feat: add other policies in CEL expressions - Part 2 (#960)

* copy enforce-pod-duration

Signed-off-by: Chandan-DK <[email protected]>

* convert enforce-pod-duration to cel

Signed-off-by: Chandan-DK <[email protected]>

* add CI test for directories starting with e to l in other-cel folder

Signed-off-by: Chandan-DK <[email protected]>

* copy enforce-readwriteonce-pod

Signed-off-by: Chandan-DK <[email protected]>

* convert enforce-readwriteonce-pod to cel

Signed-off-by: Chandan-DK <[email protected]>

* copy ensure-probes-different

Signed-off-by: Chandan-DK <[email protected]>

* convert ensure-probes-different to cel

Signed-off-by: Chandan-DK <[email protected]>

* copy forbid-cpu-limits

Signed-off-by: Chandan-DK <[email protected]>

* convert forbid-cpu-limits to cel

Signed-off-by: Chandan-DK <[email protected]>

* copy limit-containers-per-pod

Signed-off-by: Chandan-DK <[email protected]>

* convert limit-containers-per-pod to cel

Signed-off-by: Chandan-DK <[email protected]>

* copy pdb-maxunavailable

Signed-off-by: Chandan-DK <[email protected]>

* convert pdb-maxunavailable to cel

Signed-off-by: Chandan-DK <[email protected]>

* keep pdb-maxunavailable in a separate PR

Signed-off-by: Chandan-DK <[email protected]>

* copy imagepullpolicy-always

Signed-off-by: Chandan-DK <[email protected]>

* convert imagepullpolicy-always to cel

Signed-off-by: Chandan-DK <[email protected]>

* copy limit-hostpath-type-pv

Signed-off-by: Chandan-DK <[email protected]>

* convert limit-hostpath-type-pv to cel

Signed-off-by: Chandan-DK <[email protected]>

* copy ensure-readonly-hostpath

Signed-off-by: Chandan-DK <[email protected]>

* convert ensure-readonly-hostpath to cel

Signed-off-by: Chandan-DK <[email protected]>

* copy ingress-host-match-tls

Signed-off-by: Chandan-DK <[email protected]>

* convert ingress-host-match-tls to cel

Signed-off-by: Chandan-DK <[email protected]>

* rename files for clarity

Signed-off-by: Chandan-DK <[email protected]>

* add new lines at the end of files

Signed-off-by: Chandan-DK <[email protected]>

* update artifacthub-pkg.yml for enforce-readwriteonce-pod

Co-authored-by: Mariam Fahmy <[email protected]>
Signed-off-by: Chandan-DK <[email protected]>

---------

Signed-off-by: Chandan-DK <[email protected]>
Co-authored-by: Mariam Fahmy <[email protected]>
Co-authored-by: Mariam Fahmy <[email protected]>

.github/workflows/test.yml

@@ -47,15 +47,16 @@ jobs:
           - ^nginx-ingress$
           - ^openshift$
           - ^other$/^a
+          - ^other-cel$/^a
           - ^other$/^[b-d]
+          - ^other-cel$/^[b-d]
           - ^other$/^[e-l]
+          - ^other-cel$/^[e-l]
           - ^other$/^[m-q]
+          - ^other-cel$/^[m-q]
           - ^other$/^re[c-q]
           - ^other$/^res
           - ^other$/^[s-z]
-          - ^other-cel$/^a
-          - ^other-cel$/^[b-d]
-          - ^other-cel$/^[m-q]
           - ^pod-security$
           - ^pod-security-cel$
           - ^psa$

other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,39 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: enforce-pod-duration
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../enforce-pod-duration.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: pod-lifetime
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: policy-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: pods-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: pods-bad.yaml
+    - apply:
+        file: podcontrollers-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: podcontrollers-bad.yaml
+

other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml

@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+  name: baddeployment01
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  strategy: {}
+  template:
+    metadata:
+      annotations:
+        pod.kubernetes.io/lifetime: "8h5m"
+      labels:
+        app: busybox
+    spec:
+      containers:
+      - image: busybox:1.35
+        name: busybox
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: badcronjob01
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          annotations:
+            pod.kubernetes.io/lifetime: "8h5m"
+          labels:
+            app: busybox
+        spec:
+          containers:
+          - image: busybox:1.35
+            name: busybox
+          restartPolicy: OnFailure
+

other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml

@@ -0,0 +1,82 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+  name: gooddeployment01
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      containers:
+      - image: busybox:1.35
+        name: busybox
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+  name: gooddeployment02
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  strategy: {}
+  template:
+    metadata:
+      annotations:
+        pod.kubernetes.io/lifetime: "8h"
+      labels:
+        app: busybox
+    spec:
+      containers:
+      - image: busybox:1.35
+        name: busybox
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: goodcronjob01
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            app: busybox
+        spec:
+          containers:
+          - image: busybox:1.35
+            name: busybox
+          restartPolicy: OnFailure
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: goodcronjob02
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          annotations:
+            pod.kubernetes.io/lifetime: "5m"
+          labels:
+            app: busybox
+        spec:
+          containers:
+          - image: busybox:1.35
+            name: busybox
+          restartPolicy: OnFailure
+

