Fixing evaluation logic in C-0044 and execution safety in C-0048

.github/workflows/main.yaml

@@ -19,12 +19,14 @@ jobs:
       id: minikube
       uses: slashben/setup-minikube@master
       with:
-          kubernetes-version: v1.30.0
+          kubernetes-version: v1.31.1
           container-runtime: containerd
     - uses: actions/setup-python@v4
       with:
         python-version: '3.10'
     - uses: azure/setup-kubectl@v3
+      with:
+        kubernetes-version: v1.31.1
     - name: Running all control policy tests
       run: |
         pip install --upgrade pip

.github/workflows/release.yaml

@@ -20,6 +20,8 @@ jobs:
           git merge-base --is-ancestor ${GITHUB_REF##*/} origin/main && echo "${GITHUB_REF##*/} is a commit on main!"
 
       - uses: azure/setup-kubectl@v3
+        with:
+          kubernetes-version: v1.31.1
 
       - name: Create release artifacts
         run: |

controls/C-0013/policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1alpha1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
   name: "kubescape-c-0013-deny-resources-with-capability-to-run-as-root"
@@ -19,59 +19,59 @@ spec:
       operations:  ["CREATE", "UPDATE"]
       resources:   ["jobs","cronjobs"]
   validations:
-    - expression: > 
+    - expression: >
         object.kind != 'Pod' || object.spec.containers.all(container,
           (
             (
-              has(container.securityContext) && 
-              has(container.securityContext.allowPrivilegeEscalation) && 
+              has(container.securityContext) &&
+              has(container.securityContext.allowPrivilegeEscalation) &&
               container.securityContext.allowPrivilegeEscalation == false
             ) ||
             (
               (
                 !has(container.securityContext) || !has(container.securityContext.allowPrivilegeEscalation)
               ) &&
               (
-                has(object.spec.securityContext) && 
-                has(object.spec.securityContext.allowPrivilegeEscalation) && 
+                has(object.spec.securityContext) &&
+                has(object.spec.securityContext.allowPrivilegeEscalation) &&
                 object.spec.securityContext.allowPrivilegeEscalation == false
               )
             )
           ) &&
           (
             (
               (
-                has(container.securityContext) && 
-                has(container.securityContext.runAsNonRoot) && 
+                has(container.securityContext) &&
+                has(container.securityContext.runAsNonRoot) &&
                 container.securityContext.runAsNonRoot == true
               ) ||
               (
                 (
                   !has(container.securityContext) || !has(container.securityContext.runAsNonRoot)
                 ) &&
                 (
-                  has(object.spec.securityContext) && 
-                  has(object.spec.securityContext.runAsNonRoot) && 
+                  has(object.spec.securityContext) &&
+                  has(object.spec.securityContext.runAsNonRoot) &&
                   object.spec.securityContext.runAsNonRoot == true
                 )
-              )  
+              )
             ) ||
             (
               (
-                has(container.securityContext) && 
-                has(container.securityContext.runAsUser) && 
+                has(container.securityContext) &&
+                has(container.securityContext.runAsUser) &&
                 container.securityContext.runAsUser != 0
               ) ||
               (
                 (
                   !has(container.securityContext) || !has(container.securityContext.runAsUser)
                 ) &&
                 (
-                  has(object.spec.securityContext) && 
-                  has(object.spec.securityContext.runAsUser) && 
+                  has(object.spec.securityContext) &&
+                  has(object.spec.securityContext.runAsUser) &&
                   object.spec.securityContext.runAsUser != 0
                 )
-              )  
+              )
             )
           )
         )
@@ -81,55 +81,55 @@ spec:
         ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container,
           (
             (
-              has(container.securityContext) && 
-              has(container.securityContext.allowPrivilegeEscalation) && 
+              has(container.securityContext) &&
+              has(container.securityContext.allowPrivilegeEscalation) &&
               container.securityContext.allowPrivilegeEscalation == false
             ) ||
             (
               (
                 !has(container.securityContext) || !has(container.securityContext.allowPrivilegeEscalation)
               ) &&
               (
-                has(object.spec.template.spec.securityContext) && 
-                has(object.spec.template.spec.securityContext.allowPrivilegeEscalation) && 
+                has(object.spec.template.spec.securityContext) &&
+                has(object.spec.template.spec.securityContext.allowPrivilegeEscalation) &&
                 object.spec.template.spec.securityContext.allowPrivilegeEscalation == false
