Today the following YAML runs no matter what.

```yaml
apiVersion: mutations.gatekeeper.sh/v1beta1
kind: Assign
metadata:
  name: container-drop-net-raw
spec:
  match:
    scope: Namespaced
    kinds:
    - apiGroups: ["*"]
      kinds: ["Pod"]
  applyTo:
  - groups: [""]
    versions: ["v1"]
    kinds: ["Pod"]
  location: "spec.containers[name:*].securityContext.capabilities.drop"
  parameters:
    assign:
      value:
      - NET_RAW
```
But what happens if the user provides an even better value, say `ALL`?

This could be written as something like:

```yaml
apiVersion: mutations.gatekeeper.sh/v1beta1
kind: Assign
metadata:
  name: container-drop-net-raw
spec:
  match:
    scope: Namespaced
    kinds:
    - apiGroups: ["*"]
      kinds: ["Pod"]
  applyTo:
  - groups: [""]
    versions: ["v1"]
    kinds: ["Pod"]
  location: "spec.containers[name:*].securityContext.capabilities.drop"
  parameters:
    assign:
      value:
      - NET_RAW
    pathTests:
    - subPath: "spec.containers[name:*].securityContext.capabilities.drop[ALL]"
      condition: MustNotExist
```
I'm not sure how the array should look, but something like this.
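The following is an added example, not Gatekeeper code: a small Python simulation of what the two manifests above do to a Pod. It assumes Assign semantics where the value at `location` replaces whatever is there, and models the requested `MustNotExist` pathTest as a per-container predicate; the sample Pod and the helper names are constructed for the demonstration.

```python
from copy import deepcopy
from typing import Callable

LOCATION_KEYS = ("securityContext", "capabilities", "drop")


def drop_list(container: dict):
    """Return capabilities.drop for a container, or None if any key is absent."""
    node = container
    for key in LOCATION_KEYS:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def drop_must_not_contain(cap: str) -> Callable[[dict], bool]:
    """Predicate modelling 'subPath: ...drop[<cap>], condition: MustNotExist'."""
    def test(container: dict) -> bool:
        drop = drop_list(container)
        return drop is None or cap not in drop
    return test


def apply_assign(pod: dict, value: list, path_tests=()) -> dict:
    """Apply the Assign from the issue to every container (name:*).

    As with Gatekeeper's Assign, the value at the location is replaced, so
    without pathTests a container that already drops ALL ends up dropping
    only NET_RAW.  A container that fails any pathTest is left untouched.
    """
    out = deepcopy(pod)
    for container in out.get("spec", {}).get("containers", []):
        if not all(test(container) for test in path_tests):
            continue  # pathTest failed: skip this container
        caps = container.setdefault("securityContext", {}).setdefault("capabilities", {})
        caps["drop"] = list(value)
    return out


# Constructed sample Pod (not from the issue): one hardened, one partial, one bare container.
SAMPLE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"}, "spec": {"containers": [
    {"name": "hardened", "securityContext": {"capabilities": {"drop": ["ALL"]}}},
    {"name": "partial", "securityContext": {"capabilities": {"drop": ["SYS_ADMIN"]}}},
    {"name": "bare"},
]}}


def drops_after(pod: dict, name: str) -> list:
    """Helper: capabilities.drop of the named container (empty list if none)."""
    for c in pod["spec"]["containers"]:
        if c["name"] == name:
            return drop_list(c) or []
    raise KeyError(name)
```

Running `apply_assign(SAMPLE_POD, ["NET_RAW"])` turns the hardened container's `["ALL"]` into `["NET_RAW"]`, while adding `[drop_must_not_contain("ALL")]` as the pathTest leaves it alone and still mutates the other two.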