feat: update .Header.Resources to a string array (#519)

Signed-off-by: Hiroshi Muraoka <[email protected]>
plexsystems · Jul 14, 2024 · 4520cbe · 4520cbe
1 parent 72d145b
commit 4520cbe
Show file tree

Hide file tree

Showing 4 changed files with 225 additions and 54 deletions.
diff --git a/examples/policies-no-rego.md b/examples/policies-no-rego.md
@@ -33,7 +33,9 @@
 
 **Severity:** Violation
 
-**Resources:** Any Resource
+**Resources:**
+
+- Any Resource
 
 **Parameters:**
 
@@ -49,7 +51,12 @@ _source: [required-labels](required-labels)_
 
 **Severity:** Violation
 
-**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet
+**Resources:**
+
+- core/Pod
+- apps/DaemonSet
+- apps/Deployment
+- apps/StatefulSet
 
 Granting containers privileged capabilities on the node makes it easier
 for containers to escalate their privileges. As such, this is not allowed
@@ -62,7 +69,12 @@ _source: [container-deny-added-caps](container-deny-added-caps)_
 
 **Severity:** Violation
 
-**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet
+**Resources:**
+
+- core/Pod
+- apps/DaemonSet
+- apps/Deployment
+- apps/StatefulSet
 
 Privileged containers can much more easily obtain root on the node.
 As such, they are not allowed.
@@ -74,7 +86,12 @@ _source: [container-deny-escalation](container-deny-escalation)_
 
 **Severity:** Violation
 
-**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet
+**Resources:**
+
+- core/Pod
+- apps/DaemonSet
+- apps/Deployment
+- apps/StatefulSet
 
 Privileged containers can easily escalate to root privileges on the node. As
 such containers running as privileged or with sufficient capabilities granted
@@ -87,7 +104,12 @@ _source: [container-deny-privileged](container-deny-privileged)_
 
 **Severity:** Violation
 
-**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet
+**Resources:**
+
+- core/Pod
+- apps/DaemonSet
+- apps/Deployment
+- apps/StatefulSet
 
 Pods that can change aliases in the host's /etc/hosts file can redirect traffic to malicious servers.
 
@@ -98,7 +120,12 @@ _source: [pod-deny-host-alias](pod-deny-host-alias)_
 
 **Severity:** Violation
 
-**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet
+**Resources:**
+
+- core/Pod
+- apps/DaemonSet
+- apps/Deployment
+- apps/StatefulSet
 
 Pods that are allowed to access the host IPC can read memory of
 the other containers, breaking that security boundary.
@@ -110,7 +137,12 @@ _source: [pod-deny-host-ipc](pod-deny-host-ipc)_
 
 **Severity:** Violation
 
-**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet
+**Resources:**
+
+- core/Pod
+- apps/DaemonSet
+- apps/Deployment
+- apps/StatefulSet
 
 Pods that can access the host's network interfaces can potentially
 access and tamper with traffic the pod should not have access to.
@@ -122,7 +154,12 @@ _source: [pod-deny-host-network](pod-deny-host-network)_
 
 **Severity:** Violation
 
-**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet
+**Resources:**
+
+- core/Pod
+- apps/DaemonSet
+- apps/Deployment
+- apps/StatefulSet
 
 Pods that can access the host's process tree can view and attempt to
 modify processes outside of their namespace, breaking that security
@@ -135,7 +172,12 @@ _source: [pod-deny-host-pid](pod-deny-host-pid)_
 
 **Severity:** Violation
 
-**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet
+**Resources:**
+
+- core/Pod
+- apps/DaemonSet
+- apps/Deployment
+- apps/StatefulSet
 
 Pods running as root (uid of 0) can much more easily escalate privileges
 to root on the node. As such, they are not allowed.
@@ -147,7 +189,9 @@ _source: [pod-deny-without-runasnonroot](pod-deny-without-runasnonroot)_
 
 **Severity:** Violation
 
-**Resources:** policy/PodSecurityPolicy
+**Resources:**
+
+- policy/PodSecurityPolicy
 
 Allowing containers privileged capabilities on the node makes it easier
 for containers to escalate their privileges. As such, this is not allowed
@@ -160,7 +204,9 @@ _source: [psp-deny-added-caps](psp-deny-added-caps)_
 
 **Severity:** Violation
 
-**Resources:** policy/PodSecurityPolicy
+**Resources:**
+
+- policy/PodSecurityPolicy
 
 Allowing privileged containers can much more easily obtain root on the node.
 As such, they are not allowed.
@@ -172,7 +218,9 @@ _source: [psp-deny-escalation](psp-deny-escalation)_
 