               )
             )
           ) &&
           (
             (
               (
-                has(container.securityContext) && 
-                has(container.securityContext.runAsNonRoot) && 
+                has(container.securityContext) &&
+                has(container.securityContext.runAsNonRoot) &&
                 container.securityContext.runAsNonRoot == true
               ) ||
               (
                 (
                   !has(container.securityContext) || !has(container.securityContext.runAsNonRoot)
                 ) &&
                 (
-                  has(object.spec.template.spec.securityContext) && 
-                  has(object.spec.template.spec.securityContext.runAsNonRoot) && 
+                  has(object.spec.template.spec.securityContext) &&
+                  has(object.spec.template.spec.securityContext.runAsNonRoot) &&
                   object.spec.template.spec.securityContext.runAsNonRoot == true
                 )
-              )  
+              )
             ) ||
             (
               (
-                has(container.securityContext) && 
-                has(container.securityContext.runAsUser) && 
+                has(container.securityContext) &&
+                has(container.securityContext.runAsUser) &&
                 container.securityContext.runAsUser != 0
               ) ||
               (
                 (
                   !has(container.securityContext) || !has(container.securityContext.runAsUser)
                 ) &&
                 (
-                  has(object.spec.template.spec.securityContext) && 
-                  has(object.spec.template.spec.securityContext.runAsUser) && 
+                  has(object.spec.template.spec.securityContext) &&
+                  has(object.spec.template.spec.securityContext.runAsUser) &&
                   object.spec.template.spec.securityContext.runAsUser != 0
                 )
-              )  
+              )
             )
           )
         )
@@ -139,55 +139,55 @@ spec:
         object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container,
           (
             (
-              has(container.securityContext) && 
-              has(container.securityContext.allowPrivilegeEscalation) && 
+              has(container.securityContext) &&
+              has(container.securityContext.allowPrivilegeEscalation) &&
               container.securityContext.allowPrivilegeEscalation == false
             ) ||
             (
               (
                 !has(container.securityContext) || !has(container.securityContext.allowPrivilegeEscalation)
               ) &&
               (
-                has(object.spec.jobTemplate.spec.securityContext) && 
-                has(object.spec.jobTemplate.spec.securityContext.allowPrivilegeEscalation) && 
+                has(object.spec.jobTemplate.spec.securityContext) &&
+                has(object.spec.jobTemplate.spec.securityContext.allowPrivilegeEscalation) &&
                 object.spec.jobTemplate.spec.securityContext.allowPrivilegeEscalation == false
               )
             )
           ) &&
           (
             (
               (
-                has(container.securityContext) && 
-                has(container.securityContext.runAsNonRoot) && 
+                has(container.securityContext) &&
+                has(container.securityContext.runAsNonRoot) &&
                 container.securityContext.runAsNonRoot == true
               ) ||
               (
                 (
                   !has(container.securityContext) || !has(container.securityContext.runAsNonRoot)
                 ) &&
                 (
-                  has(object.spec.jobTemplate.spec.securityContext) && 
-                  has(object.spec.jobTemplate.spec.securityContext.runAsNonRoot) && 
+                  has(object.spec.jobTemplate.spec.securityContext) &&
+                  has(object.spec.jobTemplate.spec.securityContext.runAsNonRoot) &&
                   object.spec.jobTemplate.spec.securityContext.runAsNonRoot == true
                 )
-              )  
+              )
             ) ||
             (
               (
-                has(container.securityContext) && 
-                has(container.securityContext.runAsUser) && 
+                has(container.securityContext) &&
+                has(container.securityContext.runAsUser) &&
                 container.securityContext.runAsUser != 0
               ) ||
               (
                 (
                   !has(container.securityContext) || !has(container.securityContext.runAsUser)
                 ) &&
                 (
-                  has(object.spec.jobTemplate.spec.securityContext) && 
-                  has(object.spec.jobTemplate.spec.securityContext.runAsUser) && 
+                  has(object.spec.jobTemplate.spec.securityContext) &&
+                  has(object.spec.jobTemplate.spec.securityContext.runAsUser) &&
                   object.spec.jobTemplate.spec.securityContext.runAsUser != 0
                 )
-              )  
+              )
             )
           )
         )

