feat: add other policies in CEL expressions - Part 6 (#970)

* add CI test for directories starting with res in other-cel

Signed-off-by: Chandan-DK <[email protected]>

* copy restrict-loadbalancer

Signed-off-by: Chandan-DK <[email protected]>

* convert restrict-loadbalancer

Signed-off-by: Chandan-DK <[email protected]>

* copy restrict-networkpolicy-empty-podselector

Signed-off-by: Chandan-DK <[email protected]>

* convert restrict-networkpolicy-empty-podselector

Signed-off-by: Chandan-DK <[email protected]>

* copy restrict-node-affinity

Signed-off-by: Chandan-DK <[email protected]>

* convert restrict-node-affinity

Signed-off-by: Chandan-DK <[email protected]>

* copy restrict-sa-automount-sa-token

Signed-off-by: Chandan-DK <[email protected]>

* convert restrict-sa-automount-sa-token

Signed-off-by: Chandan-DK <[email protected]>

* copy restrict-secret-role-verbs

Signed-off-by: Chandan-DK <[email protected]>

* add kyverno tests for restrict-secret-role-verbs

Signed-off-by: Chandan-DK <[email protected]>

* convert restrict-secret-role-verbs

Signed-off-by: Chandan-DK <[email protected]>

* copy restrict-service-port-range

Signed-off-by: Chandan-DK <[email protected]>

* convert restrict-service-port-range

Signed-off-by: Chandan-DK <[email protected]>

* copy restrict-secrets-by-name

Signed-off-by: Chandan-DK <[email protected]>

* convert restrict-secrets-by-name

Signed-off-by: Chandan-DK <[email protected]>

* copy restrict-storageclass

Signed-off-by: Chandan-DK <[email protected]>

* convert restrict-storageclass

Signed-off-by: Chandan-DK <[email protected]>

* copy restrict-usergroup-fsgroup-id

Signed-off-by: Chandan-DK <[email protected]>

* add kyverno tests for restrict-usergroup-fsgroup-id

Signed-off-by: Chandan-DK <[email protected]>

* convert restrict-usergroup-fsgroup-id

Signed-off-by: Chandan-DK <[email protected]>

* copy restrict-wildcard-resources

Signed-off-by: Chandan-DK <[email protected]>

* add kyverno tests for restrict-wildcard-resources

Signed-off-by: Chandan-DK <[email protected]>

* convert restrict-wildcard-resources

Signed-off-by: Chandan-DK <[email protected]>

* copy restrict-wildcard-verbs

Signed-off-by: Chandan-DK <[email protected]>

* add kyverno tests for restrict-wildcard-verbs

Signed-off-by: Chandan-DK <[email protected]>

* convert restrict-wildcard-verbs

Signed-off-by: Chandan-DK <[email protected]>

* rename files for clarity

Signed-off-by: Chandan-DK <[email protected]>

* add new lines at the end of file

Signed-off-by: Chandan-DK <[email protected]>

* fix cel test

Signed-off-by: Chandan-DK <[email protected]>

* add test case for pod creation without securityContext field

Signed-off-by: Chandan-DK <[email protected]>

* handle case where rules is null in restrict-wildcard-verbs

Signed-off-by: Chandan-DK <[email protected]>

* add edge cases to chainsaw test for restrict-wildcard-verbs

Signed-off-by: Chandan-DK <[email protected]>

* add kyverno tests with edge cases for restrict-wildcard-verbs

Signed-off-by: Chandan-DK <[email protected]>

* handle case where rules is null for restrict-wildcard-resources

Signed-off-by: Chandan-DK <[email protected]>

* add edge cases to chainsaw tests for restrict-wildcard-resources

Signed-off-by: Chandan-DK <[email protected]>

* handle case where rules is null for restrict-clusterrole-nodesproxy

Signed-off-by: Chandan-DK <[email protected]>

* add kyverno test with edge cases for restrict-clusterrole-nodesproxy

Signed-off-by: Chandan-DK <[email protected]>

* add chainsaw edge cases for restrict-clusterrole-nodesproxy

Signed-off-by: Chandan-DK <[email protected]>

* handle case where rules is null in restrict-escalation-verbs-roles

Signed-off-by: Chandan-DK <[email protected]>

* add edge case for kyverno tests in restrict-escalation-verbs-roles

Signed-off-by: Chandan-DK <[email protected]>

* add edge cases to chainsaw tests for restrict-escalation-verbs-roles

Signed-off-by: Chandan-DK <[email protected]>

* handle case where rules is null in restrict-secret-role-verbs

Signed-off-by: Chandan-DK <[email protected]>

* add edge cases for restrict-secret-role-verbs

Signed-off-by: Chandan-DK <[email protected]>

* add edge cases for chainsaw tests in restrict-secret-role-verbs

Signed-off-by: Chandan-DK <[email protected]>

* rename kyverno test resources

Signed-off-by: Chandan-DK <[email protected]>

* elaborate comment

Signed-off-by: Chandan-DK <[email protected]>

---------

Signed-off-by: Chandan-DK <[email protected]>
Co-authored-by: Mariam Fahmy <[email protected]>

