath_allowed(allowedPaths, volume)\n }\n\n get_allowed_paths(arg) = out {\n not arg.parameters\n out = []\n }\n get_allowed_paths(arg) = out {\n not arg.parameters.allowedHostPaths\n out = []\n }\n get_allowed_paths(arg) = out {\n out = arg.parameters.allowedHostPaths\n }\n\n input_hostpath_allowed(allowedPaths, volume) {\n allowedHostPath := allowedPaths[_]\n path_matches(allowedHostPath.pathPrefix, volume.hostPath.path)\n not allowedHostPath.readOnly == true\n }\n\n input_hostpath_allowed(allowedPaths, volume) {\n allowedHostPath := allowedPaths[_]\n path_matches(allowedHostPath.pathPrefix, volume.hostPath.path)\n allowedHostPath.readOnly\n not writeable_input_volume_mounts(volume.name)\n }\n\n writeable_input_volume_mounts(volume_name) {\n container := input_containers[_]\n mount := container.volumeMounts[_]\n mount.name == volume_name\n not mount.readOnly\n 
}\n\n # This allows "/foo", "/foo/", "/foo/bar" etc., but\n # disallows "/fool", "/etc/foo" etc.\n path_matches(prefix, path) {\n a := split(trim(prefix, "/"), "/")\n b := split(trim(path, "/"), "/")\n prefix_matches(a, b)\n }\n prefix_matches(a, b) {\n count(a) <= count(b)\n not any_not_equal_upto(a, b, count(a))\n }\n\n any_not_equal_upto(a, b, n) {\n a[i] != b[i]\n i < n\n }\n\n input_hostpath_volumes[v] {\n v := input.review.object.spec.volumes[_]\n has_field(v, "hostPath")\n }\n\n # has_field returns whether an object has a field\n has_field(object, field) = true {\n object[field]\n }\n input_containers[c] {\n c := input.review.object.spec.containers[_]\n }\n\n input_containers[c] {\n c := input.review.object.spec.initContainers[_]\n }', '2022-06-28 12:17:16', 'Controls usage of the host filesystem'),
(12, 'forbidden-sysctls', 'SYSTEM', 'k8s YAML', '2022-06-27 16:52:36', 'apiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n name: forbidden-sysctls\n annotations:\n description: Controls the `sysctl` profile used by containers.\nspec:\n crd:\n spec:\n names:\n kind: Forbidden-Sysctls\n validation:\n # Schema for the `parameters` field\n openAPIV3Schema:\n type: object\n properties:\n forbiddenSysctls:\n type: array\n items:\n type: string\n targets:\n - target: admission.k8s.gatekeeper.sh\n rego: |\n package forbiddensysctls\n\n violation[{"msg": msg, "details": {}}] {\n sysctl := input.review.object.spec.securityContext.sysctls[_].name\n forbidden_sysctl(sysctl)\n msg := sprintf("The sysctl %v is not allowed, pod: %v. Forbidden sysctls: %v", [sysctl, input.review.object.metadata.name, input.parameters.forbiddenSysctls])\n }\n\n # * may be used to forbid all sysctls\n forbidden_sysctl(sysctl) {\n input.parameters.forbiddenSysctls[_] == "*"\n }\n\n forbidden_sysctl(sysctl) {\n input.parameters.forbiddenSysctls[_] == sysctl\n }\n\n forbidden_sysctl(sysctl) {\n startswith(sysctl, trim(input.parameters.forbiddenSysctls[_], "*"))\n }', '2022-06-28 12:17:30', 'Controls the `sysctl` profile used by containers'),
(13, 'flex-volumes', 'SYSTEM', 'k8s YAML', '2022-06-27 16:53:39', 'apiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n name: flex-volumes\n annotations:\n description: Controls the allowlist of Flexvolume drivers.\nspec:\n crd:\n spec:\n names:\n kind: Flex-Volumes\n validation:\n # Schema for the `parameters` field\n openAPIV3Schema:\n type: object\n properties:\n allowedFlexVolumes:\n type: array\n items:\n type: object\n properties:\n driver:\n type: string\n targets:\n - target: admission.k8s.gatekeeper.sh\n rego: |\n package flexvolumes\n\n violation[{"msg": msg, "details": {}}] {\n volume := input_flexvolumes[_]\n not input_flexvolumes_allowed(volume)\n msg := sprintf("FlexVolume %v is not allowed, pod: %v. Allowed drivers: %v", [volume, input.review.object.metadata.name, input.parameters.allowedFlexVolumes])\n }\n\n input_flexvolumes_allowed(volume) {\n input.parameters.allowedFlexVolumes[_].driver == volume.flexVolume.driver\n }\n\n input_flexvolumes[v] {\n v := input.review.object.spec.volumes[_]\n has_field(v, "flexVolume")\n }\n\n # has_field returns whether an object has a field\n has_field(object, field) = true {\n object[field]\n }', '2022-06-28 12:17:43', 'Controls the allowlist of Flexvolume drivers'),
(14, 'app-armor', 'SYSTEM', 'k8s YAML', '2022-06-27 16:54:17', 'apiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n name: app-armor\n annotations:\n description: Controls the AppArmor profile used by containers.\nspec:\n crd:\n spec:\n names:\n kind: App-Armor\n validation:\n # Schema for the `parameters` field\n openAPIV3Schema:\n type: object\n properties:\n allowedProfiles:\n type: array\n items:\n type: string\n targets:\n - target: admission.k8s.gatekeeper.sh\n rego: |\n package apparmor\n\n violation[{"msg": msg, "details": {}}] {\n metadata := input.review.object.metadata\n container := input_containers[_]\n not input_apparmor_allowed(container, metadata)\n msg := sprintf("AppArmor profile is not allowed, pod: %v, container: %v. Allowed profiles: %v", [input.review.object.metadata.name, container.name, input.parameters.allowedProfiles])\n }\n\n input_apparmor_allowed(container, metadata) {\n metadata.annotations[key] == input.parameters.allowedProfiles[_]\n key == sprintf("container.apparmor.security.beta.kubernetes.io/%v", [container.name])\n }\n\n input_containers[c] {\n c := input.review.object.spec.containers[_]\n }\n input_containers[c] {\n c := input.review.object.spec.initContainers[_]\n }', '2022-06-28 12:18:00', 'Controls the AppArmor profile used by containers'),
(15, 'allow-privilege-escalation-container', 'SYSTEM', 'k8s YAML', '2022-06-27 16:54:48', 'apiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n name: allow-privilege-escalation-container\n annotations:\n description: Controls restricting escalation to root privileges.\nspec:\n crd:\n spec:\n names:\n kind: Allow-Privilege-Escalation-Container\n targets:\n - target: admission.k8s.gatekeeper.sh\n rego: |\n package allowprivilegeescalationcontainer\n\n violation[{"msg": msg, "details": {}}] {\n c := input_containers[_]\n input_allow_privilege_escalation(c)\n msg := sprintf("Privilege escalation container is not allowed: %v", [c.name])\n }\n\n input_allow_privilege_escalation(c) {\n not has_field(c, "securityContext")\n }\n input_allow_privilege_escalation(c) {\n not c.securityContext.allowPrivilegeEscalation == false\n }\n input_containers[c] {\n c := input.review.object.spec.containers[_]\n }\n input_containers[c] {\n c := input.review.object.spec.initContainers[_]\n }\n # has_field returns whether an object has a field\n has_field(object, field) = true {\n object[field]\n }', '2022-06-28 12:18:13', 'Controls restricting escalation to root privileges'),
(17, 'resource-limit', 'SYSTEM', 'k8s YAML', '2022-08-31 00:00:00', 'apiVersion: templates.gatekeeper.sh/v1beta1\nkind: ConstraintTemplate\nmetadata:\n name: resource-limit\nspec:\n crd:\n spec:\n names:\n kind: resource-limit\n targets:\n - target: admission.k8s.gatekeeper.sh\n rego: |\n package limit\n resources_defined(x){\n x.resources;\n x.resources.limits;\n x.resources.requests\n }\n violation[{"msg": msg}] {\n ctr_list := input.review.object.spec.template.spec.containers\n some i\n ctr = ctr_list[i]\n not resources_defined(ctr)\n msg = sprintf("\'%v\'containers without \'resource\' fields.",[ctr.name])\n }', '2022-08-31 00:00:00', 'resource-limit');
/*!40000 ALTER TABLE `opa_gatekeeper_constrainttemplate` ENABLE KEYS */;
-- 导出 表 policymanager.opa_gatekeeper_policies 结构
DROP TABLE IF EXISTS `opa_gatekeeper_policies`;
-- Policies assembled from the constraint templates above and pushed to a
-- cluster; the status column tracks whether that push succeeded.
-- Every column except id is nullable free text: no NOT NULL, no UNIQUE on
-- name, no FOREIGN KEY, no ENUM/CHECK on status. Integrity is entirely the
-- application's job, so mind that when reviewing the writer side.
CREATE TABLE IF NOT EXISTS `opa_gatekeeper_policies` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
-- no UNIQUE index: two policies may share a name
`name` varchar(50) DEFAULT NULL,
`version` varchar(50) DEFAULT NULL,
-- NOTE(review): the name suggests a delimited list of constraint names in one
-- column; if so, 100 chars holds only a couple of them, and under MySQL's
-- non-strict sql_mode a longer value is silently truncated rather than
-- rejected -- confirm against the writer and widen to TEXT if that is the case
`constraintlist` varchar(100) DEFAULT NULL,
-- meaning not evident from the schema
`process` varchar(50) DEFAULT NULL,
-- spelling of the column name is the one the application uses; kept as-is
`describtion` varchar(100) DEFAULT NULL,
-- timestamps stored as text, not DATETIME: ordering and comparison are
-- lexical, which only works while every writer uses one fixed format.
-- The sibling constrainttemplate rows use 'YYYY-MM-DD HH:MM:SS'; presumably
-- this table does too -- verify against the application
`createtime` varchar(50) DEFAULT NULL,
`updatetime` varchar(50) DEFAULT NULL,
-- the sibling constrainttemplate rows carry 'k8s YAML' in a similar slot;
-- presumably the same vocabulary -- verify
`type` varchar(50) DEFAULT NULL,
-- The COMMENT below lists the expected values: newly created, deployed
-- successfully, deployment failed. Nothing enforces them: any string is
-- accepted, so a misspelled status will not match the application's checks.
`status` varchar(50) DEFAULT NULL COMMENT '策略新建、部署成功、部署失败',
-- target cluster referenced by name, not by cluster id, and without a
-- FOREIGN KEY: renaming or deleting a cluster leaves dangling policies
`clustername` varchar(50) DEFAULT NULL,
PRIMARY KEY (`id`)
-- AUTO_INCREMENT seed carried over from the source database: although no
-- rows are exported below, ids assigned after import start at 12
) ENGINE=InnoDB AUTO_INCREMENT=12 DEFAULT CHARSET=utf8;
-- Exporting data for table policymanager.opa_gatekeeper_policies: ~0 rows (approximately)
-- intentional whole-table clear before the (here empty) data reload
DELETE FROM `opa_gatekeeper_policies`;
-- MySQL versioned comments, executed by MySQL 4.0+ and ignored elsewhere;
-- DISABLE/ENABLE KEYS defers index maintenance during a bulk load, which
-- has no effect on an InnoDB table (the server only reports a note)
/*!40000 ALTER TABLE `opa_gatekeeper_policies` DISABLE KEYS */;
/*!40000 ALTER TABLE `opa_gatekeeper_policies` ENABLE KEYS */;
-- 导出 表 policymanager.policyrepositiory 结构
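DROP TABLE IF EXISTS `policyrepositiory`;
-- Remote policy repositories together with a public key, presumably used to
-- verify what is fetched from them -- confirm against the fetch code.
-- The table name's spelling ("repositiory") is kept: the application
-- addresses the table by this name.
-- url and publickey were widened from varchar(50). Under MySQL's non-strict
-- sql_mode an oversized value is silently truncated rather than rejected, and
-- a truncated verification key is the worst case for a security control: it
-- can never verify anything, and whether the application then fails closed
-- or skips verification is not visible from the schema.
CREATE TABLE IF NOT EXISTS `policyrepositiory` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`name` varchar(50) DEFAULT NULL,
-- repository URL; 50 chars is exhausted as soon as a host, path and ref are present
`url` varchar(2048) DEFAULT NULL,
-- verification key material. 50 chars holds at most a bare base64 Ed25519
-- key; any PEM-encoded key, and any RSA or ECDSA key, is far longer.
`publickey` text,
PRIMARY KEY (`id`)
-- the former secondary index KEY `id` (`id`) duplicated the PRIMARY KEY and was dropped
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-- Exporting data for table policymanager.policyrepositiory: ~0 rows (approximately)
-- intentional whole-table clear before the (here empty) data reload
DELETE FROM `policyrepositiory`;
-- MySQL versioned comments (MySQL 4.0+ only); DISABLE/ENABLE KEYS has no
-- effect on an InnoDB table beyond a server note, harmless here
/*!40000 ALTER TABLE `policyrepositiory` DISABLE KEYS */;
/*!40000 ALTER TABLE `policyrepositiory` ENABLE KEYS */;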
-- Restore the session settings the dump saved into @OLD_* variables and
-- overrode at the top of the file. These are MySQL versioned comments
-- (/*!NNNNN ... */): executed by MySQL servers at or above that version,
-- treated as plain comments elsewhere. The IFNULL/IF fallbacks keep the
-- statements valid even if the @OLD_* variables were never set (for example
-- when only part of the file is replayed).
/*!40101 SET SQL_MODE=IFNULL(@OLD_SQL_MODE, '') */;
-- Foreign-key checks were off for the whole load; none of the tables visible
-- in this section declares a FOREIGN KEY, so nothing was bypassed on their
-- account. Default back to 1 (checks on) if the saved value is missing.
/*!40014 SET FOREIGN_KEY_CHECKS=IF(@OLD_FOREIGN_KEY_CHECKS IS NULL, 1, @OLD_FOREIGN_KEY_CHECKS) */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;