
Create common exempt containers library #206

@tmos22

Description


Background

The lib_exempt_container.rego file is replicated in many different locations.

  1. general/containerlimits
  2. general/containerrequests
  3. general/containerresourceratios
  4. general/containerresources
  5. general/disallowedtags
  6. general/imagedigests
  7. pod-security-policy/allow-privilege-escalation
  8. pod-security-policy/apparmor
  9. pod-security-policy/capabilities
  10. pod-security-policy/host-network-ports
  11. pod-security-policy/privileged-containers
  12. pod-security-policy/proc-mount
  13. pod-security-policy/read-only-root-filesystem
  14. pod-security-policy/seccomp
  15. pod-security-policy/selinux
  16. pod-security-policy/users
  17. rego/lib_exempt_container

When running an "OPA: Trace Selection" in VSCode, it appears to execute through every available is_exempt() function.
(small sample)

/home/.../ephemeralstorage/src.rego:95                                                | | | | | Index data.lib.exempt_container.is_exempt (matched 17 rules, early exit)
.....
/home/...vendor/gatekeeper-library/src/general/imagedigests/lib_exempt_container.rego:10                               | | | | | Enter data.lib.exempt_container._matches_exemption
/home/...vendor/gatekeeper-library/src/general/imagedigests/lib_exempt_container.rego:11                               | | | | | | Eval not endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/general/imagedigests/lib_exempt_container.rego:11                               | | | | | | Enter endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/general/imagedigests/lib_exempt_container.rego:11                               | | | | | | | Eval endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/general/imagedigests/lib_exempt_container.rego:11                               | | | | | | | Exit endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/general/imagedigests/lib_exempt_container.rego:11                               | | | | | | Redo endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/general/imagedigests/lib_exempt_container.rego:11                               | | | | | | | Redo endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/general/imagedigests/lib_exempt_container.rego:11                               | | | | | | Fail not endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/seccomp/lib_exempt_container.rego:10                        | | | | | Enter data.lib.exempt_container._matches_exemption
/home/...vendor/gatekeeper-library/src/pod-security-policy/seccomp/lib_exempt_container.rego:11                        | | | | | | Eval not endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/seccomp/lib_exempt_container.rego:11                        | | | | | | Enter endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/seccomp/lib_exempt_container.rego:11                        | | | | | | | Eval endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/seccomp/lib_exempt_container.rego:11                        | | | | | | | Exit endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/seccomp/lib_exempt_container.rego:11                        | | | | | | Redo endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/seccomp/lib_exempt_container.rego:11                        | | | | | | | Redo endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/seccomp/lib_exempt_container.rego:11                        | | | | | | Fail not endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/proc-mount/lib_exempt_container.rego:10                     | | | | | Enter data.lib.exempt_container._matches_exemption
/home/...vendor/gatekeeper-library/src/pod-security-policy/proc-mount/lib_exempt_container.rego:11                     | | | | | | Eval not endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/proc-mount/lib_exempt_container.rego:11                     | | | | | | Enter endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/proc-mount/lib_exempt_container.rego:11                     | | | | | | | Eval endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/proc-mount/lib_exempt_container.rego:11                     | | | | | | | Exit endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/proc-mount/lib_exempt_container.rego:11                     | | | | | | Redo endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/proc-mount/lib_exempt_container.rego:11                     | | | | | | | Redo endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/proc-mount/lib_exempt_container.rego:11                     | | | | | | Fail not endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/allow-privilege-escalation/lib_exempt_container.rego:10     | | | | | Enter data.lib.exempt_container._matches_exemption
/home/...vendor/gatekeeper-library/src/pod-security-policy/allow-privilege-escalation/lib_exempt_container.rego:11     | | | | | | Eval not endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/allow-privilege-escalation/lib_exempt_container.rego:11     | | | | | | Enter endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/allow-privilege-escalation/lib_exempt_container.rego:11     | | | | | | | Eval endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/allow-privilege-escalation/lib_exempt_container.rego:11     | | | | | | | Exit endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/allow-privilege-escalation/lib_exempt_container.rego:11     | | | | | | Redo endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/allow-privilege-escalation/lib_exempt_container.rego:11     | | | | | | | Redo endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/allow-privilege-escalation/lib_exempt_container.rego:11     | | | | | | Fail not endswith(exemption, "*")
/home/...vendor/gatekeeper-library/src/pod-security-policy/allow-privilege-escalation/lib_exempt_container.rego:7      | | | | | Fail data.lib.exempt_container._matches_exemption(img, exemption)
/home/...vendor/gatekeeper-library/src/pod-security-policy/allow-privilege-escalation/lib_exempt_container.rego:6      | | | | | Redo exemption = exempt_images[_]
/home/...vendor/gatekeeper-library/src/pod-security-policy/allow-privilege-escalation/lib_exempt_container.rego:5      | | | | | Redo img = container.image
/home/...vendor/gatekeeper-library/src/pod-security-policy/allow-privilege-escalation/lib_exempt_container.rego:4      | | | | | Redo exempt_images = __local4275__
/home/...vendor/gatekeeper-library/src/pod-security-policy/allow-privilege-escalation/lib_exempt_container.rego:4      | | | | | Redo object.get(__local4274__, "exemptImages", [], __local4275__)
/home/...vendor/gatekeeper-library/src/pod-security-policy/allow-privilege-escalation/lib_exempt_container.rego:4      | | | | | Redo object.get(__local6044__, "parameters", {}, __local4274__)
/home/...vendor/gatekeeper-library/src/pod-security-policy/allow-privilege-escalation/lib_exempt_container.rego:4      | | | | | Redo __local6044__ = input

Acceptance Criteria

  • Have a single lib.exempt_container package that is referenced and used in place of duplicated packages.
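As an added example (not the issue author's code and not the gatekeeper-library file itself), here is what a single shared lib.exempt_container package could look like, reproducing the matching the trace above shows (exact match, or prefix match when the entry ends in "*"), with its tests in the same file so `opa test exempt_container.rego` runs it stand-alone; it assumes classic pre-1.0 Rego syntax and uses constructed image names. Keeping one copy also means a change to the matching rules lands once instead of having to be repeated in 17 places.

```rego
package lib.exempt_container

# A container is exempt when its image matches any entry of
# input.parameters.exemptImages.  Policies import this one copy with
#   import data.lib.exempt_container.is_exempt
is_exempt(container) {
    exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
    img := container.image
    exemption := exempt_images[_]
    _matches_exemption(img, exemption)
}

# Exact match: the entry names one image, tag or digest included.
_matches_exemption(img, exemption) {
    not endswith(exemption, "*")
    exemption == img
}

# Prefix match: a trailing "*" matches anything starting with the rest.
_matches_exemption(img, exemption) {
    endswith(exemption, "*")
    prefix := trim_suffix(exemption, "*")
    startswith(img, prefix)
}

# Tests on constructed constraint parameters; run with `opa test`.
params(list) = p { p := {"parameters": {"exemptImages": list}} }

test_exact_entry_matches_only_that_image {
    p := params(["registry.example/app:1.0"])
    is_exempt({"image": "registry.example/app:1.0"}) with input as p
    not is_exempt({"image": "registry.example/app:1.1"}) with input as p
}

test_wildcard_is_prefix_only {
    p := params(["registry.example/app*"])
    is_exempt({"image": "registry.example/app:1.1"}) with input as p
    not is_exempt({"image": "mirror.example/registry.example/app:1.1"}) with input as p
}

test_missing_parameters_exempts_nothing {
    not is_exempt({"image": "registry.example/app:1.0"}) with input as {}
}

# Caveat: a bare "*" entry exempts every container, since every image
# starts with the empty prefix. Review exemptImages lists for it.
test_bare_wildcard_exempts_everything {
    p := params(["*"])
    is_exempt({"image": "anything"}) with input as p
}
```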