 **Severity:** Violation
 
-**Resources:** policy/PodSecurityPolicy
+**Resources:**
+
+- policy/PodSecurityPolicy
 
 Allowing pods to can change aliases in the host's /etc/hosts file can
 redirect traffic to malicious servers.
@@ -184,7 +232,9 @@ _source: [psp-deny-host-alias](psp-deny-host-alias)_
 
 **Severity:** Violation
 
-**Resources:** policy/PodSecurityPolicy
+**Resources:**
+
+- policy/PodSecurityPolicy
 
 Allowing pods to access the host IPC can read memory of
 the other containers, breaking that security boundary.
@@ -196,7 +246,9 @@ _source: [psp-deny-host-ipc](psp-deny-host-ipc)_
 
 **Severity:** Violation
 
-**Resources:** policy/PodSecurityPolicy
+**Resources:**
+
+- policy/PodSecurityPolicy
 
 Allowing pods to access the host's process tree can view and attempt to
 modify processes outside of their namespace, breaking that security
@@ -209,7 +261,9 @@ _source: [psp-deny-host-network](psp-deny-host-network)_
 
 **Severity:** Violation
 
-**Resources:** policy/PodSecurityPolicy
+**Resources:**
+
+- policy/PodSecurityPolicy
 
 Allowing pods to access the host's process tree can view and attempt to
 modify processes outside of their namespace, breaking that security
@@ -222,7 +276,9 @@ _source: [psp-deny-host-pid](psp-deny-host-pid)_
 
 **Severity:** Violation
 
-**Resources:** policy/PodSecurityPolicy
+**Resources:**
+
+- policy/PodSecurityPolicy
 
 Allowing privileged containers can much more easily obtain root on the node.
 As such, they are not allowed.
@@ -234,7 +290,12 @@ _source: [psp-deny-privileged](psp-deny-privileged)_
 
 **Severity:** Violation
 
-**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet
+**Resources:**
+
+- core/Pod
+- apps/DaemonSet
+- apps/Deployment
+- apps/StatefulSet
 
 Using the latest tag on images can cause unexpected problems in production. By specifying a pinned version
 we can have higher confidence that our applications are immutable and do not change unexpectedly.
@@ -261,7 +322,12 @@ _source: [container-deny-latest-tag](container-deny-latest-tag)_
 
 **Severity:** Violation
 
-**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet
+**Resources:**
+
+- core/Pod
+- apps/DaemonSet
+- apps/Deployment
+- apps/StatefulSet
 
 Resource constraints on containers ensure that a given workload does not take up more resources than it requires
 and potentially starve other applications that need to run.
@@ -273,7 +339,9 @@ _source: [container-deny-without-resource-constraints](container-deny-without-re
 
 **Severity:** Violation
 
-**Resources:** rbac.authorization.k8s.io/Role
+**Resources:**
+
+- rbac.authorization.k8s.io/Role
 
 Workloads not running in the exempted namespaces must not use PodSecurityPolicies with privileged permissions.
 
@@ -284,7 +352,12 @@ _source: [role-deny-use-privileged-psp](role-deny-use-privileged-psp)_
 
 **Severity:** Violation
 
-**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet
+**Resources:**
+
+- core/Pod
+- apps/DaemonSet
+- apps/Deployment
+- apps/StatefulSet
 
 **MatchLabels:** is-tenant=true
 
@@ -301,7 +374,10 @@ _source: [container-deny-privileged-if-tenant](container-deny-privileged-if-tena
 
 **Severity:** Warning
 
-**Resources:** apps/DaemonSet apps/Deployment
+**Resources:**
+
+- apps/DaemonSet
+- apps/Deployment
 
 The `extensions/v1beta1 API` has been deprecated in favor of `apps/v1`. Later versions of Kubernetes
 remove this API so to ensure that the Deployment or DaemonSet can be successfully deployed to the cluster,
@@ -314,7 +390,12 @@ _source: [any-warn-deprecated-api-versions](any-warn-deprecated-api-versions)_
 
 **Severity:** Warning
 
-**Resources:** core/Pod apps/DaemonSet apps/Deployment apps/StatefulSet
+**Resources:**
+
+- core/Pod
+- apps/DaemonSet
+- apps/Deployment
+- apps/StatefulSet
 
 In order to prevent persistence in the case of a compromise, it is
 important to make the root filesystem read-only.
@@ -326,7 +407,9 @@ _source: [container-warn-no-ro-fs](container-warn-no-ro-fs)_
 
 **Severity:** Warning
 
-**Resources:** policy/PodSecurityPolicy
+**Resources:**
+
+- policy/PodSecurityPolicy
 
 Allowing pods to access the host's network interfaces can potentially
 access and tamper with traffic the pod should not have access to.