From 9b9a0ac9b643d6b03cdfbee2f8d78e3e36011a13 Mon Sep 17 00:00:00 2001 From: Matt Bator Date: Wed, 10 Jul 2024 13:39:18 -0400 Subject: [PATCH 1/7] Replace k10-generate-gold-backup-policy ClusterPolicy (#998) * Add kasten-generate-example-backup-policy ClusterPolicy Signed-off-by: Matt Bator * Deprecate k10-generate-gold-backup-policy ClusterPolicy Signed-off-by: Matt Bator * Update kasten/kasten-generate-example-backup-policy/artifacthub-pkg.yml This must not exist. The line is only for the policy itself and not any supporting resources. Signed-off-by: Chip Zoller * Update kasten/kasten-generate-example-backup-policy/artifacthub-pkg.yml Don't need this per standards. Signed-off-by: Chip Zoller * Update kasten/kasten-generate-example-backup-policy/kasten-generate-example-backup-policy.yaml Co-authored-by: Chip Zoller Signed-off-by: Matt Bator * Add example ClusterRole to manifest comments, update hub manifest Signed-off-by: Matt Bator --------- Signed-off-by: Matt Bator Signed-off-by: Chip Zoller 
Signed-off-by: Matt Bator Co-authored-by: Chip Zoller --- .../chainsaw-step-01-apply-1.yaml | 17 ---- .../chainsaw-step-01-assert-1.yaml | 13 --- .../chainsaw-step-03-apply-1.yaml | 4 - .../chainsaw-step-03-apply-2.yaml | 4 - .../chainsaw-step-03-apply-3.yaml | 4 - .../chainsaw-step-03-apply-4.yaml | 4 - .../chainsaw-step-03-apply-5.yaml | 22 ----- .../chainsaw-step-03-apply-6.yaml | 25 ----- .../chainsaw-step-03-apply-7.yaml | 22 ----- .../chainsaw-step-03-apply-8.yaml | 25 ----- .../.chainsaw-test/chainsaw-test.yaml | 54 ----------- .../.chainsaw-test/generated-policy.yaml | 65 ------------- .../.chainsaw-test/not-generated-policy.yaml | 65 ------------- .../.chainsaw-test/policy-ready.yaml | 6 -- .../artifacthub-pkg.yml | 22 ----- .../k10-generate-gold-backup-policy.yaml | 63 ------------ .../.kyverno-test/generatedResource.yaml | 29 ++++++ .../.kyverno-test/kyverno-test.yaml | 17 ++++ .../.kyverno-test/test-resource.yaml | 23 +++++ .../.kyverno-test/test-values.yaml | 13 +++ .../artifacthub-pkg.yml | 20 ++++ ...kasten-generate-example-backup-policy.yaml | 97 +++++++++++++++++++ 22 files changed, 199 insertions(+), 415 deletions(-) delete mode 100755 kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-01-apply-1.yaml delete mode 100755 kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-01-assert-1.yaml delete mode 100755 kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-1.yaml delete mode 100755 kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-2.yaml delete mode 100755 kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-3.yaml delete mode 100755 kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-4.yaml delete mode 100755 kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-5.yaml delete mode 100755 kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-6.yaml delete mode 100755 
kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-7.yaml delete mode 100755 kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-8.yaml delete mode 100755 kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-test.yaml delete mode 100644 kasten/k10-generate-gold-backup-policy/.chainsaw-test/generated-policy.yaml delete mode 100644 kasten/k10-generate-gold-backup-policy/.chainsaw-test/not-generated-policy.yaml delete mode 100644 kasten/k10-generate-gold-backup-policy/.chainsaw-test/policy-ready.yaml delete mode 100644 kasten/k10-generate-gold-backup-policy/artifacthub-pkg.yml delete mode 100644 kasten/k10-generate-gold-backup-policy/k10-generate-gold-backup-policy.yaml create mode 100644 kasten/kasten-generate-example-backup-policy/.kyverno-test/generatedResource.yaml create mode 100644 kasten/kasten-generate-example-backup-policy/.kyverno-test/kyverno-test.yaml create mode 100644 kasten/kasten-generate-example-backup-policy/.kyverno-test/test-resource.yaml create mode 100644 kasten/kasten-generate-example-backup-policy/.kyverno-test/test-values.yaml create mode 100644 kasten/kasten-generate-example-backup-policy/artifacthub-pkg.yml create mode 100644 kasten/kasten-generate-example-backup-policy/kasten-generate-example-backup-policy.yaml diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-01-apply-1.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-01-apply-1.yaml deleted file mode 100755 index 1dc53ed2c..000000000 --- a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-01-apply-1.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: background-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - name: kyverno:background-controller:k10-goldbackuppolicy -rules: -- apiGroups: - - config.kio.kasten.io - resources: - - policies - verbs: - - create - - update - - delete diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-01-assert-1.yaml deleted file mode 100755 index d660e00cb..000000000 --- a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: policies.config.kio.kasten.io -spec: {} -status: - acceptedNames: - kind: Policy - listKind: PolicyList - plural: policies - singular: policy - storedVersions: - - v1alpha1 diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-1.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-1.yaml deleted file mode 100755 index caaef7d37..000000000 --- a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-1.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: k10-gp-ns01 diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-2.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-2.yaml deleted file mode 100755 index b6693353e..000000000 --- a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-2.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: k10-gp-ns02 
diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-3.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-3.yaml deleted file mode 100755 index b6924f910..000000000 --- a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-3.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: k10-gp-ns03 diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-4.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-4.yaml deleted file mode 100755 index 5a136cef6..000000000 --- a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-4.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: k10-gp-ns04 diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-5.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-5.yaml deleted file mode 100755 index 48123e7c6..000000000 --- a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-5.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - labels: - dataprotection: k10-goldpolicy - purpose: production - name: ss01 - namespace: k10-gp-ns01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - serviceName: busybox-ss - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: busybox:1.35 - name: busybox diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-6.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-6.yaml deleted file mode 100755 index 4ba469633..000000000 --- a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-6.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - dataprotection: k10-goldpolicy - purpose: production - name: deploy01 - namespace: k10-gp-ns02 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - command: - - sleep - - "3600" - image: busybox:1.35 - name: busybox diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-7.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-7.yaml deleted file mode 100755 index 68a62ce5f..000000000 --- a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-7.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - labels: - dataprotection: k10-simplepolicy - purpose: production - name: ss02 - namespace: k10-gp-ns03 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - serviceName: busybox-ss - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: busybox:1.35 - name: busybox diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-8.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-8.yaml deleted file mode 100755 index 716709323..000000000 --- a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-8.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - dataprotection: k10-simplepolicy - purpose: production - name: deploy02 - namespace: k10-gp-ns04 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - command: - - sleep - - "3600" - image: busybox:1.35 - name: busybox 
diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-test.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index b9680a0fb..000000000 --- a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,54 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: k10-generate-gold-backup-policy -spec: - steps: - - name: step-01 - try: - - apply: - file: chainsaw-step-01-apply-1.yaml - - assert: - file: chainsaw-step-01-assert-1.yaml - - name: step-02 - try: - - apply: - file: ../k10-generate-gold-backup-policy.yaml - - assert: - file: policy-ready.yaml - - name: step-03 - try: - - apply: - file: chainsaw-step-03-apply-1.yaml - - apply: - file: chainsaw-step-03-apply-2.yaml - - apply: - file: chainsaw-step-03-apply-3.yaml - - apply: - file: chainsaw-step-03-apply-4.yaml - - apply: - file: chainsaw-step-03-apply-5.yaml - - apply: - file: chainsaw-step-03-apply-6.yaml - - apply: - file: chainsaw-step-03-apply-7.yaml - - apply: - file: chainsaw-step-03-apply-8.yaml - - name: step-04 - try: - - assert: - file: generated-policy.yaml - - error: - file: not-generated-policy.yaml - - name: step-05 - try: - - script: - content: kubectl delete all --all --force --grace-period=0 -n k10-gp-ns01 - - script: - content: kubectl delete all --all --force --grace-period=0 -n k10-gp-ns02 - - script: - content: kubectl delete all --all --force --grace-period=0 -n k10-gp-ns03 - - script: - content: kubectl delete all --all --force --grace-period=0 -n k10-gp-ns04 diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/generated-policy.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/generated-policy.yaml deleted file mode 100644 index c6117fc62..000000000 
--- a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/generated-policy.yaml +++ /dev/null @@ -1,65 +0,0 @@ -apiVersion: config.kio.kasten.io/v1alpha1 -kind: Policy -metadata: - name: k10-k10-gp-ns01-gold-backup-policy - namespace: k10-gp-ns01 -spec: - actions: - - action: backup - - action: export - exportParameters: - exportData: - enabled: true - frequency: '@monthly' - profile: - name: object-lock-s3 - namespace: kasten-io - retention: - monthly: 12 - yearly: 5 - comment: K10 "gold" immutable production backup policy - frequency: '@daily' - retention: - daily: 7 - monthly: 12 - weekly: 4 - yearly: 7 - selector: - matchExpressions: - - key: k10.kasten.io/appNamespace - operator: In - values: - - k10-gp-ns01 ---- -apiVersion: config.kio.kasten.io/v1alpha1 -kind: Policy -metadata: - name: k10-k10-gp-ns02-gold-backup-policy - namespace: k10-gp-ns02 -spec: - actions: - - action: backup - - action: export - exportParameters: - exportData: - enabled: true - frequency: '@monthly' - profile: - name: object-lock-s3 - namespace: kasten-io - retention: - monthly: 12 - yearly: 5 - comment: K10 "gold" immutable production backup policy - frequency: '@daily' - retention: - daily: 7 - monthly: 12 - weekly: 4 - yearly: 7 - selector: - matchExpressions: - - key: k10.kasten.io/appNamespace - operator: In - values: - - k10-gp-ns02 \ No newline at end of file diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/not-generated-policy.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/not-generated-policy.yaml deleted file mode 100644 index 8077a9283..000000000 --- a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/not-generated-policy.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -apiVersion: config.kio.kasten.io/v1alpha1 -kind: Policy -metadata: - name: k10-k10-gp-ns03-gold-backup-policy - namespace: k10-gp-ns03 -spec: - actions: - - action: backup - - action: export - exportParameters: - exportData: - enabled: true - frequency: '@monthly' - profile: - name: object-lock-s3 - namespace: kasten-io - retention: - monthly: 12 - yearly: 5 - comment: K10 "gold" immutable production backup policy - frequency: '@daily' - retention: - daily: 7 - monthly: 12 - weekly: 4 - yearly: 7 - selector: - matchExpressions: - - key: k10.kasten.io/appNamespace - operator: In - values: - - k10-gp-ns03 ---- -apiVersion: config.kio.kasten.io/v1alpha1 -kind: Policy -metadata: - name: k10-k10-gp-ns04-gold-backup-policy - namespace: k10-gp-ns04 -spec: - actions: - - action: backup - - action: export - exportParameters: - exportData: - enabled: true - frequency: '@monthly' - profile: - name: object-lock-s3 - namespace: kasten-io - retention: - monthly: 12 - yearly: 5 - comment: K10 "gold" immutable production backup policy - frequency: '@daily' - retention: - daily: 7 - monthly: 12 - weekly: 4 - yearly: 7 - selector: - matchExpressions: - - key: k10.kasten.io/appNamespace - operator: In - values: - - k10-gp-ns04 diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/policy-ready.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index 47d9d5ff2..000000000 --- a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: k10-generate-gold-backup-policy -status: - ready: true \ No newline at end of file diff --git a/kasten/k10-generate-gold-backup-policy/artifacthub-pkg.yml b/kasten/k10-generate-gold-backup-policy/artifacthub-pkg.yml deleted file mode 100644 index 9e671e537..000000000 --- a/kasten/k10-generate-gold-backup-policy/artifacthub-pkg.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -name: k10-generate-gold-backup-policy -version: 1.0.0 -displayName: Generate Gold Backup Policy -createdAt: "2023-04-10T20:12:53.000Z" -description: >- - Generate a backup policy for any Deployment or StatefulSet that adds the labels "dataprotection: k10-goldpolicy" This policy works best to decide the data protection objectives and simply assign backup via application labels. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/k10-generate-gold-backup-policy/k10-generate-gold-backup-policy.yaml - ``` -keywords: - - kyverno - - Kasten K10 by Veeam -readme: | - Generate a backup policy for any Deployment or StatefulSet that adds the labels "dataprotection: k10-goldpolicy" This policy works best to decide the data protection objectives and simply assign backup via application labels. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Kasten K10 by Veeam" - kyverno/kubernetesVersion: "1.21-1.22" - kyverno/subject: "Policy" -digest: 9c12e7c601640434411e08b965b408cebd9862cb23760cac545a2a96741036b7 diff --git a/kasten/k10-generate-gold-backup-policy/k10-generate-gold-backup-policy.yaml b/kasten/k10-generate-gold-backup-policy/k10-generate-gold-backup-policy.yaml deleted file mode 100644 index f79d0b637..000000000 --- a/kasten/k10-generate-gold-backup-policy/k10-generate-gold-backup-policy.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: k10-generate-gold-backup-policy - annotations: - policies.kyverno.io/title: Generate Gold Backup Policy - policies.kyverno.io/category: Kasten K10 by Veeam - kyverno.io/kyverno-version: 1.6.2 - policies.kyverno.io/minversion: 1.6.2 - kyverno.io/kubernetes-version: "1.21-1.22" - policies.kyverno.io/subject: Policy - policies.kyverno.io/description: >- - Generate a backup policy for any Deployment or StatefulSet that adds the labels "dataprotection: k10-goldpolicy" - This policy works best to decide the data protection objectives and simply assign backup via application labels. -spec: - background: false - rules: - - name: k10-generate-gold-backup-policy - match: - any: - - resources: - kinds: - - Deployment - - StatefulSet - selector: - matchLabels: - dataprotection: k10-goldpolicy # match with a corresponding ClusterPolicy that checks for this label - generate: - apiVersion: config.kio.kasten.io/v1alpha1 - kind: Policy - name: k10-{{request.namespace}}-gold-backup-policy - namespace: "{{request.namespace}}" - data: - metadata: - name: k10-{{request.namespace}}-gold-backup-policy - namespace: "{{request.namespace}}" - spec: - comment: K10 "gold" immutable production backup policy - frequency: '@daily' - retention: - daily: 7 - weekly: 4 - monthly: 12 - yearly: 7 - actions: - - action: backup - - action: export - exportParameters: - frequency: '@monthly' - profile: - name: object-lock-s3 - namespace: kasten-io - exportData: - enabled: true - retention: - monthly: 12 - yearly: 5 - selector: - matchExpressions: - - key: k10.kasten.io/appNamespace - operator: In - values: - - "{{request.namespace}}" diff --git a/kasten/kasten-generate-example-backup-policy/.kyverno-test/generatedResource.yaml b/kasten/kasten-generate-example-backup-policy/.kyverno-test/generatedResource.yaml new file mode 100644 index 000000000..650b634e5 --- /dev/null 
+++ b/kasten/kasten-generate-example-backup-policy/.kyverno-test/generatedResource.yaml @@ -0,0 +1,29 @@ +apiVersion: config.kio.kasten.io/v1alpha1 +kind: Policy +metadata: + name: test-namespace-kasten-example-policy + namespace: kasten-io +spec: + comment: "Auto-generated by Kyverno" + frequency: '@daily' + retention: + daily: 7 + weekly: 4 + monthly: 12 + yearly: 7 + actions: + - action: backup + - action: export + exportParameters: + frequency: '@daily' + profile: + name: test + namespace: kasten-io + exportData: + enabled: true + selector: + matchExpressions: + - key: k10.kasten.io/appNamespace + operator: In + values: + - test-namespace \ No newline at end of file diff --git a/kasten/kasten-generate-example-backup-policy/.kyverno-test/kyverno-test.yaml b/kasten/kasten-generate-example-backup-policy/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..9d1cde8a9 --- /dev/null +++ b/kasten/kasten-generate-example-backup-policy/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,17 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kasten-generate-example-backup-policy-test +policies: +- ../kasten-generate-example-backup-policy.yaml +resources: +- test-resource.yaml +results: +- generatedResource: generatedResource.yaml + kind: Deployment + policy: kasten-generate-example-backup-policy + resources: + - test-deployment + result: pass + rule: kasten-generate-example-backup-policy +variables: test-values.yaml diff --git a/kasten/kasten-generate-example-backup-policy/.kyverno-test/test-resource.yaml b/kasten/kasten-generate-example-backup-policy/.kyverno-test/test-resource.yaml new file mode 100644 index 000000000..d25ce5dda --- /dev/null +++ b/kasten/kasten-generate-example-backup-policy/.kyverno-test/test-resource.yaml 
@@ -0,0 +1,23 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test-deployment + namespace: test-namespace + labels: + app: nginx + dataprotection: kasten-example +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 \ No newline at end of file diff --git a/kasten/kasten-generate-example-backup-policy/.kyverno-test/test-values.yaml b/kasten/kasten-generate-example-backup-policy/.kyverno-test/test-values.yaml new file mode 100644 index 000000000..2de482915 --- /dev/null +++ b/kasten/kasten-generate-example-backup-policy/.kyverno-test/test-values.yaml @@ -0,0 +1,13 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values +policies: +- name: kasten-generate-example-backup-policy + resources: + - name: test-variables + values: + request.namespace: test-namespace + dataprotectionLabelValue: kasten-example + rules: + - name: kasten-generate-example-backup-policy + values: + existingPolicy: 0 diff --git a/kasten/kasten-generate-example-backup-policy/artifacthub-pkg.yml b/kasten/kasten-generate-example-backup-policy/artifacthub-pkg.yml new file mode 100644 index 000000000..e6b52eefd --- /dev/null +++ b/kasten/kasten-generate-example-backup-policy/artifacthub-pkg.yml 
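Review bot: The resource-scoped values in test-values.yaml are attached to a resource named `test-variables`, but the only resource in test-resource.yaml is the Deployment `test-deployment`, so that entry presumably never matches anything. The test likely still passes because `request.namespace` comes from the Deployment's own `metadata.namespace`, `dataprotectionLabelValue` is fixed by the policy's `context`, and `existingPolicy: 0` is supplied at rule level. Either rename it to `- name: test-deployment` so the values are actually exercised, or drop the `resources:` entry so the fixture does not document values that have no effect.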
@@ -0,0 +1,20 @@ +name: kasten-generate-example-backup-policy +version: 1.0.1 +displayName: Generate Kasten Backup Policy Based on Resource Label +createdAt: "2023-05-07T00:00:00.000Z" +description: >- + Generates a Kasten policy for a namespace that includes any Deployment or StatefulSet with a "dataprotection=kasten-example" label, if the policy does not already exist. This Kyverno policy can be used in combination with the "kasten-data-protection-by-label" policy to require "dataprotection" labeling on workloads. NOTE: Use of this policy will require granting the Kyverno background-controller additional privileges required to generate Kasten resources. An example ClusterRole to provide required privileges is provided within the comments of the policy manifest. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/kasten-generate-example-backup-policy/kasten-generate-example-backup-policy.yaml + ``` +keywords: + - kyverno + - Veeam Kasten +readme: | + Generates a Kasten policy for a namespace that includes any Deployment or StatefulSet with a "dataprotection=kasten-example" label, if the policy does not already exist. This Kyverno policy can be used in combination with the "kasten-data-protection-by-label" policy to require "dataprotection" labeling on workloads. NOTE: Use of this policy will require granting the Kyverno background-controller additional privileges required to generate Kasten resources. An example ClusterRole to provide required privileges is provided within the comments of the policy manifest. +annotations: + kyverno/category: "Veeam Kasten" + kyverno/kubernetesVersion: "1.24-1.30" + kyverno/subject: "Policy" +digest: 74edc3942670ec20e8b9ab00db894e503071bcc4c2da12dca2a6e03a2b2f562a 
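Review bot: `createdAt: "2023-05-07T00:00:00.000Z"` predates this commit by more than a year and is the same value the sibling kasten-generate-policy-by-preset-label package carries, and `version: 1.0.1` is an odd starting point for a package that is new in this diff; both look copied from the template. Set `createdAt` to the date this policy was actually added and start at `version: 1.0.0`, since Artifact Hub surfaces these values directly.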
diff --git a/kasten/kasten-generate-example-backup-policy/kasten-generate-example-backup-policy.yaml b/kasten/kasten-generate-example-backup-policy/kasten-generate-example-backup-policy.yaml
new file mode 100644
index 000000000..995ed99f9
--- /dev/null
+++ b/kasten/kasten-generate-example-backup-policy/kasten-generate-example-backup-policy.yaml
@@ -0,0 +1,97 @@ +# This is an example rule intended to be cloned & modified to meet organizational requirements. +# The `dataprotetion` label value can be changed to correspond with specific policy templates. +# +# NOTE: Use of this policy will require granting the Kyverno background-controller additional privileges required to generate Kasten resources. An example ClusterRole to provide required privileges is provided within the comments of the policy manifest. +# +# apiVersion: rbac.authorization.k8s.io/v1 +# kind: ClusterRole +# metadata: +# labels: +# app.kubernetes.io/component: background-controller +# app.kubernetes.io/instance: kyverno +# app.kubernetes.io/part-of: kyverno +# name: kyverno:create-kasten-policies +# rules: +# - apiGroups: +# - config.kio.kasten.io +# resources: +# - policies +# verbs: +# - create +# - update +# - delete +# +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: kasten-generate-example-backup-policy + annotations: + policies.kyverno.io/title: Generate Kasten Backup Policy Based on Resource Label + policies.kyverno.io/category: Veeam Kasten + kyverno.io/kyverno-version: 1.12.1 + policies.kyverno.io/minversion: 1.12.0 + kyverno.io/kubernetes-version: "1.24-1.30" + policies.kyverno.io/subject: Policy + policies.kyverno.io/description: >- + Generates a Kasten policy for a namespace that includes any Deployment or StatefulSet with a "dataprotection=kasten-example" label, if the policy does not already exist. This Kyverno policy can be used in combination with the "kasten-data-protection-by-label" policy to require "dataprotection" labeling on workloads. 
+spec: + rules: + - name: kasten-generate-example-backup-policy + match: + any: + - resources: + kinds: + - Deployment + - StatefulSet + selector: + matchLabels: + dataprotection: kasten-example + context: + - name: dataprotectionLabelValue + variable: + value: "kasten-example" + - name: kyvernoPolicyName + variable: + value: "kasten-generate-example-backup-policy" + - name: existingPolicy + apiCall: + urlPath: "/apis/config.kio.kasten.io/v1alpha1/namespaces/kasten-io/policies" # returns list of Kasten policies from kasten-io namespace + jmesPath: "items[][[@.metadata.labels.\"generate.kyverno.io/policy-name\"=='{{ kyvernoPolicyName }}'] && [@.spec.selector.matchExpressions[].values[?@=='{{ request.namespace }}']]][][][][] | length(@)" # queries if a Kasten policy protecting the namespace generated by this Kyverno policy already exists + preconditions: + any: + - key: "{{ existingPolicy }}" + operator: Equals + value: 0 # Only generate the policy if it does not already exist + generate: + apiVersion: config.kio.kasten.io/v1alpha1 + kind: Policy + name: "{{ request.namespace }}-{{ dataprotectionLabelValue }}-policy" + namespace: kasten-io + data: + metadata: + name: "{{ request.namespace }}-{{ dataprotectionLabelValue }}-policy" + namespace: kasten-io + spec: + comment: "Auto-generated by Kyverno" + frequency: '@daily' + retention: + daily: 7 + weekly: 4 + monthly: 12 + yearly: 7 + actions: + - action: backup + - action: export + exportParameters: + frequency: '@daily' + profile: + name: test + namespace: kasten-io + exportData: + enabled: true + selector: + matchExpressions: + - key: k10.kasten.io/appNamespace + operator: In + values: + - "{{ request.namespace }}" From ff0b4d26cddb80a27b07f8c9cff372995fc796f2 Mon Sep 17 00:00:00 2001 
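Review bot: The context `apiCall` lists `/apis/config.kio.kasten.io/v1alpha1/namespaces/kasten-io/policies`, but the example ClusterRole in the header comment only grants `create`, `update` and `delete` on `policies`; unless the controller evaluating the rule already has `list` on that group from its default roles, the lookup fails instead of returning 0 and nothing is generated, so the example should also carry `- get` and `- list` (or the NOTE should say where that read access comes from). The header line `# The `dataprotetion` label value can be changed` misspells `dataprotection`, and changing the value actually requires editing two independent literals, `matchLabels.dataprotection` and the `dataprotectionLabelValue` context variable. Deriving the variable as `value: "{{ request.object.metadata.labels.dataprotection }}"` would leave a single source of truth; confirm it resolves in both admission and background evaluation before switching.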
From: Jay Prasad <70968485+Jay179-sudo@users.noreply.github.com> Date: Sun, 14 Jul 2024 19:30:22 +0530 Subject: [PATCH 2/7] [Chainsaw Tests] Add Chainsaw test for Bare Pods (#1057) * Added chainsaw tests for bare pods. Created a test pod and the corresponding clusterrole definition for the test Signed-off-by: Jay179-sudo * Reduced scheduled time from five minutes to one Signed-off-by: Jay179-sudo * Created a separate test policy referenced by the chainsaw test. Undid changes to the original policy Signed-off-by: Jay179-sudo * Update cleanup/cleanup-bare-pods/clusterrole.yaml Signed-off-by: Chip Zoller * Update cleanup/cleanup-bare-pods/clusterrole.yaml Signed-off-by: Chip Zoller * Cleaned up and moved the clusterrole file. Applied a patch to reduce scheduled time Signed-off-by: Jay179-sudo * fixed file name to cluster-role Signed-off-by: Jay179-sudo * minor fix Signed-off-by: Jay179-sudo --------- Signed-off-by: Jay179-sudo Signed-off-by: Chip Zoller Co-authored-by: Chip Zoller --- .../chainsaw-step-02-assert-1.yaml | 4 ++ .../.chainsaw-test/chainsaw-test.yaml | 38 +++++++++++++++++++ .../.chainsaw-test/cluster-role.yaml | 20 ++++++++++ .../cleanup-bare-pods/.chainsaw-test/pod.yaml | 8 ++++ 4 files changed, 70 insertions(+) create mode 100644 cleanup/cleanup-bare-pods/.chainsaw-test/chainsaw-step-02-assert-1.yaml create mode 100644 cleanup/cleanup-bare-pods/.chainsaw-test/chainsaw-test.yaml create mode 100644 cleanup/cleanup-bare-pods/.chainsaw-test/cluster-role.yaml create mode 100644 cleanup/cleanup-bare-pods/.chainsaw-test/pod.yaml diff --git a/cleanup/cleanup-bare-pods/.chainsaw-test/chainsaw-step-02-assert-1.yaml b/cleanup/cleanup-bare-pods/.chainsaw-test/chainsaw-step-02-assert-1.yaml new file mode 100644 index 000000000..f0fe23d34 --- /dev/null +++ b/cleanup/cleanup-bare-pods/.chainsaw-test/chainsaw-step-02-assert-1.yaml @@ -0,0 +1,4 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterCleanupPolicy +metadata: + name: clean-bare-pods 
diff --git a/cleanup/cleanup-bare-pods/.chainsaw-test/chainsaw-test.yaml b/cleanup/cleanup-bare-pods/.chainsaw-test/chainsaw-test.yaml new file mode 100644 index 000000000..d9cf0944a --- /dev/null +++ b/cleanup/cleanup-bare-pods/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,38 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: cleanup-bare-pods +spec: + steps: + - name: apply cluster role + try: + - apply: + file: cluster-role.yaml + - name: create a bare pod + try: + - apply: + file: pod.yaml + - assert: + file: pod.yaml + - name: apply cleanup policy + try: + - apply: + file: ../cleanup-bare-pods.yaml + - patch: + resource: + apiVersion: kyverno.io/v2beta1 + kind: ClusterCleanupPolicy + metadata: + name: clean-bare-pods + spec: + schedule: "*/1 * * * *" + - assert: + file: chainsaw-step-02-assert-1.yaml + - name: wait for scheduled deletion + try: + - sleep: + duration: 1m30s + - name: check for bare pod + try: + - error: + file: pod.yaml \ No newline at end of file diff --git a/cleanup/cleanup-bare-pods/.chainsaw-test/cluster-role.yaml b/cleanup/cleanup-bare-pods/.chainsaw-test/cluster-role.yaml new file mode 100644 index 000000000..6e5bdaf66 --- /dev/null +++ b/cleanup/cleanup-bare-pods/.chainsaw-test/cluster-role.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + namespace: kyverno + labels: + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + name: kyverno:cleanup-controller:barepods +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - delete + diff --git a/cleanup/cleanup-bare-pods/.chainsaw-test/pod.yaml b/cleanup/cleanup-bare-pods/.chainsaw-test/pod.yaml new file mode 100644 index 000000000..966df958a --- /dev/null +++ b/cleanup/cleanup-bare-pods/.chainsaw-test/pod.yaml 
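Review bot: The `wait for scheduled deletion` step uses a fixed `sleep` of 1m30s followed by a single `error` check, which both slows the suite and stays timing-dependent on when the cleanup controller fires the `*/1 * * * *` schedule. `error` already polls until the resource is gone or its timeout expires, so the sleep step can be dropped and the final step given `timeouts: error: 2m` to wait for the deletion instead of assuming it has happened. The schedule override could also live in a test copy of the policy rather than a runtime `patch`, but that is a matter of taste.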
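Review bot: `metadata.namespace: kyverno` on the ClusterRole in cluster-role.yaml has no effect, since ClusterRole is cluster-scoped; the API server clears the field on create and some tooling warns about it, so it should be removed so readers do not assume the grant is limited to the kyverno namespace. The rule gives the cleanup controller `delete` on every Pod in the cluster, which is what the policy under test needs, but the file also ends with an empty added line that yamllint will flag. A short comment such as `# Aggregated into the cleanup-controller role via the component label; grants cluster-wide pod deletion required by the policy under test` would explain why the labels matter.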
@@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bare-pod +spec: + containers: + - name: nginx + image: nginx:1.14.1 From 501047bba4395ecd6edea01819e98001f0548b88 Mon Sep 17 00:00:00 2001 From: Matt Bator Date: Sun, 14 Jul 2024 10:42:12 -0400 Subject: [PATCH 3/7] Added example ClusterRole privileges and updated hub manifest (#1070) Signed-off-by: Matt Bator Co-authored-by: Chip Zoller --- .../artifacthub-pkg.yml | 10 ++----- ...asten-generate-policy-by-preset-label.yaml | 28 ++++++++++++++----- 2 files changed, 24 insertions(+), 14 deletions(-) diff --git a/kasten/kasten-generate-policy-by-preset-label/artifacthub-pkg.yml b/kasten/kasten-generate-policy-by-preset-label/artifacthub-pkg.yml index 43e1aa102..31a33aab8 100644 --- a/kasten/kasten-generate-policy-by-preset-label/artifacthub-pkg.yml +++ b/kasten/kasten-generate-policy-by-preset-label/artifacthub-pkg.yml @@ -3,9 +3,7 @@ version: 1.0.1 displayName: Generate Kasten Policy from Preset createdAt: "2023-05-07T00:00:00.000Z" description: >- - Generates a Kasten policy for a new namespace that includes a valid "dataprotection" label, if the policy does not already exist. - - Use with "kasten-validate-ns-by-preset-label" policy to require "dataprotection" labeling on new namespaces. + Generates a Kasten policy for a new namespace that includes a valid "dataprotection" label, if the policy does not already exist. This Kyverno policy can be used in combination with the "kasten-validate-ns-by-preset-label" policy to require "dataprotection" labeling on new namespaces. NOTE: Use of this policy will require granting the Kyverno background-controller additional privileges required to generate Kasten resources. An example ClusterRole to provide required privileges is provided within the comments of the policy manifest. install: |- ```shell kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label.yaml 
@@ -14,11 +12,9 @@ keywords: - kyverno - Veeam Kasten readme: | - Generates a Kasten policy for a new namespace that includes a valid "dataprotection" label, if the policy does not already exist. - Use with "kasten-validate-ns-by-preset-label" policy to require "dataprotection" labeling on new namespaces. - + Generates a Kasten policy for a new namespace that includes a valid "dataprotection" label, if the policy does not already exist. This Kyverno policy can be used in combination with the "kasten-validate-ns-by-preset-label" policy to require "dataprotection" labeling on new namespaces. NOTE: Use of this policy will require granting the Kyverno background-controller additional privileges required to generate Kasten resources. An example ClusterRole to provide required privileges is provided within the comments of the policy manifest. annotations: kyverno/category: "Veeam Kasten" kyverno/kubernetesVersion: "1.24-1.30" kyverno/subject: "Policy" -digest: bd6c752cc28abd28792b579956bdddc69864ab0ffae4dd95b3d47de6977b0aae +digest: cddabf7614a6122728cf0f862013266ddb5731eb45fcaa41d6cb243e9881aad7 diff --git a/kasten/kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label.yaml b/kasten/kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label.yaml index 8d8da97b6..f7aabe6e3 100644 --- a/kasten/kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label.yaml +++ b/kasten/kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label.yaml 
@@ -1,11 +1,25 @@ -# This example assumes that Kasten policy presets named -# "gold", "silver", and "bronze" have been pre-created -# and Kasten was deployed into the `kasten-io` namespace. +# This example assumes that Kasten policy presets named "gold", "silver", and "bronze" have been pre-created and Kasten was deployed into the `kasten-io` namespace. +# +# NOTE: Use of this policy will require granting the Kyverno background-controller additional privileges required to generate Kasten resources. An example ClusterRole to provide required privileges is provided within the comments of the policy manifest. +# +# apiVersion: rbac.authorization.k8s.io/v1 +# kind: ClusterRole +# metadata: +# labels: +# app.kubernetes.io/component: background-controller +# app.kubernetes.io/instance: kyverno +# app.kubernetes.io/part-of: kyverno +# name: kyverno:create-kasten-policies +# rules: +# - apiGroups: +# - config.kio.kasten.io +# resources: +# - policies +# verbs: +# - create +# - update +# - delete # -# Additionally, the Kyverno background controller requires -# additional permissions to create Kasten Policy resources. -# Apply the create-kasten-policies-clusterrole.yaml manifest -# first to grant the required permissions. apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: From 832d8a44ee3675f47474b1f0425d49557387b0de Mon Sep 17 00:00:00 2001 From: jayme-github Date: Sun, 14 Jul 2024 16:58:14 +0200 Subject: [PATCH 4/7] Remove hardcoded test namespace from restrict-volume-types tests (#1075) pod-secuity policies used to hardcode the test namespace as restrict-voltypes-ns to be able to properly delete test resources. This change removes the need to hardcode the namespace name by using the build in namespace binding. 
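Review bot: The NOTE in the new header comment says the example ClusterRole "is provided within the comments of the policy manifest", but the reader is already inside that manifest; the sentence was lifted from artifacthub-pkg.yml and should point at the block that follows, e.g. `# NOTE: Kyverno's background-controller needs extra privileges to generate Kasten Policy resources; the example ClusterRole below grants them.` The example grants create, update and delete on `config.kio.kasten.io` policies cluster-wide and appears to attach to Kyverno only through the `app.kubernetes.io/component: background-controller` label (presumably role aggregation), so a one-line comment saying that the labels are what make it take effect, and that `delete` is only needed if the generate rule synchronizes, would let operators trim the grant; the rule itself is outside this hunk. The first comment line is also well over 120 characters where the removed version was wrapped.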
Signed-off-by: jayme-github Co-authored-by: Chip Zoller --- .../.chainsaw-test/chainsaw-test.yaml | 7 ++++--- .../restrict-volume-types/.chainsaw-test/ns.yaml | 4 ---- .../.chainsaw-test/pod-good.yaml | 9 --------- .../.chainsaw-test/podcontroller-good.yaml | 15 --------------- .../.chainsaw-test/chainsaw-test.yaml | 7 ++++--- .../restrict-volume-types/.chainsaw-test/ns.yaml | 4 ---- .../.chainsaw-test/pod-good.yaml | 9 --------- .../.chainsaw-test/podcontroller-good.yaml | 15 --------------- 8 files changed, 8 insertions(+), 62 deletions(-) delete mode 100644 pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/ns.yaml delete mode 100644 pod-security/restricted/restrict-volume-types/.chainsaw-test/ns.yaml diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml index a1f934ab1..8c6194e7f 100755 --- a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml @@ -10,8 +10,6 @@ spec: steps: - name: step-01 try: - - apply: - file: ns.yaml - apply: file: ../restrict-volume-types.yaml - patch: @@ -43,5 +41,8 @@ spec: - name: step-99 try: - script: - content: kubectl delete all --all --force --grace-period=0 -n restrict-voltypes-ns + env: + - name: NAMESPACE + value: $namespace + content: kubectl delete all --all --force --grace-period=0 -n $NAMESPACE diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/ns.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/ns.yaml deleted file mode 100644 index 9cde8be39..000000000 --- a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/ns.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: restrict-voltypes-ns \ No newline at end of file 
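Review bot: Nothing in step-99 guards `$NAMESPACE` being empty; today an empty unquoted expansion happens to leave kubectl with a bare `-n`, which it rejects, but that is an accident of word splitting, and anyone who later quotes it as `"$NAMESPACE"` turns a forced `delete all --all` into one against the context's current namespace. Make the guard explicit: `content: kubectl delete all --all --force --grace-period=0 -n "${NAMESPACE:?NAMESPACE is not set}"`. The identical line is added in the pod-security variant's chainsaw-test.yaml hunk further down. Since chainsaw now owns the namespace, this step may also be redundant with its own cleanup; if it stays, a comment saying why `--force --grace-period=0` is still needed would help.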
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml index a12d37f25..4ea15fd1d 100644 --- a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml +++ b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml @@ -1,7 +1,6 @@ apiVersion: v1 kind: Pod metadata: - namespace: restrict-voltypes-ns name: goodpod01 spec: containers: @@ -11,7 +10,6 @@ spec: apiVersion: v1 kind: Pod metadata: - namespace: restrict-voltypes-ns name: goodpod02 spec: containers: @@ -27,7 +25,6 @@ spec: apiVersion: v1 kind: Pod metadata: - namespace: restrict-voltypes-ns name: goodpod03 spec: containers: @@ -44,7 +41,6 @@ spec: apiVersion: v1 kind: Pod metadata: - namespace: restrict-voltypes-ns name: goodpod04 spec: containers: @@ -63,7 +59,6 @@ spec: apiVersion: v1 kind: Pod metadata: - namespace: restrict-voltypes-ns name: goodpod05 labels: foo: bar @@ -85,7 +80,6 @@ spec: apiVersion: v1 kind: Pod metadata: - namespace: restrict-voltypes-ns name: goodpod06 spec: containers: @@ -111,7 +105,6 @@ spec: apiVersion: v1 kind: Pod metadata: - namespace: restrict-voltypes-ns name: goodpod07 spec: containers: @@ -129,7 +122,6 @@ spec: apiVersion: v1 kind: Pod metadata: - namespace: restrict-voltypes-ns name: goodpod08 spec: containers: @@ -150,7 +142,6 @@ spec: apiVersion: v1 kind: Pod metadata: - namespace: restrict-voltypes-ns name: goodpod09 spec: containers: diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml index 45378d1e6..26c344b15 100644 --- a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml +++ b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml 
@@ -1,7 +1,6 @@ apiVersion: apps/v1 kind: Deployment metadata: - namespace: restrict-voltypes-ns name: gooddeployment01 spec: replicas: 1 @@ -20,7 +19,6 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - namespace: restrict-voltypes-ns name: gooddeployment02 spec: replicas: 1 @@ -45,7 +43,6 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - namespace: restrict-voltypes-ns name: gooddeployment05 spec: replicas: 1 @@ -75,7 +72,6 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - namespace: restrict-voltypes-ns name: gooddeployment06 spec: replicas: 1 @@ -110,7 +106,6 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - namespace: restrict-voltypes-ns name: gooddeployment07 spec: replicas: 1 @@ -137,7 +132,6 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - namespace: restrict-voltypes-ns name: gooddeployment08 spec: replicas: 1 @@ -167,7 +161,6 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: - namespace: restrict-voltypes-ns name: goodcronjob01 spec: schedule: "*/1 * * * *" @@ -183,7 +176,6 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: - namespace: restrict-voltypes-ns name: goodcronjob02 spec: schedule: "*/1 * * * *" @@ -205,7 +197,6 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: - namespace: restrict-voltypes-ns name: goodcronjob03 spec: schedule: "*/1 * * * *" @@ -228,7 +219,6 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: - namespace: restrict-voltypes-ns name: goodcronjob04 spec: schedule: "*/1 * * * *" @@ -253,7 +243,6 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: - namespace: restrict-voltypes-ns name: goodcronjob05 spec: schedule: "*/1 * * * *" @@ -282,7 +271,6 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: - namespace: restrict-voltypes-ns name: goodcronjob06 spec: schedule: "*/1 * * * *" @@ -314,7 +302,6 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: - namespace: restrict-voltypes-ns name: goodcronjob07 spec: schedule: "*/1 * * * *" 
@@ -338,7 +325,6 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: - namespace: restrict-voltypes-ns name: goodcronjob08 spec: schedule: "*/1 * * * *" @@ -365,7 +351,6 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: - namespace: restrict-voltypes-ns name: goodcronjob09 spec: schedule: "*/1 * * * *" diff --git a/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml index 7d2604bfd..005d759b7 100755 --- a/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml @@ -8,8 +8,6 @@ spec: steps: - name: step-01 try: - - apply: - file: ns.yaml - apply: file: ../restrict-volume-types.yaml - patch: @@ -41,5 +39,8 @@ spec: - name: step-99 try: - script: - content: kubectl delete all --all --force --grace-period=0 -n restrict-voltypes-ns + env: + - name: NAMESPACE + value: $namespace + content: kubectl delete all --all --force --grace-period=0 -n $NAMESPACE diff --git a/pod-security/restricted/restrict-volume-types/.chainsaw-test/ns.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/ns.yaml deleted file mode 100644 index 9cde8be39..000000000 --- a/pod-security/restricted/restrict-volume-types/.chainsaw-test/ns.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: restrict-voltypes-ns \ No newline at end of file diff --git a/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml index a12d37f25..4ea15fd1d 100644 --- a/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml +++ b/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml @@ -1,7 +1,6 @@ apiVersion: v1 kind: Pod metadata: - namespace: restrict-voltypes-ns name: goodpod01 spec: containers: 
@@ -11,7 +10,6 @@ spec: apiVersion: v1 kind: Pod metadata: - namespace: restrict-voltypes-ns name: goodpod02 spec: containers: @@ -27,7 +25,6 @@ spec: apiVersion: v1 kind: Pod metadata: - namespace: restrict-voltypes-ns name: goodpod03 spec: containers: @@ -44,7 +41,6 @@ spec: apiVersion: v1 kind: Pod metadata: - namespace: restrict-voltypes-ns name: goodpod04 spec: containers: @@ -63,7 +59,6 @@ spec: apiVersion: v1 kind: Pod metadata: - namespace: restrict-voltypes-ns name: goodpod05 labels: foo: bar @@ -85,7 +80,6 @@ spec: apiVersion: v1 kind: Pod metadata: - namespace: restrict-voltypes-ns name: goodpod06 spec: containers: @@ -111,7 +105,6 @@ spec: apiVersion: v1 kind: Pod metadata: - namespace: restrict-voltypes-ns name: goodpod07 spec: containers: @@ -129,7 +122,6 @@ spec: apiVersion: v1 kind: Pod metadata: - namespace: restrict-voltypes-ns name: goodpod08 spec: containers: @@ -150,7 +142,6 @@ spec: apiVersion: v1 kind: Pod metadata: - namespace: restrict-voltypes-ns name: goodpod09 spec: containers: diff --git a/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml index 45378d1e6..26c344b15 100644 --- a/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml +++ b/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml @@ -1,7 +1,6 @@ apiVersion: apps/v1 kind: Deployment metadata: - namespace: restrict-voltypes-ns name: gooddeployment01 spec: replicas: 1 @@ -20,7 +19,6 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - namespace: restrict-voltypes-ns name: gooddeployment02 spec: replicas: 1 @@ -45,7 +43,6 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - namespace: restrict-voltypes-ns name: gooddeployment05 spec: replicas: 1 @@ -75,7 +72,6 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - namespace: restrict-voltypes-ns name: gooddeployment06 spec: replicas: 1 
@@ -110,7 +106,6 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - namespace: restrict-voltypes-ns name: gooddeployment07 spec: replicas: 1 @@ -137,7 +132,6 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - namespace: restrict-voltypes-ns name: gooddeployment08 spec: replicas: 1 @@ -167,7 +161,6 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: - namespace: restrict-voltypes-ns name: goodcronjob01 spec: schedule: "*/1 * * * *" @@ -183,7 +176,6 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: - namespace: restrict-voltypes-ns name: goodcronjob02 spec: schedule: "*/1 * * * *" @@ -205,7 +197,6 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: - namespace: restrict-voltypes-ns name: goodcronjob03 spec: schedule: "*/1 * * * *" @@ -228,7 +219,6 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: - namespace: restrict-voltypes-ns name: goodcronjob04 spec: schedule: "*/1 * * * *" @@ -253,7 +243,6 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: - namespace: restrict-voltypes-ns name: goodcronjob05 spec: schedule: "*/1 * * * *" @@ -282,7 +271,6 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: - namespace: restrict-voltypes-ns name: goodcronjob06 spec: schedule: "*/1 * * * *" @@ -314,7 +302,6 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: - namespace: restrict-voltypes-ns name: goodcronjob07 spec: schedule: "*/1 * * * *" @@ -338,7 +325,6 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: - namespace: restrict-voltypes-ns name: goodcronjob08 spec: schedule: "*/1 * * * *" @@ -365,7 +351,6 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: - namespace: restrict-voltypes-ns name: goodcronjob09 spec: schedule: "*/1 * * * *" From 6ccc290ee385f2bb8551d834f49903b16b4f89f9 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 14 Jul 2024 14:59:34 +0000 Subject: [PATCH 5/7] build(deps): Bump actions/setup-go from 5.0.1 to 5.0.2 (#1074) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.0.1 to 5.0.2. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/cdcb36043654635271a94b9a6d1392de5bb323a7...0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/test.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f895d97ee..056dd9607 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -47,7 +47,7 @@ jobs: # The target branch of a pull request or the branch/tag of a push ref: ${{ github.base_ref || github.ref_name }} - name: Set up Go - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: ~1.21.1 - name: Test Policy @@ -69,7 +69,7 @@ jobs: # The target branch of a pull request or the branch/tag of a push ref: ${{ github.base_ref || github.ref_name }} - name: Set up Go - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: ~1.21.1 - name: Lint policies diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 125b89a06..e6ef34fba 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -82,7 +82,7 @@ jobs: - name: Checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Setup Go - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: ~1.21.1 - name: Install Tools From 2efa80628115e0a4f24a990d7d6473f47c59fd7c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 14 Jul 2024 15:00:59 +0000 Subject: [PATCH 6/7] build(deps): Bump kyverno/action-install-chainsaw from 0.2.4 to 0.2.6 (#1072) Bumps [kyverno/action-install-chainsaw](https://github.com/kyverno/action-install-chainsaw) from 0.2.4 to 0.2.6. - [Release notes](https://github.com/kyverno/action-install-chainsaw/releases) - [Commits](https://github.com/kyverno/action-install-chainsaw/compare/dd64b5d7b2b7d36fdf701d48ac8b216aa94414db...5d00c353f61f44f3b492c673420202d1b1374c3f) --- updated-dependencies: - dependency-name: kyverno/action-install-chainsaw dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e6ef34fba..6de6c7276 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -119,7 +119,7 @@ jobs: set -e kubectl apply -f ./.chainsaw/crds - name: Install Chainsaw - uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4 + uses: kyverno/action-install-chainsaw@5d00c353f61f44f3b492c673420202d1b1374c3f # v0.2.6 - name: Test with Chainsaw env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 7cff98b0868b7b36233803ac8443ac4dee90ab4f Mon Sep 17 00:00:00 2001 
From: jayme-github Date: Sun, 14 Jul 2024 19:24:07 +0200 Subject: [PATCH 7/7] Add chainsaw tests for pod-security disallow-proc-mount (#1076) Based on the kyverno test resources, this adds chainsaw tests for the pod-security and pod-security-cel policy disallow-proc-mount.
Signed-off-by: jayme-github Co-authored-by: Chip Zoller --- .github/kind.yml | 2 + .../.chainsaw-test/chainsaw-test.yaml | 40 +++ .../.chainsaw-test/pod-bad.yaml | 73 ++++++ .../.chainsaw-test/pod-good.yaml | 78 ++++++ .../.chainsaw-test/podcontroller-bad.yaml | 220 ++++++++++++++++ .../.chainsaw-test/podcontroller-good.yaml | 245 ++++++++++++++++++ .../.chainsaw-test/policy-ready.yaml | 6 + .../.chainsaw-test/chainsaw-test.yaml | 40 +++ .../.chainsaw-test/pod-bad.yaml | 73 ++++++ .../.chainsaw-test/pod-good.yaml | 78 ++++++ .../.chainsaw-test/podcontroller-bad.yaml | 220 ++++++++++++++++ .../.chainsaw-test/podcontroller-good.yaml | 245 ++++++++++++++++++ .../.chainsaw-test/policy-ready.yaml | 6 + 13 files changed, 1326 insertions(+) create mode 100755 pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-test.yaml create mode 100644 pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/pod-bad.yaml create mode 100644 pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/pod-good.yaml create mode 100644 pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-bad.yaml create mode 100644 pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-good.yaml create mode 100755 pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml create mode 100755 pod-security/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-test.yaml create mode 100644 pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-bad.yaml create mode 100644 pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-good.yaml create mode 100644 pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-bad.yaml create mode 100644 pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-good.yaml create mode 100755 pod-security/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml diff --git a/.github/kind.yml b/.github/kind.yml index 9438061e5..1f6e2eee6 100644 
--- a/.github/kind.yml +++ b/.github/kind.yml @@ -1,5 +1,7 @@ kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 +featureGates: + ProcMountType: true kubeadmConfigPatches: - |- kind: ClusterConfiguration diff --git a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..04baf8fe0 --- /dev/null +++ b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,40 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-proc-mount +spec: + # disable templating because it can cause issues with CEL expressions + template: false + steps: + - name: step-01 + try: + - apply: + file: ../disallow-proc-mount.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: disallow-proc-mount + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml diff --git a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/pod-bad.yaml new file mode 100644 index 000000000..623c582d3 --- /dev/null +++ b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/pod-bad.yaml 
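Review bot: The new `ProcMountType: true` feature gate in .github/kind.yml has no comment explaining why the CI cluster needs it, and nothing ties it to the disallow-proc-mount tests added in the same commit. Presumably without the gate the API server drops `securityContext.procMount` from the bad fixtures, so they would be admitted and the `($error != null)` expectations in both chainsaw-test.yaml files would fail; I would add `# ProcMountType: keeps procMount: Unmasked in the object so the disallow-proc-mount tests exercise the policy, not API field pruning` above the gate. Enabling it also means any Pod on the kind cluster may request an unmasked /proc, which is acceptable for a throwaway CI cluster but worth stating next to the gate.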
@@ -0,0 +1,73 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Unmasked +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename + securityContext: + procMount: Unmasked +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Unmasked +--- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/pod-good.yaml new file mode 100644 index 000000000..747d648e2 --- /dev/null +++ b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/pod-good.yaml 
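Review bot: Every new fixture in this commit (pod-bad.yaml, pod-good.yaml, podcontroller-bad.yaml and podcontroller-good.yaml under both pod-security and pod-security-cel) ends with a trailing `---` and no final newline, so each file closes with an empty document; the Kubernetes YAML decoder tolerates it, but yamllint's new-line-at-end-of-file check does not, and the fixtures in the earlier hunks of this series (cleanup-bare-pods, restrict-volume-types) do not use a trailing separator. Drop the final `---` and end each file with a newline.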
@@ -0,0 +1,78 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Default +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename + securityContext: + procMount: Default +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + securityContext: + procMount: Default + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + securityContext: + procMount: Default + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Default +--- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-bad.yaml new file mode 100644 index 000000000..b719c34b3 --- /dev/null +++ b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-bad.yaml 
@@ -0,0 +1,220 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Unmasked +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename + securityContext: + procMount: Unmasked +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Unmasked +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: 
+ template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Unmasked +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename + securityContext: + procMount: Unmasked +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: dummyimagename + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Unmasked +--- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-good.yaml new file mode 100644 index 000000000..83e0d5aac --- /dev/null 
+++ b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-good.yaml 
@@ -0,0 +1,245 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Default +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename + securityContext: + procMount: Default +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + securityContext: + procMount: Default + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + securityContext: + procMount: Default + - name: initcontainer02 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename + 
securityContext: + procMount: Default +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Default +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename + securityContext: + procMount: Default +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: dummyimagename + securityContext: + procMount: Default + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + securityContext: + procMount: Default + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Default +--- \ No newline at end of file 
diff --git a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml
new file mode 100755
index 000000000..87ef3bbcb
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-proc-mount
+status:
+ ready: true
diff --git a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..04baf8fe0
--- /dev/null
+++ b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,40 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-proc-mount
+spec:
+ # disable templating because it can cause issues with CEL expressions
+ template: false
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../disallow-proc-mount.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: disallow-proc-mount
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - apply:
+ file: podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontroller-bad.yaml
diff --git a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-bad.yaml
new file mode 100644
index 000000000..623c582d3
--- /dev/null
+++ b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-bad.yaml
@@ -0,0 +1,73 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Unmasked +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename + securityContext: + procMount: Unmasked +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Unmasked +--- \ No newline at end of file diff --git a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-good.yaml b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-good.yaml new file mode 100644 index 000000000..747d648e2 --- /dev/null +++ b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-good.yaml 
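Review bot: pod-bad.yaml ends with a bare `---` followed by no newline (`\ No newline at end of file`); the trailing separator opens an empty document that every multi-document loader has to skip, and the missing final newline will resurface as a spurious hunk the next time the file is edited. Ending the file after the last resource with a single newline is the conventional form. The same applies to pod-good.yaml, podcontroller-bad.yaml and podcontroller-good.yaml in this commit.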
@@ -0,0 +1,78 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Default +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename + securityContext: + procMount: Default +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + securityContext: + procMount: Default + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + securityContext: + procMount: Default + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Default +--- \ No newline at end of file diff --git a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-bad.yaml new file mode 100644 index 000000000..b719c34b3 --- /dev/null +++ b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-bad.yaml 
@@ -0,0 +1,220 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Unmasked +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename + securityContext: + procMount: Unmasked +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Unmasked +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: 
+ template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Unmasked +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename + securityContext: + procMount: Unmasked +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: dummyimagename + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + securityContext: + procMount: Unmasked + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Unmasked +--- \ No newline at end of file diff --git a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-good.yaml new file mode 100644 index 000000000..83e0d5aac --- /dev/null 
+++ b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-good.yaml 
@@ -0,0 +1,245 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Default +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename + securityContext: + procMount: Default +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + securityContext: + procMount: Default + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + securityContext: + procMount: Default + - name: initcontainer02 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename + 
securityContext: + procMount: Default +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Default +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename + securityContext: + procMount: Default +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: dummyimagename + securityContext: + procMount: Default + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + securityContext: + procMount: Default + containers: + - name: container01 + image: dummyimagename + securityContext: + procMount: Default +--- \ No newline at end of file 
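Review bot: The six goodcronjob fixtures carry `schedule: "*/1 * * * *"` and, being the positive cases, are admitted, so between chainsaw's apply and its cleanup the CronJob controller can spawn a Job and a Pod pulling the non-existent `dummyimagename`, which leaves extra objects for cleanup to cascade-delete and adds ImagePull noise to the test namespace. Since the test only exercises the admission decision, adding `suspend: true` under each CronJob `spec:` keeps that check intact while preventing any Job from being created. The corresponding pod-security-cel podcontroller-good.yaml fixture at the top of this chunk shows the same pattern, though that hunk starts outside the visible diff.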
diff --git a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml
new file mode 100755
index 000000000..87ef3bbcb
--- /dev/null
+++ b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-proc-mount
+status:
+ ready: true