@@ -29,11 +29,10 @@ spec:
2929 value : " {{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
3030 patchesJson6902 : |-
3131 - op: add
32- path: /spec/template/spec/containers/{{elementIndex}}/securityContext
32+ path: /spec/template/spec/containers/{{elementIndex}}/securityContext/capabilities
3333 value:
34- capabilities:
35- drop:
36- - ALL
34+ drop:
35+ - ALL
3736list : request.object.spec.template.spec.initContainers[]
3837 order : Descending
3938 preconditions :
@@ -43,11 +42,10 @@ spec:
4342 value : " {{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
4443 patchesJson6902 : |-
4544 - op: add
46- path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext
45+ path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext/capabilities
4746 value:
48- capabilities:
49- drop:
50- - ALL
47+ drop:
48+ - ALL
5149list : request.object.spec.template.spec.ephemeralContainers[]
5250 order : Descending
5351 preconditions :
5755 value : " {{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
5856 patchesJson6902 : |-
5957 - op: add
60- path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext
58+ path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities
6159 value:
62- capabilities:
63- drop:
64- - ALL
60+ drop:
61+ - ALL
62+ name : restrict-adding-capabilities-other-than-net-bind-service
63+ match :
64+ resources :
65+ kinds :
66+ - Deployment
67+ - StatefulSet
68+ - Job
69+ - DaemonSet
70+ mutate :
71+ foreach :
72+ - list : request.object.spec.template.spec.containers[]
73+ order : Descending
74+ preconditions :
75+ all :
76+ - key : NET_BIND_RAW
77+ operator : AnyNotIn
78+ value : " {{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
79+ patchesJson6902 : |-
80+ - op: remove
81+ path: /spec/template/spec/containers/{{elementIndex}}/securityContext/capabilities/add
82+
83+ - list : request.object.spec.template.spec.containers[]
84+ order : Descending
85+ preconditions :
86+ all :
87+ - key : NET_BIND_RAW
88+ operator : In
89+ value : " {{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
90+ patchesJson6902 : |-
91+ - op: replace
92+ path: /spec/template/spec/containers/{{elementIndex}}/securityContext/capabilities/add
93+ value:
94+ - NET_BIND_RAW
95+
96+ - list : request.object.spec.template.spec.initContainers[]
97+ order : Descending
98+ preconditions :
99+ all :
100+ - key : NET_BIND_RAW
101+ operator : AnyNotIn
102+ value : " {{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
103+ patchesJson6902 : |-
104+ - op: remove
105+ path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext/capabilities/add
106+
107+ - list : request.object.spec.template.spec.initContainers[]
108+ order : Descending
109+ preconditions :
110+ all :
111+ - key : NET_BIND_RAW
112+ operator : In
113+ value : " {{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
114+ patchesJson6902 : |-
115+ - op: replace
116+ path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext/capabilities/add
117+ value:
118+ - NET_BIND_RAW
119+
120+ - list : request.object.spec.template.spec.ephemeralContainers[]
121+ order : Descending
122+ preconditions :
123+ all :
124+ - key : NET_BIND_RAW
125+ operator : AnyNotIn
126+ value : " {{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
127+ patchesJson6902 : |-
128+ - op: remove
129+ path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities/add
130+
131+ - list : request.object.spec.template.spec.ephemeralContainers[]
132+ order : Descending
133+ preconditions :
134+ all :
135+ - key : NET_BIND_RAW
136+ operator : In
137+ value : " {{ element.securityContext.capabilities.add[].to_upper(@) || `[]` }}"
138+ patchesJson6902 : |-
139+ - op: replace
140+ path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities/add
141+ value:
142+ - NET_BIND_RAW
0 commit comments