controls/C-0044/policy.yaml

@@ -23,9 +23,9 @@ spec:
       operations:  ["CREATE", "UPDATE"]
       resources:   ["jobs","cronjobs"]
   validations:
-    - expression: "object.kind != 'Pod' || object.spec.containers.all(container, !(has(container.ports)) || !(container.ports.all(port, has(port.hostPort))))"
+    - expression: "object.kind != 'Pod' || !object.spec.containers.exists(container, has(container.ports) && container.ports.exists(port, has(port.hostPort)))"
       message: "One or more containers in the Pod has Host-port! (see more at https://hub.armosec.io/docs/c-0044)"
-    - expression: "['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container, !(has(container.ports)) || !(container.ports.all(port, has(port.hostPort))))"
+    - expression: "['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || !object.spec.template.spec.containers.exists(container, has(container.ports) && container.ports.exists(port, has(port.hostPort)))"
       message: "One or more containers in the Workload has Host-port! (see more at https://hub.armosec.io/docs/c-0044)"
-    - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container, !(has(container.ports)) || !(container.ports.all(port, has(port.hostPort))))"
+    - expression: "object.kind != 'CronJob' || !object.spec.jobTemplate.spec.containers.exists(container, has(container.ports) && container.ports.exists(port, has(port.hostPort)))"
       message: "One or more containers in the CronJob has Host-port! (see more at https://hub.armosec.io/docs/c-0044)"

controls/C-0048/policy.yaml

@@ -23,9 +23,9 @@ spec:
       operations:  ["CREATE", "UPDATE"]
       resources:   ["jobs","cronjobs"]
   validations:
-    - expression: "object.kind != 'Pod' || object.spec.volumes.all(vol, !(has(vol.hostPath)))"
+    - expression: "object.kind != 'Pod' || !has(object.spec.volumes) || object.spec.volumes.all(vol, !(has(vol.hostPath)))"
       message: "There are one or more hostPath mounts in the Pod! (see more at https://hub.armosec.io/docs/c-0048)"
-    - expression: "['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.volumes.all(vol, !(has(vol.hostPath)))"
+    - expression: "['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || !has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(vol, !(has(vol.hostPath)))"
       message: "There are one or more hostPath mounts in the Workload! (see more at https://hub.armosec.io/docs/c-0048)"
-    - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.volumes.all(vol, !(has(vol.hostPath)))"
+    - expression: "object.kind != 'CronJob' || !has(object.spec.jobTemplate.spec.volumes) || object.spec.jobTemplate.spec.volumes.all(vol, !(has(vol.hostPath)))"
       message: "There are one or more hostPath mounts in the CronJob! (see more at https://hub.armosec.io/docs/c-0048)"

scripts/cluster.yaml

@@ -5,4 +5,4 @@ runtimeConfig:
   "admissionregistration.k8s.io/v1beta1": true
 nodes:
 - role: control-plane
-  image: kindest/node:v1.28.0
+  image: kindest/node:v1.31.1

tools/celcli/celcli.go

@@ -9,7 +9,6 @@ import (
 
 	"github.com/google/cel-go/cel"
 	"gopkg.in/yaml.v3"
-	"k8s.io/apiserver/pkg/cel/library"
 )
 
 func main() {
@@ -46,7 +45,6 @@ func main() {
 	var opts []cel.EnvOption
 	opts = append(opts, cel.Variable("object", cel.DynType))
 	opts = append(opts, cel.Variable("params", cel.DynType))
-	opts = append(opts, library.ExtensionLibs...)
 	env, err := cel.NewEnv(opts...)
 	if err != nil {
 		log.Fatalf("environment creation error: %s", err)

tools/celcli/go.mod

@@ -1,18 +1,26 @@
 module celcli
 
-go 1.19
+go 1.23.0
+
+toolchain go1.23.4
 
 require (
-	github.com/google/cel-go v0.13.0
+	github.com/google/cel-go v0.23.1
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/apiserver v0.26.0
 )
 
 require (
-	github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 // indirect
-	github.com/stoewer/go-strcase v1.2.0 // indirect
-	golang.org/x/text v0.5.0 // indirect
-	google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
-	k8s.io/apimachinery v0.26.0 // indirect
+	cel.dev/expr v0.19.1 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/kr/pretty v0.3.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/rogpeppe/go-internal v1.12.0 // indirect
+	github.com/stoewer/go-strcase v1.3.0 // indirect
+	github.com/stretchr/testify v1.9.0 // indirect
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250124145028-65684f501c47 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250124145028-65684f501c47 // indirect
+	google.golang.org/protobuf v1.36.4 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 )