other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    foo: bar
+    pod.kubernetes.io/lifetime: "8h1m"
+  name: badpod01
+spec:
+  containers:
+    - image: busybox:1.35
+      name: busybox
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    pod.kubernetes.io/lifetime: "24h"
+    foo: bar
+  name: badpod02
+spec:
+  containers:
+    - image: busybox:1.35
+      name: busybox
+

other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml

@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod01
+spec:
+  containers:
+    - image: busybox:1.35
+      name: busybox
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    foo: bar
+  name: goodpod02
+spec:
+  containers:
+    - image: busybox:1.35
+      name: busybox
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    foo: bar
+    pod.kubernetes.io/lifetime: "5m"
+  name: goodpod03
+spec:
+  containers:
+    - image: busybox:1.35
+      name: busybox
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    pod.kubernetes.io/lifetime: "8h"
+    foo: bar
+  name: goodpod04
+spec:
+  containers:
+    - image: busybox:1.35
+      name: busybox
+

other-cel/enforce-pod-duration/.chainsaw-test/policy-ready.yaml

@@ -0,0 +1,7 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: pod-lifetime
+status:
+  ready: true
+

other-cel/enforce-pod-duration/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,22 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: pod-lifetime
+policies:
+- ../enforce-pod-duration.yaml
+resources:
+- resources.yaml
+results:
+- kind: Pod
+  policy: pod-lifetime
+  resources:
+  - test-lifetime-fail
+  result: fail
+  rule: pods-lifetime
+- kind: Pod
+  policy: pod-lifetime
+  resources:
+  - test-lifetime-pass
+  result: pass
+  rule: pods-lifetime
+

other-cel/enforce-pod-duration/.kyverno-test/resources.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-lifetime-pass
+  namespace: test
+  annotations:
+    pod.kubernetes.io/lifetime: 4h
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.12
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-lifetime-fail
+  namespace: test
+  annotations:
+    pod.kubernetes.io/lifetime: 24h
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.12
+

other-cel/enforce-pod-duration/artifacthub-pkg.yml

@@ -0,0 +1,24 @@
+name: enforce-pod-duration-cel
+version: 1.0.0
+displayName: Enforce pod duration in CEL expressions
+description: >-
+  This validation is valuable when annotations are used to define durations, such as to ensure a Pod lifetime annotation does not exceed some site specific max threshold. Pod lifetime annotation can be no greater than 8 hours.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/enforce-pod-duration/enforce-pod-duration.yaml
+  ```
+keywords:
+  - kyverno
+  - Sample
+  - CEL Expressions
+readme: |
+  This validation is valuable when annotations are used to define durations, such as to ensure a Pod lifetime annotation does not exceed some site specific max threshold. Pod lifetime annotation can be no greater than 8 hours.
+  
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Sample in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
+  kyverno/subject: "Pod"
+digest: b2f1fec7c8b199024c813b1ddb3d52f27f889d082c0c94f4824c499cd6b278bb
+createdAt: "2024-03-30T18:18:11Z"
+

other-cel/enforce-pod-duration/enforce-pod-duration.yaml

@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: pod-lifetime
+  annotations:
+    policies.kyverno.io/title: Enforce pod duration in CEL expressions
+    policies.kyverno.io/category: Sample in CEL 
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      This validation is valuable when annotations are used to define durations,
+      such as to ensure a Pod lifetime annotation does not exceed some site specific max threshold.
+      Pod lifetime annotation can be no greater than 8 hours.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: pods-lifetime
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      cel:
+        variables:
+          - name: hasLifetimeAnnotation
+            expression: "has(object.metadata.annotations) && 'pod.kubernetes.io/lifetime' in object.metadata.annotations"
+          - name: lifetimeAnnotationValue
+            expression: "variables.hasLifetimeAnnotation ? object.metadata.annotations['pod.kubernetes.io/lifetime'] : '0s'"
+        expressions:
+          - expression: "!(duration(variables.lifetimeAnnotationValue) > duration('8h'))"
+            message: "Pod lifetime exceeds limit of 8h"
+

other-cel/enforce-readwriteonce-pod/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,22 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: enforce-readwriteonce-pod
+policies:
+- ../enforce-readwriteonce-pod.yaml
+resources:
+- resource.yaml
+results:
+- kind: PersistentVolumeClaim
+  policy: readwriteonce-pod
+  resources:
+  - badpvc
+  result: fail
+  rule: readwrite-pvc-single-pod
+- kind: PersistentVolumeClaim
+  policy: readwriteonce-pod
+  resources:
+  - goodpvc
+  result: pass
+  rule: readwrite-pvc-single-pod
+