.github/workflows/test.yml

@@ -60,6 +60,7 @@ jobs:
           - ^other$/^res
           - ^other-cel$/^res
           - ^other$/^[s-z]
+          - ^other-cel$/^res
           - ^pod-security$
           - ^pod-security-cel$
           - ^psa$

other-cel/restrict-clusterrole-nodesproxy/.chainsaw-test/cr-good.yaml

@@ -18,4 +18,15 @@ rules:
 - apiGroups: [""]
   resources: ["nodes"]
   verbs: ["get", "watch", "list"]
-
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: empty-rules
+rules: 
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: omitted-rules
+---

other-cel/restrict-clusterrole-nodesproxy/.kyverno-test/kyverno-test.yaml

@@ -5,8 +5,7 @@ metadata:
 policies:
 - ../restrict-clusterrole-nodesproxy.yaml
 resources:
-- ../.chainsaw-test/cr-bad.yaml
-- ../.chainsaw-test/cr-good.yaml
+- resource.yaml
 results:
 - policy: restrict-clusterrole-nodesproxy
   rule: clusterrole-nodesproxy
@@ -21,5 +20,6 @@ results:
   resources:
   - goodcr01
   - goodcr02
+  - default-rules
   result: pass
 

other-cel/restrict-clusterrole-nodesproxy/.kyverno-test/resource.yaml

@@ -0,0 +1,50 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: badcr01
+rules:
+- apiGroups: [""]
+  resources: ["nodes/proxy", "namespaces"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: ["apps"]
+  resources: ["deployments"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: badcr02
+rules:
+- apiGroups: [""]
+  resources: ["pods", "nodes/proxy"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: goodcr01
+rules:
+- apiGroups: [""]
+  resources: ["pods", "namespaces"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: ["apps"]
+  resources: ["deployments"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: goodcr02
+rules:
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get", "watch", "list"]
+---
+# In the manifest, if the 'rules' field is not specified or is specified as 'rules: ' without a value, 
+# it will be set to null by default when created in the cluster
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: default-rules
+rules: null
+---

other-cel/restrict-clusterrole-nodesproxy/artifacthub-pkg.yml

@@ -19,6 +19,6 @@ annotations:
   kyverno/category: "Sample in CEL"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "ClusterRole, RBAC"
-digest: 54304b50ebe12dab7f36afa09eaadf5f591d39a2bfe3ee83c150df30cbf66c4b
+digest: 5c78dc50201f3223c42e0ac414e23dcc418f487ae76031aa85eb4fbd6fa1a2c1
 createdAt: "2024-04-13T16:12:56Z"
 

other-cel/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml

@@ -31,6 +31,7 @@ spec:
         cel:
           expressions:
             - expression: >-
+                object.rules == null || 
                 !object.rules.exists(rule, 
                 rule.resources.exists(resource, resource == 'nodes/proxy') && 
                 rule.apiGroups.exists(apiGroup, apiGroup == ''))

other-cel/restrict-escalation-verbs-roles/.chainsaw-test/cr-good.yaml

@@ -21,4 +21,15 @@ rules:
 - apiGroups: [""]
   resources: ["pods", "namespaces"]
   verbs: ["get", "watch", "list"]
-
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: empty-rules
+rules: 
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: omitted-rules
+---

other-cel/restrict-escalation-verbs-roles/.chainsaw-test/role-good.yaml

@@ -21,4 +21,15 @@ rules:
 - apiGroups: [""]
   resources: ["pods", "namespaces"]
   verbs: ["get", "watch", "list"]
-
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: empty-rules
+rules: 
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: omitted-rules
+---

other-cel/restrict-escalation-verbs-roles/.kyverno-test/kyverno-test.yaml

@@ -25,12 +25,14 @@ results:
   resources:
   - goodclusterrole01
   - goodclusterrole02
+  - default-rules
   result: pass
   rule: escalate
 - kind: Role
   policy: restrict-escalation-verbs-roles
   resources:
   - goodrole01
+  - default-rules
   result: pass
   rule: escalate
 

other-cel/restrict-escalation-verbs-roles/.kyverno-test/resource.yaml

@@ -101,6 +101,14 @@ rules:
   verbs:
   - '*'
 ---
+# In the manifest, if the 'rules' field is not specified or is specified as 'rules: ' without a value, 
+# it will be set to null by default when created in the cluster
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: default-rules
+rules: null
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -126,4 +134,12 @@ rules:
   - roles
   verbs:
   - impersonate
-
+---
+# In the manifest, if the 'rules' field is not specified or is specified as 'rules: ' without a value, 
+# it will be set to null by default when created in the cluster
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: default-rules
+rules: null
+---

