From b849b326ab5b6309e5e990056e552050e7f7652f Mon Sep 17 00:00:00 2001
From: Sanskar Gurdasani <92817635+Sanskarzz@users.noreply.github.com>
Date: Sat, 6 Jan 2024 02:18:17 +0530
Subject: [PATCH 1/2] Add psa namespace reporting (#877)
* added policy and artifacthub file
Signed-off-by: Sanskarzz
* added .chainsaw-test
Signed-off-by: Sanskarzz
* added .kyverno-test
Signed-off-by: Sanskarzz
---------
Signed-off-by: Sanskarzz
---
 .../.chainsaw-test/chainsaw-test.yaml | 32 +++++++++++++++
 .../namespace-with-psa-labels.yaml | 6 +++
 .../namespace-without-psa-labels.yaml | 4 ++
 .../.chainsaw-test/policy-ready.yaml | 9 +++++
 .../.kyverno-test/kyverno-test.yaml | 22 +++++++++++
 .../namespace-with-psa-labels.yaml | 6 +++
 .../namespace-without-psa-labels.yaml | 4 ++
 .../add-psa-namespace-reporting.yaml | 39 +++++++++++++++++++
 .../artifacthub-pkg.yml | 23 +++++++++++
 9 files changed, 145 insertions(+)
 create mode 100644 psa/add-psa-namespace-reporting/.chainsaw-test/chainsaw-test.yaml
 create mode 100644 psa/add-psa-namespace-reporting/.chainsaw-test/namespace-with-psa-labels.yaml
 create mode 100644 psa/add-psa-namespace-reporting/.chainsaw-test/namespace-without-psa-labels.yaml
 create mode 100644 psa/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml
 create mode 100644 psa/add-psa-namespace-reporting/.kyverno-test/kyverno-test.yaml
 create mode 100644 psa/add-psa-namespace-reporting/.kyverno-test/namespace-with-psa-labels.yaml
 create mode 100644 psa/add-psa-namespace-reporting/.kyverno-test/namespace-without-psa-labels.yaml
 create mode 100644 psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml
 create mode 100644 psa/add-psa-namespace-reporting/artifacthub-pkg.yml
diff --git a/psa/add-psa-namespace-reporting/.chainsaw-test/chainsaw-test.yaml b/psa/add-psa-namespace-reporting/.chainsaw-test/chainsaw-test.yaml
new file mode 100644
index 000000000..7d09b0d11
--- /dev/null
+++ b/psa/add-psa-namespace-reporting/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,32 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: add-psa-namespace-reporting
+spec:
+ steps:
+ - name: apply-policy
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../add-psa-namespace-reporting.yaml | kubectl create -f -
+ - assert:
+ file: policy-ready.yaml
+ - name: apply-policy-test
+ try:
+ - apply:
+ file: namespace-with-psa-labels.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: namespace-without-psa-labels.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: add-psa-namespace-reporting
+
+
diff --git a/psa/add-psa-namespace-reporting/.chainsaw-test/namespace-with-psa-labels.yaml b/psa/add-psa-namespace-reporting/.chainsaw-test/namespace-with-psa-labels.yaml
new file mode 100644
index 000000000..e94a09e9a
--- /dev/null
+++ b/psa/add-psa-namespace-reporting/.chainsaw-test/namespace-with-psa-labels.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test
+ labels:
+ pod-security.kubernetes.io/enforce: "privileged"
\ No newline at end of file
diff --git a/psa/add-psa-namespace-reporting/.chainsaw-test/namespace-without-psa-labels.yaml b/psa/add-psa-namespace-reporting/.chainsaw-test/namespace-without-psa-labels.yaml
new file mode 100644
index 000000000..7956df12c
--- /dev/null
+++ b/psa/add-psa-namespace-reporting/.chainsaw-test/namespace-without-psa-labels.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-fail
\ No newline at end of file
diff --git a/psa/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml b/psa/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml
new file mode 100644
index 000000000..cfb6ab67a
--- /dev/null
+++ b/psa/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml
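Review bot: The `sed` in the apply-policy script is coupled to the exact lowercase string `validationFailureAction: audit` in the policy file; if that value is later normalised to `Audit`, the substitution matches nothing, the policy is installed in audit mode, and the `($error != null): true` expectation in apply-policy-test fails for a reason unrelated to the rule under test, so `sed 's/validationFailureAction: [Aa]udit/validationFailureAction: Enforce/'` is the more robust form. The fixture namespaces are named `test` and `test-fail`, which can collide with namespaces already present in a shared test cluster and change what the apply steps observe; a policy-specific name keeps the steps hermetic (the .kyverno-test fixtures and the `resources` entries in kyverno-test.yaml would need the same rename). The `creationTimestamp: null` line and the two trailing blank lines look like generator residue and can be dropped.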
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-psa-namespace-reporting
+status:
+ ready: true
+
+
+
diff --git a/psa/add-psa-namespace-reporting/.kyverno-test/kyverno-test.yaml b/psa/add-psa-namespace-reporting/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..513ac0fe8
--- /dev/null
+++ b/psa/add-psa-namespace-reporting/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,22 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-psa-namespace-reporting-tests
+policies:
+- ../add-psa-namespace-reporting.yaml
+resources:
+- namespace-with-psa-labels.yaml
+- namespace-without-psa-labels.yaml
+results:
+ - kind: Namespace
+ policy: add-psa-namespace-reporting
+ resources:
+ - test
+ rule: check-namespace-labels
+ result: pass
+ - kind: Namespace
+ policy: add-psa-namespace-reporting
+ resources:
+ - test-fail
+ rule: check-namespace-labels
+ result: fail
\ No newline at end of file
diff --git a/psa/add-psa-namespace-reporting/.kyverno-test/namespace-with-psa-labels.yaml b/psa/add-psa-namespace-reporting/.kyverno-test/namespace-with-psa-labels.yaml
new file mode 100644
index 000000000..e94a09e9a
--- /dev/null
+++ b/psa/add-psa-namespace-reporting/.kyverno-test/namespace-with-psa-labels.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test
+ labels:
+ pod-security.kubernetes.io/enforce: "privileged"
\ No newline at end of file
diff --git a/psa/add-psa-namespace-reporting/.kyverno-test/namespace-without-psa-labels.yaml b/psa/add-psa-namespace-reporting/.kyverno-test/namespace-without-psa-labels.yaml
new file mode 100644
index 000000000..7956df12c
--- /dev/null
+++ b/psa/add-psa-namespace-reporting/.kyverno-test/namespace-without-psa-labels.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-fail
\ No newline at end of file
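Review bot: Sequence indentation is mixed inside kyverno-test.yaml: the `policies` and `resources` lists use flush `- ` entries while the `results` list indents its entries, which yamllint's indentation check reports; one form should be used for the whole file. The four fixture files and kyverno-test.yaml all end with `\ No newline at end of file`, which makes later diffs touching the last line noisier than necessary; a trailing newline is worth adding to each. The two fixture pairs under .chainsaw-test and .kyverno-test are byte-identical copies (same blob ids), so any rename of the `test`/`test-fail` namespaces has to be made in both places and in the `resources` lists of the results.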
diff --git a/psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml b/psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml
new file mode 100644
index 000000000..15b830f10
--- /dev/null
+++ b/psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml
@@ -0,0 +1,39 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-psa-namespace-reporting
+ annotations:
+ policies.kyverno.io/title: Add PSA Namespace Reporting
+ policies.kyverno.io/category: Pod Security Admission, EKS Best Practices
+ policies.kyverno.io/severity: medium
+ kyverno.io/kyverno-version: 1.7.1
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.24"
+ policies.kyverno.io/subject: Namespace
+ policies.kyverno.io/description: >-
+ This policy is valuable as it ensures that all namespaces within a Kubernetes
+ cluster are labeled with Pod Security Admission (PSA) labels, which are crucial
+ for defining security levels and ensuring that pods within a namespace operate
+ under the defined Pod Security Standard (PSS). By enforcing namespace labeling,
+ This policy audits namespaces to verify the presence of PSA labels.
+ If a namespace is found without the required labels, it generates and maintain
+ and ClusterPolicy Report in default namespace.
+ This helps administrators identify namespaces that do not comply with the
+ organization's security practices and take appropriate action to rectify the
+ situation.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: check-namespace-labels
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ validate:
+ message: This Namespace is missing a PSA label.
+ pattern:
+ metadata:
+ labels:
+ pod-security.kubernetes.io/*: "?*"
\ No newline at end of file
diff --git a/psa/add-psa-namespace-reporting/artifacthub-pkg.yml b/psa/add-psa-namespace-reporting/artifacthub-pkg.yml
new file mode 100644
index 000000000..dfe7645b3
--- /dev/null
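Review bot: The pattern `pod-security.kubernetes.io/*: "?*"` in check-namespace-labels is satisfied by any single PSA label, so a namespace carrying only `pod-security.kubernetes.io/warn`, `audit`, or one of the `*-version` labels passes even though no Pod Security Standard is enforced in it, which is weaker than the description's claim that pods "operate under the defined Pod Security Standard"; if enforcement is the intent the pattern should name the label that matters, `pod-security.kubernetes.io/enforce: "?*"`, and the fixtures in .chainsaw-test and .kyverno-test should gain a warn-only namespace to pin the fail case, whereas if any PSA label is meant to be enough the description should say so (note that `enforce: privileged`, the value the pass fixture uses, also satisfies it). The description has wording slips that the same text in the artifacthub-pkg.yml `description` and `readme` repeats — "By enforcing namespace labeling, This policy audits" and "it generates and maintain and ClusterPolicy Report in default namespace" — and the "in default namespace" claim is worth checking, since results for a cluster-scoped Namespace are, as far as I know, recorded in a ClusterPolicyReport rather than a namespaced report. A possible rewrite of those two sentences: "This policy audits namespaces to verify the presence of PSA labels. A namespace without the required labels is recorded as a violation in the policy report, which helps administrators identify non-compliant namespaces and rectify them."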
+++ b/psa/add-psa-namespace-reporting/artifacthub-pkg.yml 
@@ -0,0 +1,23 @@
+name: add-psa-namespace-reporting
+version: 1.0.0
+displayName: Add PSA Namespace Reporting
+createdAt: "2024-01-4T16:10:04.000Z"
+description: >-
+ This policy is valuable as it ensures that all namespaces within a Kubernetes cluster are labeled with Pod Security Admission (PSA) labels, which are crucial for defining security levels and ensuring that pods within a namespace operate under the defined Pod Security Standard (PSS). By enforcing namespace labeling, This policy audits namespaces to verify the presence of PSA labels. If a namespace is found without the required labels, it generates and maintain and ClusterPolicy Report in default namespace. This helps administrators identify namespaces that do not comply with the organization's security practices and take appropriate action to rectify the situation.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml
+ ```
+keywords:
+ - kyverno
+ - Pod Security Admission
+ - EKS Best Practices
+readme: |
+ This policy is valuable as it ensures that all namespaces within a Kubernetes cluster are labeled with Pod Security Admission (PSA) labels, which are crucial for defining security levels and ensuring that pods within a namespace operate under the defined Pod Security Standard (PSS). By enforcing namespace labeling, This policy audits namespaces to verify the presence of PSA labels. If a namespace is found without the required labels, it generates and maintain and ClusterPolicy Report in default namespace. This helps administrators identify namespaces that do not comply with the organization's security practices and take appropriate action to rectify the situation.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Pod Security Admission, EKS Best Practices"
+ kyverno/kubernetesVersion: "1.24"
+ kyverno/subject: "Namespace"
+digest: 9f900e576158a5cff2e07404794add182859bfc6d881682af3490381abe6b434
From 526424e27a7284beb9b86c3888b50b2067236b91 Mon Sep 17 00:00:00 2001
From: Chip Zoller
Date: Fri, 5 Jan 2024 16:55:35 -0500
Subject: [PATCH 2/2] fix createdAt (#879)
Signed-off-by: chipzoller
---
 psa/add-psa-namespace-reporting/artifacthub-pkg.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/psa/add-psa-namespace-reporting/artifacthub-pkg.yml b/psa/add-psa-namespace-reporting/artifacthub-pkg.yml
index dfe7645b3..00f936a11 100644
--- a/psa/add-psa-namespace-reporting/artifacthub-pkg.yml
+++ b/psa/add-psa-namespace-reporting/artifacthub-pkg.yml
@@ -1,7 +1,7 @@
 name: add-psa-namespace-reporting
 version: 1.0.0
 displayName: Add PSA Namespace Reporting
-createdAt: "2024-01-4T16:10:04.000Z"
+createdAt: "2024-01-04T16:10:04.000Z"
 description: >-
 This policy is valuable as it ensures that all namespaces within a Kubernetes cluster are labeled with Pod Security Admission (PSA) labels, which are crucial for defining security levels and ensuring that pods within a namespace operate under the defined Pod Security Standard (PSS). By enforcing namespace labeling, This policy audits namespaces to verify the presence of PSA labels. If a namespace is found without the required labels, it generates and maintain and ClusterPolicy Report in default namespace. This helps administrators identify namespaces that do not comply with the organization's security practices and take appropriate action to rectify the situation.
 install: |-