From 8c6ff125d5b0e0f6f783417512e936087d1c6c8c Mon Sep 17 00:00:00 2001
From: Lavish pal
Date: Tue, 30 Jul 2024 16:58:24 +0530
Subject: [PATCH 1/3] Enhanced: Simplify the CEL policy to disallow host ports
Signed-off-by: Lavish pal
---
 .../disallow-host-ports.yaml | 32 ++++++++-----------
 1 file changed, 13 insertions(+), 19 deletions(-)
diff --git a/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml b/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml
index b7603ecfb..4ec05497f 100644
--- a/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml
+++ b/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml
@@ -30,24 +30,18 @@ spec:
 cel:
 expressions:
 - expression: >-
- object.spec.containers.all(container, !has(container.ports) ||
- container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
- message: >-
- Use of host ports is disallowed. The field spec.containers[*].ports[*].hostPort
- must either be unset or set to `0`.
+ [
+ object.spec.containers,
+ object.spec.initContainers,
+ object.spec.ephemeralContainers
+ ].all(containers, !has(containers) ||
+ containers.all(container, !has(container.ports) ||
+ container.ports.all(port, !has(port.hostPort) || port.hostPort == 0)
+ )
+ )
+ message: >-
+ Use of host ports is disallowed. The field spec.containers[*].ports[*].hostPort,
+ spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
+ must either be unset or set to `0`.
- - expression: >-
- !has(object.spec.initContainers) ||
- object.spec.initContainers.all(container, !has(container.ports) ||
- container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
- message: >-
- Use of host ports is disallowed. The field spec.initContainers[*].ports[*].hostPort
- must either be unset or set to `0`.
- - expression: >-
- !has(object.spec.ephemeralContainers) ||
- object.spec.ephemeralContainers.all(container, !has(container.ports) ||
- container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
- message: >-
- Use of host ports is disallowed. The field spec.ephemeralContainers[*].ports[*].hostPort
- must either be unset or set to `0`.
From af3e139c885e465ba554d77e8e0d79513cad160b Mon Sep 17 00:00:00 2001
From: Lavish pal
Date: Fri, 2 Aug 2024 08:33:06 +0530
Subject: [PATCH 2/3] Update the artifacthub digest
Signed-off-by: Lavish pal
---
 .../baseline/disallow-host-ports/artifacthub-pkg.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
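Review bot: The merged expression breaks on any Pod that omits `initContainers` or `ephemeralContainers`: the list literal `[object.spec.containers, object.spec.initContainers, object.spec.ephemeralContainers]` evaluates all three field accesses eagerly, so a missing key raises an evaluation error before `.all()` ever runs, and the `!has(containers)` guard inside the macro cannot help because CEL's `has()` only accepts a field selection (`has(a.b)`), not a bound comprehension variable. The three removed expressions guarded each optional field with `!has(object.spec.initContainers) ||` before touching it, and the single merged form still needs that protection per element. The practical effect is presumably that ordinary Pods carrying only `spec.containers` fail the rule or error out instead of passing, depending on how Kyverno surfaces CEL evaluation errors. Build the optional lists with a conditional as below and keep the `container`/`port` checks as they are; the policy's test fixtures, if it has any, should include a Pod with only `spec.containers` and no `hostPort` so this regression is caught.
```yaml
          - expression: >-
              [
                object.spec.containers,
                has(object.spec.initContainers) ? object.spec.initContainers : [],
                has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []
              ].all(containers,
                containers.all(container, !has(container.ports) ||
                  container.ports.all(port, !has(port.hostPort) || port.hostPort == 0)
                )
              )
            # … unchanged: message …
```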
diff --git a/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml
index 619a073ff..f0a5c882b 100644
--- a/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml
+++ b/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml
@@ -19,5 +19,5 @@ annotations:
 kyverno/category: "Pod Security Standards (Baseline) in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: b95cfe16e11be0b9507736687bd99b5ea78c455f8fc35194220326ea5ff3913c
+digest: 7cf73b6a1d171059742e0bf243acc6d5aef20b4f45aca0a2c73a162df23b375a
 createdAt: "2023-12-03T00:22:34Z"
From 1cc36debc91c5f9b67415376fa1abdd9739ae092 Mon Sep 17 00:00:00 2001
From: Lavish pal
Date: Sat, 3 Aug 2024 10:28:07 +0530
Subject: [PATCH 3/3] Update the digest value
Signed-off-by: Lavish pal
---
 .../baseline/disallow-host-ports/artifacthub-pkg.yml | 2 +-
 pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml
index f0a5c882b..ddb7a1027 100644
--- a/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml
+++ b/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml
@@ -19,5 +19,5 @@ annotations:
 kyverno/category: "Pod Security Standards (Baseline) in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: 7cf73b6a1d171059742e0bf243acc6d5aef20b4f45aca0a2c73a162df23b375a
+digest: 5380fdcd91c8bc331f46c6df2f4ae05e079a8e367ba071b3f3345858440a6fce
 createdAt: "2023-12-03T00:22:34Z"
diff --git a/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml b/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml
index 737e81be9..dce9a2d57 100644
--- a/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml
+++ b/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml
@@ -19,5 +19,5 @@ annotations:
 kyverno/category: "Pod Security Standards (Baseline) in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: 97f75f8cdd2e3ee9f9696cdceccc34cf0df5edbca0e3bbab76572494a26ce6e8
+digest: c9b480f97695316999bec53d4d9ee9b79d726eeb3038b941f64590bf98cb2486
 createdAt: "2023-12-03T00:22:33Z"