other-cel/restrict-escalation-verbs-roles/artifacthub-pkg.yml

@@ -19,6 +19,6 @@ annotations:
   kyverno/category: "Security in CEL"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Role, ClusterRole, RBAC"
-digest: 79d9c85060d55996f3be6bbc06321edfed00daeaca5bd24a7f4436f23a96bd73
+digest: 145bfa9745d524e77c11d35ea267c3c2323eb6d9d13c3b7c00632eb358da7d75
 createdAt: "2024-04-14T15:40:58Z"
 

other-cel/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml

@@ -36,6 +36,7 @@ spec:
               expression: "['*', 'bind', 'escalate', 'impersonate']"
           expressions:
             - expression: >-
+                object.rules == null || 
                 !object.rules.exists(rule,
                 rule.apiGroups.exists(apiGroup, apiGroup in variables.apiGroups) &&
                 rule.resources.exists(resource, resource in variables.resources) &&

other-cel/restrict-loadbalancer/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,32 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: restrict-loadbalancer
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../restrict-loadbalancer.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: no-loadbalancer-service
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: policy-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: svc-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: svc-bad.yaml
+

other-cel/restrict-loadbalancer/.chainsaw-test/policy-ready.yaml

@@ -0,0 +1,7 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: no-loadbalancer-service
+status:
+  ready: true
+

other-cel/restrict-loadbalancer/.chainsaw-test/svc-bad.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: badsvc01
+spec:
+  selector:
+    app: nginx
+  ports:
+  - port: 80
+    targetPort: 80
+  type: LoadBalancer
+

other-cel/restrict-loadbalancer/.chainsaw-test/svc-good.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: goodsvc01
+spec:
+  selector:
+    app: nginx
+  ports:
+    - port: 80
+      targetPort: 80
+      nodePort: 30007
+  type: NodePort
+

other-cel/restrict-loadbalancer/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,22 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: no-loadbalancer-service
+policies:
+- ../restrict-loadbalancer.yaml
+resources:
+- resource.yaml
+results:
+- kind: Service
+  policy: no-loadbalancer-service
+  resources:
+  - default/my-service-1
+  result: fail
+  rule: no-LoadBalancer
+- kind: Service
+  policy: no-loadbalancer-service
+  resources:
+  - default/my-service-2
+  result: pass
+  rule: no-LoadBalancer
+

other-cel/restrict-loadbalancer/.kyverno-test/resource.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: my-service-1
+spec:
+  selector:
+    app: myapp-1
+  ports:
+  - port: 80
+    targetPort: 80
+  type: LoadBalancer
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: my-service-2
+spec:
+  selector:
+    app: MyApp
+  ports:
+    - port: 80
+      targetPort: 80
+      nodePort: 30007
+  type: NodePort
+

other-cel/restrict-loadbalancer/artifacthub-pkg.yml

@@ -0,0 +1,24 @@
+name: restrict-loadbalancer-cel
+version: 1.0.0
+displayName: Disallow Service Type LoadBalancer in CEL expressions
+description: >-
+  Especially in cloud provider environments, a Service having type LoadBalancer will cause the provider to respond by creating a load balancer somewhere in the customer account. This adds cost and complexity to a deployment. Without restricting this ability, users may easily overrun established budgets and security practices set by the organization. This policy restricts use of the Service type LoadBalancer.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-loadbalancer/restrict-loadbalancer.yaml
+  ```
+keywords:
+  - kyverno
+  - Sample
+  - CEL Expressions
+readme: |
+  Especially in cloud provider environments, a Service having type LoadBalancer will cause the provider to respond by creating a load balancer somewhere in the customer account. This adds cost and complexity to a deployment. Without restricting this ability, users may easily overrun established budgets and security practices set by the organization. This policy restricts use of the Service type LoadBalancer.
+  
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Sample in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
+  kyverno/subject: "Service"
+digest: 33b5031b68eb2f05d6dc535516fff514947846c6b64b1944e1546c897afae750
+createdAt: "2024-04-17T17:49:00Z"
+

other-cel/restrict-loadbalancer/restrict-loadbalancer.yaml

@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: no-loadbalancer-service
+  annotations:
+    policies.kyverno.io/title: Disallow Service Type LoadBalancer in CEL expressions
+    policies.kyverno.io/category: Sample in CEL 
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Service
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
+    policies.kyverno.io/description: >-
+      Especially in cloud provider environments, a Service having type LoadBalancer will cause the
+      provider to respond by creating a load balancer somewhere in the customer account. This adds
+      cost and complexity to a deployment. Without restricting this ability, users may easily
+      overrun established budgets and security practices set by the organization. This policy restricts
+      use of the Service type LoadBalancer.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: no-LoadBalancer
+    match:
+      any:
+      - resources:
+          kinds:
+          - Service
+    validate:
+      cel:
+        expressions:
+          - expression: "object.spec.type != 'LoadBalancer'"
+            message: "Service of type LoadBalancer is not allowed."
+