From d8d97d11d69dcaba3aad08be0d72f8c068d7adad Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 17 Mar 2024 07:31:27 +0000 Subject: [PATCH 01/42] copy allowed-annotations Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 + .../.chainsaw-test/chainsaw-test.yaml | 38 +++++ .../.chainsaw-test/pod-bad.yaml | 46 ++++++ .../.chainsaw-test/pod-good.yaml | 44 ++++++ .../.chainsaw-test/podcontroller-bad.yaml | 93 +++++++++++++ .../.chainsaw-test/podcontroller-good.yaml | 131 ++++++++++++++++++ .../.kyverno-test/kyverno-test.yaml | 21 +++ .../.kyverno-test/resource.yaml | 29 ++++ .../allowed-annotations.yaml | 37 +++++ .../allowed-annotations/artifacthub-pkg.yml | 22 +++ 10 files changed, 467 insertions(+) create mode 100755 other-cel/allowed-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 other-cel/allowed-annotations/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/allowed-annotations/.chainsaw-test/pod-bad.yaml create mode 100644 other-cel/allowed-annotations/.chainsaw-test/pod-good.yaml create mode 100644 other-cel/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml create mode 100644 other-cel/allowed-annotations/.chainsaw-test/podcontroller-good.yaml create mode 100644 other-cel/allowed-annotations/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/allowed-annotations/.kyverno-test/resource.yaml create mode 100644 other-cel/allowed-annotations/allowed-annotations.yaml create mode 100644 other-cel/allowed-annotations/artifacthub-pkg.yml diff --git a/other-cel/allowed-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/allowed-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..089b2140f --- /dev/null +++ b/other-cel/allowed-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: allowed-annotations +status: + ready: true 
diff --git a/other-cel/allowed-annotations/.chainsaw-test/chainsaw-test.yaml b/other-cel/allowed-annotations/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..3c3e9bce9 --- /dev/null +++ b/other-cel/allowed-annotations/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,38 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: allowed-annotations +spec: + steps: + - name: step-01 + try: + - apply: + file: ../allowed-annotations.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: allowed-annotations + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml diff --git a/other-cel/allowed-annotations/.chainsaw-test/pod-bad.yaml b/other-cel/allowed-annotations/.chainsaw-test/pod-bad.yaml new file mode 100644 index 000000000..0b5d757e4 --- /dev/null +++ b/other-cel/allowed-annotations/.chainsaw-test/pod-bad.yaml 
@@ -0,0 +1,46 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + fluxcd.io/cat: meow + name: badpod01 +spec: + containers: + - name: pod01-01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + annotations: + foo: bar + fluxcd.io/foo: bar + name: badpod02 +spec: + containers: + - name: pod02-01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + annotations: + fluxcd.io/bar: foo + foo: bar + name: badpod03 +spec: + containers: + - name: pod-01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + annotations: + fluxcd.io/bar: foo + fluxcd.io/cow: moo + name: badpod04 +spec: + containers: + - name: pod-01 + image: busybox:1.35 \ No newline at end of file diff --git a/other-cel/allowed-annotations/.chainsaw-test/pod-good.yaml b/other-cel/allowed-annotations/.chainsaw-test/pod-good.yaml new file mode 100644 index 000000000..562703bde --- /dev/null +++ b/other-cel/allowed-annotations/.chainsaw-test/pod-good.yaml @@ -0,0 +1,44 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: pod01-01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + annotations: + foo: bar + fluxcd.io/cow: ox + fluxcd.io/dog: cat + name: goodpod02 +spec: + containers: + - name: pod02-01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + annotations: + foo: bar + name: goodpod03 +spec: + containers: + - name: pod-01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + annotations: + fluxcd.io/cow: moo + foo: bar + name: goodpod04 +spec: + containers: + - name: pod-01 + image: busybox:1.35 \ No newline at end of file diff --git a/other-cel/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml b/other-cel/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml new file mode 100644 index 000000000..5fc6b883c --- /dev/null +++ b/other-cel/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml 
@@ -0,0 +1,93 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + annotations: + foo: bar + fluxcd.io/foo: bar + labels: + app: busybox + spec: + containers: + - name: bb-01 + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + annotations: + fluxcd.io/cat: meow + fluxcd.io/cow: moo + labels: + app: busybox + spec: + containers: + - name: bb-01 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + annotations: + foo: bar + fluxcd.io/foo: bar + spec: + containers: + - name: hello + image: busybox:1.35 + imagePullPolicy: IfNotPresent + command: + - "sleep" + - "3600" + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + annotations: + fluxcd.io/cat: meow + fluxcd.io/cow: moo + spec: + containers: + - name: hello + image: busybox:1.35 + imagePullPolicy: IfNotPresent + command: + - "sleep" + - "3600" + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/allowed-annotations/.chainsaw-test/podcontroller-good.yaml b/other-cel/allowed-annotations/.chainsaw-test/podcontroller-good.yaml new file mode 100644 index 000000000..0fb2af431 --- /dev/null +++ b/other-cel/allowed-annotations/.chainsaw-test/podcontroller-good.yaml 
@@ -0,0 +1,131 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + annotations: + foo: bar + labels: + app: busybox + spec: + containers: + - name: bb-01 + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + annotations: + fluxcd.io/cow: moo + fluxcd.io/dog: bark + labels: + app: busybox + spec: + containers: + - name: bb-01 + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: bb-01 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + annotations: + foo: bar + spec: + containers: + - name: hello + image: busybox:1.35 + imagePullPolicy: IfNotPresent + command: + - "sleep" + - "3600" + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + annotations: + fluxcd.io/cow: moo + fluxcd.io/dog: bark + spec: + containers: + - name: hello + image: busybox:1.35 + imagePullPolicy: IfNotPresent + command: + - "sleep" + - "3600" + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: hello + image: busybox:1.35 + imagePullPolicy: IfNotPresent + command: + - "sleep" + - "3600" + restartPolicy: OnFailure \ No newline at end of file 
diff --git a/other-cel/allowed-annotations/.kyverno-test/kyverno-test.yaml b/other-cel/allowed-annotations/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..2e46de21c --- /dev/null +++ b/other-cel/allowed-annotations/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,21 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: allowed-annotations +policies: +- ../allowed-annotations.yaml +resources: +- resource.yaml +results: +- kind: Pod + policy: allowed-annotations + resources: + - badpod01 + result: fail + rule: allowed-fluxcd-annotations +- kind: Pod + policy: allowed-annotations + resources: + - goodpod01 + result: pass + rule: allowed-fluxcd-annotations diff --git a/other-cel/allowed-annotations/.kyverno-test/resource.yaml b/other-cel/allowed-annotations/.kyverno-test/resource.yaml new file mode 100644 index 000000000..a4183a5e2 --- /dev/null +++ b/other-cel/allowed-annotations/.kyverno-test/resource.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 + annotations: + fluxcd.io/bat: flap + corp.com/bar: baz + somethingsimple: else +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: registry.corp/sdf3vhadfa:1.28 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 + annotations: + fluxcd.io/dog: bark + corp.com/bar: baz + somethingsimple: else +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: registry.corp/sdf3vhadfa:1.28 +--- \ No newline at end of file diff --git a/other-cel/allowed-annotations/allowed-annotations.yaml b/other-cel/allowed-annotations/allowed-annotations.yaml new file mode 100644 index 000000000..f41c976fa --- /dev/null +++ b/other-cel/allowed-annotations/allowed-annotations.yaml 
@@ -0,0 +1,37 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: allowed-annotations + annotations: + policies.kyverno.io/title: Allowed Annotations + policies.kyverno.io/category: Other + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.6.0 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/subject: Pod, Annotation + policies.kyverno.io/description: >- + Rather than creating a deny list of annotations, it may be more useful + to invert that list and create an allow list which then denies any others. + This policy demonstrates how to allow two annotations with a specific key + name of fluxcd.io/ while denying others that do not meet the pattern. +spec: + validationFailureAction: audit + background: true + rules: + - name: allowed-fluxcd-annotations + match: + any: + - resources: + kinds: + - Pod + validate: + message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`. + deny: + conditions: + all: + - key: "{{ request.object.metadata.annotations.keys(@)[?contains(@, 'fluxcd.io/')] }}" + operator: AnyNotIn + value: + - fluxcd.io/cow + - fluxcd.io/dog \ No newline at end of file diff --git a/other-cel/allowed-annotations/artifacthub-pkg.yml b/other-cel/allowed-annotations/artifacthub-pkg.yml new file mode 100644 index 000000000..5d9eff405 --- /dev/null +++ b/other-cel/allowed-annotations/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: allowed-annotations +version: 1.0.0 +displayName: Allowed Annotations +createdAt: "2023-04-10T20:30:03.000Z" +description: >- + Rather than creating a deny list of annotations, it may be more useful to invert that list and create an allow list which then denies any others. This policy demonstrates how to allow two annotations with a specific key name of fluxcd.io/ while denying others that do not meet the pattern. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/allowed-annotations/allowed-annotations.yaml + ``` +keywords: + - kyverno + - Other +readme: | + Rather than creating a deny list of annotations, it may be more useful to invert that list and create an allow list which then denies any others. This policy demonstrates how to allow two annotations with a specific key name of fluxcd.io/ while denying others that do not meet the pattern. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other" + kyverno/kubernetesVersion: "1.23" + kyverno/subject: "Pod, Annotation" +digest: b210e6f51fdf0e8bf5e3c463cf60d5cf890bdfa8b27d899d6947a5bef3709e62 From 694bee53312df00c9a500714ab75dcdab749a5f3 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 17 Mar 2024 14:09:45 +0000 Subject: [PATCH 02/42] convert allowed-annotations to cel Signed-off-by: Chandan-DK --- .../allowed-annotations.yaml | 28 +++++++++---------- .../allowed-annotations/artifacthub-pkg.yml | 16 ++++++----- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/other-cel/allowed-annotations/allowed-annotations.yaml b/other-cel/allowed-annotations/allowed-annotations.yaml index f41c976fa..6832fa2d1 100644 --- a/other-cel/allowed-annotations/allowed-annotations.yaml +++ b/other-cel/allowed-annotations/allowed-annotations.yaml 
@@ -3,12 +3,12 @@ kind: ClusterPolicy metadata: name: allowed-annotations annotations: - policies.kyverno.io/title: Allowed Annotations - policies.kyverno.io/category: Other + policies.kyverno.io/title: Allowed Annotations in CEL expressions + policies.kyverno.io/category: Other in CEL policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.6.0 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.23" + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: Pod, Annotation policies.kyverno.io/description: >- Rather than creating a deny list of annotations, it may be more useful @@ -16,7 +16,7 @@ metadata: This policy demonstrates how to allow two annotations with a specific key name of fluxcd.io/ while denying others that do not meet the pattern. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: allowed-fluxcd-annotations @@ -26,12 +26,10 @@ spec: kinds: - Pod validate: - message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`. - deny: - conditions: - all: - - key: "{{ request.object.metadata.annotations.keys(@)[?contains(@, 'fluxcd.io/')] }}" - operator: AnyNotIn - value: - - fluxcd.io/cow - - fluxcd.io/dog \ No newline at end of file + cel: + expressions: + - expression: >- + !has(object.metadata.annotations) || + object.metadata.annotations.all(annotation, !annotation.contains('fluxcd.io/') || annotation in ['fluxcd.io/cow', 'fluxcd.io/dog']) + message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`. + diff --git a/other-cel/allowed-annotations/artifacthub-pkg.yml b/other-cel/allowed-annotations/artifacthub-pkg.yml index 5d9eff405..e549978d1 100644 --- a/other-cel/allowed-annotations/artifacthub-pkg.yml +++ b/other-cel/allowed-annotations/artifacthub-pkg.yml 
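Review bot: `annotation.contains('fluxcd.io/')` in the new CEL expression is a substring test, so a key whose prefix merely ends in `fluxcd.io` (for example `sub.fluxcd.io/cow`) is rejected as well, while the title, description and `message` all speak of keys "with a specific key name of fluxcd.io/". This mirrors the original JMESPath `contains(@, 'fluxcd.io/')`, so the conversion is faithful and the stricter reading is the safe one; if prefix semantics are what is meant, `annotation.startsWith('fluxcd.io/')` states that directly, otherwise a one-line comment above the expression recording that any key containing `fluxcd.io/` is screened would spare the next reader the question. The rule still matches only `Pod`, so the Deployment and CronJob rejections expected by `.chainsaw-test/podcontroller-bad.yaml` appear to rely on Kyverno's autogen of the CEL expression for controller templates, which is worth a sentence in the description since the expression itself only references `object.metadata.annotations`.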
@@ -1,22 +1,24 @@ -name: allowed-annotations +name: allowed-annotations-cel version: 1.0.0 -displayName: Allowed Annotations -createdAt: "2023-04-10T20:30:03.000Z" +displayName: Allowed Annotations in CEL expressions description: >- Rather than creating a deny list of annotations, it may be more useful to invert that list and create an allow list which then denies any others. This policy demonstrates how to allow two annotations with a specific key name of fluxcd.io/ while denying others that do not meet the pattern. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/allowed-annotations/allowed-annotations.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/allowed-annotations/allowed-annotations.yaml ``` keywords: - kyverno - Other + - CEL Expressions readme: | Rather than creating a deny list of annotations, it may be more useful to invert that list and create an allow list which then denies any others. This policy demonstrates how to allow two annotations with a specific key name of fluxcd.io/ while denying others that do not meet the pattern. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.23" + kyverno/category: "Other in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod, Annotation" -digest: b210e6f51fdf0e8bf5e3c463cf60d5cf890bdfa8b27d899d6947a5bef3709e62 +digest: c917791b2d807cd00117591ba8fa05e7453aa3a8e0c9c1a8d20165ac63150e0c +createdAt: "2024-03-17T14:04:46Z" + From 17544e1c9133d083edd748dd59c9692fb6c9dddf Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Mon, 18 Mar 2024 16:33:35 +0000 Subject: [PATCH 03/42] add CI test for directories starting with a in other-cel folder Signed-off-by: Chandan-DK --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 969021712..d51c3924b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -53,6 +53,7 @@ jobs: - ^other$/^re[c-q] - ^other$/^res - ^other$/^[s-z] + - ^other-cel$/^a - ^pod-security$ - ^pod-security-cel$ - ^psa$ From d479769cde39ffec0b5affef4de06440b539fe2e Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Tue, 19 Mar 2024 11:30:43 +0000 Subject: [PATCH 04/42] copy allowed-pod-priorities 
Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 ++ .../.chainsaw-test/chainsaw-test.yaml | 44 ++++++++++ .../.chainsaw-test/cm.yaml | 8 ++ .../.chainsaw-test/ns.yaml | 9 ++ .../.chainsaw-test/pc.yaml | 31 +++++++ .../.chainsaw-test/pod-bad.yaml | 21 +++++ .../.chainsaw-test/pod-good.yaml | 51 +++++++++++ .../.chainsaw-test/podcontroller-bad.yaml | 79 +++++++++++++++++ .../.chainsaw-test/podcontroller-good.yaml | 79 +++++++++++++++++ .../.chainsaw-test/priorityClass.yaml | 7 ++ .../.kyverno-test/kyverno-test.yaml | 28 ++++++ .../.kyverno-test/resource.yaml | 52 +++++++++++ .../.kyverno-test/values.yaml | 25 ++++++ .../allowed-pod-priorities.yaml | 86 +++++++++++++++++++ .../artifacthub-pkg.yml | 21 +++++ 15 files changed, 547 insertions(+) create mode 100755 other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/allowed-pod-priorities/.chainsaw-test/cm.yaml create mode 100644 other-cel/allowed-pod-priorities/.chainsaw-test/ns.yaml create mode 100644 other-cel/allowed-pod-priorities/.chainsaw-test/pc.yaml create mode 100644 other-cel/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml create mode 100644 other-cel/allowed-pod-priorities/.chainsaw-test/pod-good.yaml create mode 100644 other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml create mode 100644 other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml create mode 100644 other-cel/allowed-pod-priorities/.chainsaw-test/priorityClass.yaml create mode 100644 other-cel/allowed-pod-priorities/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/allowed-pod-priorities/.kyverno-test/resource.yaml create mode 100644 other-cel/allowed-pod-priorities/.kyverno-test/values.yaml create mode 100644 other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml create mode 100644 
other-cel/allowed-pod-priorities/artifacthub-pkg.yml diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..5bf922bad --- /dev/null +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: allowed-podpriorities +status: + ready: true diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..d44e134c5 --- /dev/null +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,44 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: allowed-pod-priorities +spec: + steps: + - name: step-01 + try: + - apply: + file: cm.yaml + - apply: + file: ns.yaml + - apply: + file: pc.yaml + - apply: + file: ../allowed-pod-priorities.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: allowed-podpriorities + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/cm.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/cm.yaml new file mode 100644 index 000000000..66090e8de --- /dev/null +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/cm.yaml 
@@ -0,0 +1,8 @@ +apiVersion: v1 +data: + pod-priority-ns: "[\"high\",\"medium\",\"low\"]" + no-priority-ns: foo +kind: ConfigMap +metadata: + name: allowed-pod-priorities + namespace: default \ No newline at end of file diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/ns.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/ns.yaml new file mode 100644 index 000000000..a15a1d3a8 --- /dev/null +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/ns.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: pod-priority-ns +--- +apiVersion: v1 +kind: Namespace +metadata: + name: no-priority-ns \ No newline at end of file diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/pc.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/pc.yaml new file mode 100644 index 000000000..d45539655 --- /dev/null +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/pc.yaml @@ -0,0 +1,31 @@ +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: high +value: 1000000 +globalDefault: false +description: "This priority class should be used for XYZ service pods only." +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: medium +value: 500000 +globalDefault: false +description: "This priority class should be used for XYZ service pods only." +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: low +value: 100000 +globalDefault: false +description: "This priority class should be used for XYZ service pods only." +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: foo +value: 100000 +globalDefault: false +description: "This priority class should be used for XYZ service pods only." \ No newline at end of file diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml new file mode 100644 index 000000000..c94fdd994 --- /dev/null 
+++ b/other-cel/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 + namespace: pod-priority-ns +spec: + containers: + - name: pod01 + image: busybox:1.35 + priorityClassName: foo +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 + namespace: no-priority-ns +spec: + containers: + - name: pod01 + image: busybox:1.35 + priorityClassName: low \ No newline at end of file diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/pod-good.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/pod-good.yaml new file mode 100644 index 000000000..962082c47 --- /dev/null +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/pod-good.yaml @@ -0,0 +1,51 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 + namespace: pod-priority-ns +spec: + containers: + - name: pod01 + image: busybox:1.35 + priorityClassName: high +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 + namespace: pod-priority-ns +spec: + containers: + - name: pod01 + image: busybox:1.35 + priorityClassName: low +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: pod01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 + namespace: no-priority-ns +spec: + containers: + - name: pod01 + image: busybox:1.35 + priorityClassName: foo +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + containers: + - name: pod01 + image: busybox:1.35 + priorityClassName: low \ No newline at end of file diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml new file mode 100644 index 000000000..4c0ae45ee --- /dev/null +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml 
@@ -0,0 +1,79 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 + namespace: pod-priority-ns +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + priorityClassName: foo + containers: + - name: bb-01 + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment02 + namespace: pod-priority-ns +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + priorityClassName: foo + containers: + - name: bb-01 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 + namespace: pod-priority-ns +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + priorityClassName: med + containers: + - name: bb-01 + image: kyverno + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 + namespace: pod-priority-ns +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + priorityClassName: foo + containers: + - name: bb-01 + image: kyverno + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml new file mode 100644 index 000000000..2c3d6c0c0 --- /dev/null +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml 
@@ -0,0 +1,79 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 + namespace: pod-priority-ns +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + priorityClassName: high + containers: + - name: bb-01 + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment02 + namespace: no-priority-ns +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + priorityClassName: foo + containers: + - name: bb-01 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 + namespace: pod-priority-ns +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + priorityClassName: medium + containers: + - name: bb-01 + image: kyverno + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 + namespace: no-priority-ns +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + priorityClassName: foo + containers: + - name: bb-01 + image: kyverno + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/priorityClass.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/priorityClass.yaml new file mode 100644 index 000000000..36967fa20 --- /dev/null +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/priorityClass.yaml @@ -0,0 +1,7 @@ +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: high-priority +value: 1000000 +globalDefault: false +description: "This priority class should be used for XYZ service pods only." \ No newline at end of file 
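Review bot: `priorityClass.yaml` (PriorityClass `high-priority`) is not referenced by `.chainsaw-test/chainsaw-test.yaml`, which applies `cm.yaml`, `ns.yaml`, `pc.yaml` and the policy, and none of the pod or controller fixtures use `high-priority`; it looks like a leftover from the copied test directory. If that is the case, dropping the file, or applying it in step-01 if it is meant to back a fixture, keeps the test directory self-describing.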
diff --git a/other-cel/allowed-pod-priorities/.kyverno-test/kyverno-test.yaml b/other-cel/allowed-pod-priorities/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..3ca64a787 --- /dev/null +++ b/other-cel/allowed-pod-priorities/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,28 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: allowed-podpriorities +policies: +- ../allowed-pod-priorities.yaml +resources: +- resource.yaml +results: +- kind: Deployment + policy: allowed-podpriorities + resources: + - mydeploy + result: fail + rule: validate-pod-priority +- kind: CronJob + policy: allowed-podpriorities + resources: + - hello + result: pass + rule: validate-pod-priority-cronjob +- kind: Pod + policy: allowed-podpriorities + resources: + - myapp-pod + result: pass + rule: validate-pod-priority-pods +variables: values.yaml diff --git a/other-cel/allowed-pod-priorities/.kyverno-test/resource.yaml b/other-cel/allowed-pod-priorities/.kyverno-test/resource.yaml new file mode 100644 index 000000000..389e055f0 --- /dev/null +++ b/other-cel/allowed-pod-priorities/.kyverno-test/resource.yaml @@ -0,0 +1,52 @@ +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod + labels: + env: test +spec: + containers: + - name: nginx + image: nginx + imagePullPolicy: IfNotPresent + priorityClassName: high-priority + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mydeploy +spec: + replicas: 1 + selector: + matchLabels: + app: myapp + template: + metadata: + labels: + app: myapp + spec: + containers: + - image: nginx:latest + name: nginx + priorityClassName: critical-priority + +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: hello + namespace: production +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: hello + image: busybox + imagePullPolicy: IfNotPresent + restartPolicy: OnFailure + priorityClassName: low-priority + 
diff --git a/other-cel/allowed-pod-priorities/.kyverno-test/values.yaml b/other-cel/allowed-pod-priorities/.kyverno-test/values.yaml new file mode 100644 index 000000000..6dbab6e10 --- /dev/null +++ b/other-cel/allowed-pod-priorities/.kyverno-test/values.yaml @@ -0,0 +1,25 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values +policies: +- name: allowed-podpriorities + rules: + - name: validate-pod-priority-pods + values: + podprioritydict.data.default: '["high-priority", "moderate-priority", "low-priority"]' + request.namespace: default + - name: validate-pod-priority + values: + podprioritydict.data.default: '["high-priority", "moderate-priority", "low-priority"]' + request.namespace: default + - name: validate-pod-priority-cronjob + values: + podprioritydict.data.production: '["high-priority", "moderate-priority", "low-priority"]' + request.namespace: production + - name: autogen-validate-pod-priority-pods + values: + podprioritydict.data.default: '["high-priority", "moderate-priority", "low-priority"]' + request.namespace: default + - name: autogen-cronjob-validate-pod-priority-pods + values: + podprioritydict.data.default: '["high-priority", "moderate-priority", "low-priority"]' + request.namespace: default diff --git a/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml b/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml new file mode 100644 index 000000000..d8e79a14e --- /dev/null +++ b/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml 
@@ -0,0 +1,86 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: allowed-podpriorities
+ annotations:
+ policies.kyverno.io/title: Allowed Pod Priorities
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/minversion: 1.6.0
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ A Pod PriorityClass is used to provide a guarantee on the scheduling of a Pod relative to others.
+ In certain cases where not all users in a cluster are trusted, a malicious user could create Pods
+ at the highest possible priorities, causing other Pods to be evicted/not get scheduled. This policy
+ checks the defined `priorityClassName` in a Pod spec to a dictionary of allowable
+ PriorityClasses for the given Namespace stored in a ConfigMap. If the `priorityClassName` is not
+ among them, the Pod is blocked.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: validate-pod-priority
+ context:
+ - name: podprioritydict
+ configMap:
+ name: allowed-pod-priorities
+ namespace: default
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ - DaemonSet
+ - StatefulSet
+ - Job
+ validate:
+ message: >-
+ The Pod PriorityClass {{ request.object.spec.template.spec.priorityClassName }} is not in the list
+ of the following PriorityClasses allowed in this Namespace: {{ podprioritydict.data."{{request.namespace}}" }}.
+ deny:
+ conditions:
+ any:
+ - key: "{{ request.object.spec.template.spec.priorityClassName }}"
+ operator: AnyNotIn
+ value: '{{ podprioritydict.data."{{request.namespace}}" || "" }}'
+ - name: validate-pod-priority-pods
+ context:
+ - name: podprioritydict
+ configMap:
+ name: allowed-pod-priorities
+ namespace: default
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ The Pod PriorityClass {{ request.object.spec.priorityClassName }} is not in the list
+ of the following PriorityClasses allowed in this Namespace: {{ podprioritydict.data."{{request.namespace}}" }}.
+ deny:
+ conditions:
+ any:
+ - key: "{{ request.object.spec.priorityClassName || '' }}"
+ operator: AnyNotIn
+ value: '{{ podprioritydict.data."{{request.namespace}}" || "" }}'
+ - name: validate-pod-priority-cronjob
+ context:
+ - name: podprioritydict
+ configMap:
+ name: allowed-pod-priorities
+ namespace: default
+ match:
+ any:
+ - resources:
+ kinds:
+ - CronJob
+ validate:
+ message: >-
+ The Pod PriorityClass {{ request.object.spec.jobTemplate.spec.template.spec.priorityClassName }} is not in the list
+ of the following PriorityClasses allowed in this Namespace: {{ podprioritydict.data."{{request.namespace}}" }}.
+ deny:
+ conditions:
+ any:
+ - key: "{{ request.object.spec.jobTemplate.spec.template.spec.priorityClassName }}"
+ operator: AnyNotIn
+ value: '{{ podprioritydict.data."{{request.namespace}}" || "" }}'
diff --git a/other-cel/allowed-pod-priorities/artifacthub-pkg.yml b/other-cel/allowed-pod-priorities/artifacthub-pkg.yml
new file mode 100644
index 000000000..9f01f1dcf
--- /dev/null
+++ b/other-cel/allowed-pod-priorities/artifacthub-pkg.yml
@@ -0,0 +1,21 @@
+name: allowed-pod-priorities
+version: 1.0.0
+displayName: Allowed Pod Priorities
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+ A Pod PriorityClass is used to provide a guarantee on the scheduling of a Pod relative to others. In certain cases where not all users in a cluster are trusted, a malicious user could create Pods at the highest possible priorities, causing other Pods to be evicted/not get scheduled. This policy checks the defined `priorityClassName` in a Pod spec to a dictionary of allowable PriorityClasses for the given Namespace stored in a ConfigMap. If the `priorityClassName` is not among them, the Pod is blocked.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/allowed-pod-priorities/allowed-pod-priorities.yaml
+ ```
+keywords:
+ - kyverno
+ - Sample
+readme: |
+ A Pod PriorityClass is used to provide a guarantee on the scheduling of a Pod relative to others. In certain cases where not all users in a cluster are trusted, a malicious user could create Pods at the highest possible priorities, causing other Pods to be evicted/not get scheduled. This policy checks the defined `priorityClassName` in a Pod spec to a dictionary of allowable PriorityClasses for the given Namespace stored in a ConfigMap. If the `priorityClassName` is not among them, the Pod is blocked.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Sample"
+ kyverno/subject: "Pod"
+digest: dfee34072f20005571e9d91d5f6f34a13b0874332196641ea43e67c7da1a4a1a
From d88f1f0a29bfc646d788ed11583a211be99f9fa7 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Tue, 19 Mar 2024 17:21:33 +0000
Subject: [PATCH 05/42] convert allowed-pod-priorities to cel
Signed-off-by: Chandan-DK --- .../.chainsaw-test/cm.yaml | 2 +- .../.kyverno-test/kyverno-test.yaml | 28 ----- .../.kyverno-test/resource.yaml | 52 --------- .../.kyverno-test/values.yaml | 25 ---- .../allowed-pod-priorities.yaml | 107 +++++++++++------- .../artifacthub-pkg.yml | 14 ++- 6 files changed, 72 insertions(+), 156 deletions(-) delete mode 100644 other-cel/allowed-pod-priorities/.kyverno-test/kyverno-test.yaml delete mode 100644 other-cel/allowed-pod-priorities/.kyverno-test/resource.yaml delete mode 100644 other-cel/allowed-pod-priorities/.kyverno-test/values.yaml diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/cm.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/cm.yaml index 66090e8de..7b931d2d4 100644 --- a/other-cel/allowed-pod-priorities/.chainsaw-test/cm.yaml +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/cm.yaml @@ -1,6 +1,6 @@ apiVersion: v1 data: - pod-priority-ns: "[\"high\",\"medium\",\"low\"]" + pod-priority-ns: "high, medium, low" no-priority-ns: foo kind: ConfigMap metadata: diff --git a/other-cel/allowed-pod-priorities/.kyverno-test/kyverno-test.yaml b/other-cel/allowed-pod-priorities/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 3ca64a787..000000000 --- a/other-cel/allowed-pod-priorities/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: allowed-podpriorities -policies: -- ../allowed-pod-priorities.yaml -resources: -- resource.yaml -results: -- kind: Deployment - policy: allowed-podpriorities - resources: - - mydeploy - result: fail - rule: validate-pod-priority -- kind: CronJob - policy: allowed-podpriorities - resources: - - hello - result: pass - rule: validate-pod-priority-cronjob -- kind: Pod - policy: allowed-podpriorities - resources: - - myapp-pod - result: pass - rule: validate-pod-priority-pods -variables: values.yaml 
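Review bot: The new `pod-priority-ns: "high, medium, low"` value depends on the policy splitting the string on a literal comma-space, but nothing in the ConfigMap records that contract, so a later edit to `high,medium,low` or a trailing space would silently shrink the allowed set. A comment above `data:` such as `# one key per namespace; value is a ", "-separated list of allowed PriorityClass names (allowed-podpriorities splits on exactly ", ")` would make the format explicit. `no-priority-ns: foo` presumably stands for a namespace in which no real PriorityClass is allowed; a short comment saying so would help the next reader too.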
diff --git a/other-cel/allowed-pod-priorities/.kyverno-test/resource.yaml b/other-cel/allowed-pod-priorities/.kyverno-test/resource.yaml deleted file mode 100644 index 389e055f0..000000000 --- a/other-cel/allowed-pod-priorities/.kyverno-test/resource.yaml +++ /dev/null @@ -1,52 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: myapp-pod - labels: - env: test -spec: - containers: - - name: nginx - image: nginx - imagePullPolicy: IfNotPresent - priorityClassName: high-priority - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mydeploy -spec: - replicas: 1 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - image: nginx:latest - name: nginx - priorityClassName: critical-priority - ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: hello - namespace: production -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: hello - image: busybox - imagePullPolicy: IfNotPresent - restartPolicy: OnFailure - priorityClassName: low-priority - diff --git a/other-cel/allowed-pod-priorities/.kyverno-test/values.yaml b/other-cel/allowed-pod-priorities/.kyverno-test/values.yaml deleted file mode 100644 index 6dbab6e10..000000000 --- a/other-cel/allowed-pod-priorities/.kyverno-test/values.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Values -policies: -- name: allowed-podpriorities - rules: - - name: validate-pod-priority-pods - values: - podprioritydict.data.default: '["high-priority", "moderate-priority", "low-priority"]' - request.namespace: default - - name: validate-pod-priority - values: - podprioritydict.data.default: '["high-priority", "moderate-priority", "low-priority"]' - request.namespace: default - - name: validate-pod-priority-cronjob - values: - podprioritydict.data.production: '["high-priority", "moderate-priority", "low-priority"]' - request.namespace: production - - name: autogen-validate-pod-priority-pods - values: - podprioritydict.data.default: '["high-priority", "moderate-priority", "low-priority"]' - request.namespace: default - - name: autogen-cronjob-validate-pod-priority-pods - values: - podprioritydict.data.default: '["high-priority", "moderate-priority", "low-priority"]' - request.namespace: default diff --git a/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml b/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml index d8e79a14e..ec48d59a9 100644 --- a/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml +++ b/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml @@ -3,9 +3,10 @@ kind: ClusterPolicy metadata: name: allowed-podpriorities annotations: - policies.kyverno.io/title: Allowed Pod Priorities - policies.kyverno.io/category: Sample - policies.kyverno.io/minversion: 1.6.0 + policies.kyverno.io/title: Allowed Pod Priorities in CEL expressions + policies.kyverno.io/category: Sample in CEL + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- A Pod PriorityClass is used to provide a guarantee on the scheduling of a Pod relative to others. 
@@ -15,15 +16,10 @@ metadata: PriorityClasses for the given Namespace stored in a ConfigMap. If the `priorityClassName` is not among them, the Pod is blocked. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: validate-pod-priority - context: - - name: podprioritydict - configMap: - name: allowed-pod-priorities - namespace: default match: any: - resources: 
@@ -33,54 +29,77 @@ spec: - StatefulSet - Job validate: - message: >- - The Pod PriorityClass {{ request.object.spec.template.spec.priorityClassName }} is not in the list - of the following PriorityClasses allowed in this Namespace: {{ podprioritydict.data."{{request.namespace}}" }}. - deny: - conditions: - any: - - key: "{{ request.object.spec.template.spec.priorityClassName }}" - operator: AnyNotIn - value: '{{ podprioritydict.data."{{request.namespace}}" || "" }}' - - name: validate-pod-priority-pods - context: - - name: podprioritydict - configMap: + cel: + paramKind: + apiVersion: v1 + kind: ConfigMap + paramRef: name: allowed-pod-priorities namespace: default + parameterNotFoundAction: Deny + variables: + - name: namespaceName + expression: "namespaceObject.metadata.name" + - name: priorities + expression: "variables.namespaceName in params.data ? params.data[variables.namespaceName].split(', ') : []" + expressions: + - expression: "variables.priorities == [] || object.spec.template.spec.priorityClassName in variables.priorities" + messageExpression: >- + 'The Pod PriorityClass ' + object.spec.template.spec.priorityClassName + + ' is not in the list of the following PriorityClasses allowed in this Namespace: ' + + params.data[variables.namespaceName]" + + - name: validate-pod-priority-pods match: any: - resources: kinds: - Pod validate: - message: >- - The Pod PriorityClass {{ request.object.spec.priorityClassName }} is not in the list - of the following PriorityClasses allowed in this Namespace: {{ podprioritydict.data."{{request.namespace}}" }}. 
- deny: - conditions: - any: - - key: "{{ request.object.spec.priorityClassName || '' }}" - operator: AnyNotIn - value: '{{ podprioritydict.data."{{request.namespace}}" || "" }}' - - name: validate-pod-priority-cronjob - context: - - name: podprioritydict - configMap: + cel: + paramKind: + apiVersion: v1 + kind: ConfigMap + paramRef: name: allowed-pod-priorities namespace: default + parameterNotFoundAction: Deny + variables: + - name: namespaceName + expression: "namespaceObject.metadata.name" + - name: priorities + expression: "variables.namespaceName in params.data ? params.data[variables.namespaceName].split(', ') : []" + expressions: + - expression: "variables.priorities == [] || object.spec.priorityClassName in variables.priorities" + messageExpression: >- + 'The Pod PriorityClass ' + object.spec.priorityClassName + + ' is not in the list of the following PriorityClasses allowed in this Namespace: ' + + params.data[variables.namespaceName] + + - name: validate-pod-priority-cronjob match: any: - resources: kinds: - CronJob validate: - message: >- - The Pod PriorityClass {{ request.object.spec.jobTemplate.spec.template.spec.priorityClassName }} is not in the list - of the following PriorityClasses allowed in this Namespace: {{ podprioritydict.data."{{request.namespace}}" }}. - deny: - conditions: - any: - - key: "{{ request.object.spec.jobTemplate.spec.template.spec.priorityClassName }}" - operator: AnyNotIn - value: '{{ podprioritydict.data."{{request.namespace}}" || "" }}' + cel: + paramKind: + apiVersion: v1 + kind: ConfigMap + paramRef: + name: allowed-pod-priorities + namespace: default + parameterNotFoundAction: Deny + variables: + - name: namespaceName + expression: "namespaceObject.metadata.name" + - name: priorities + expression: "variables.namespaceName in params.data ? 
params.data[variables.namespaceName].split(', ') : []" + expressions: + - expression: "variables.priorities == [] || object.spec.jobTemplate.spec.template.spec.priorityClassName in variables.priorities" + messageExpression: >- + 'The Pod PriorityClass ' + object.spec.jobTemplate.spec.template.spec.priorityClassName + + ' is not in the list of the following PriorityClasses allowed in this Namespace: ' + + params.data[variables.namespaceName] + diff --git a/other-cel/allowed-pod-priorities/artifacthub-pkg.yml b/other-cel/allowed-pod-priorities/artifacthub-pkg.yml index 9f01f1dcf..212307ca0 100644 --- a/other-cel/allowed-pod-priorities/artifacthub-pkg.yml +++ b/other-cel/allowed-pod-priorities/artifacthub-pkg.yml 
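Review bot: The messageExpression of the validate-pod-priority rule (the first rule in this hunk) ends with a stray `"` after `params.data[variables.namespaceName]` that the Pod and CronJob rules do not carry, so that CEL string is unbalanced and the rule will not compile; drop the trailing quote. Each rule's expression also reads `priorityClassName` without a `has()` guard, so once a namespace has a ConfigMap entry a resource that omits the field (the previous Pod rule tolerated this with `|| ''`) hits a missing-key error instead of a clean pass or deny, as far as I can tell from how Kyverno surfaces CEL errors; I would write `variables.priorities == [] || (has(object.spec.template.spec.priorityClassName) && object.spec.template.spec.priorityClassName in variables.priorities)` and the equivalent for the `object.spec` and `object.spec.jobTemplate.spec.template.spec` paths. Two behaviours that the policy description does not mention deserve a comment on the `priorities` variable: a namespace with no entry in the ConfigMap passes unconditionally because `variables.priorities == []` short-circuits, and `split(', ')` only recognises the exact comma-space separator used in cm.yaml, so `high,medium` is treated as a single class name. The first rule's match block starts before this hunk.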
@@ -1,21 +1,23 @@ -name: allowed-pod-priorities +name: allowed-pod-priorities-cel version: 1.0.0 -displayName: Allowed Pod Priorities -createdAt: "2023-04-10T20:30:03.000Z" +displayName: Allowed Pod Priorities in CEL expressions description: >- A Pod PriorityClass is used to provide a guarantee on the scheduling of a Pod relative to others. In certain cases where not all users in a cluster are trusted, a malicious user could create Pods at the highest possible priorities, causing other Pods to be evicted/not get scheduled. This policy checks the defined `priorityClassName` in a Pod spec to a dictionary of allowable PriorityClasses for the given Namespace stored in a ConfigMap. If the `priorityClassName` is not among them, the Pod is blocked. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/allowed-pod-priorities/allowed-pod-priorities.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml ``` keywords: - kyverno - Sample + - CEL Expressions readme: | A Pod PriorityClass is used to provide a guarantee on the scheduling of a Pod relative to others. In certain cases where not all users in a cluster are trusted, a malicious user could create Pods at the highest possible priorities, causing other Pods to be evicted/not get scheduled. This policy checks the defined `priorityClassName` in a Pod spec to a dictionary of allowable PriorityClasses for the given Namespace stored in a ConfigMap. If the `priorityClassName` is not among them, the Pod is blocked. 
Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Sample" + kyverno/category: "Sample in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: dfee34072f20005571e9d91d5f6f34a13b0874332196641ea43e67c7da1a4a1a +digest: 50c7c13763d4e4f60c07b2b2be53fe821a8901f65349a2b9f4f516b76513e229 +createdAt: "2024-03-19T17:20:47Z" From 72522308f1af81eae7c34a683e3266842c5b3a00 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 20 Mar 2024 08:21:36 +0000 Subject: [PATCH 06/42] copy block-ephemeral-containers Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 +++ .../.chainsaw-test/chainsaw-test.yaml | 51 +++++++++++++++++++ .../.chainsaw-test/ns.yaml | 4 ++ .../.chainsaw-test/pod.yaml | 45 ++++++++++++++++ .../.chainsaw-test/podcontrollers.yaml | 25 +++++++++ .../artifacthub-pkg.yml | 22 ++++++++ .../block-ephemeral-containers.yaml | 32 ++++++++++++ 7 files changed, 185 insertions(+) create mode 100755 other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/block-ephemeral-containers/.chainsaw-test/ns.yaml create mode 100644 other-cel/block-ephemeral-containers/.chainsaw-test/pod.yaml create mode 100644 other-cel/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml create mode 100644 other-cel/block-ephemeral-containers/artifacthub-pkg.yml create mode 100644 other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..1a9877928 --- /dev/null +++ b/other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-ephemeral-containers
+status:
+ ready: true
diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..cd7effb22
--- /dev/null
+++ b/other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,51 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: block-ephemeral-containers
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../block-ephemeral-containers.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: block-ephemeral-containers
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ns.yaml
+ - apply:
+ file: pod.yaml
+ - apply:
+ file: podcontrollers.yaml
+ - name: step-03
+ try:
+ - script:
+ content: if kubectl debug -it pod01 --image=busybox:1.35 --target=busybox
+ -n block-ephemeral-ns; then exit 1; else exit 0; fi;
+ - script:
+ content: if kubectl debug -it pod02 --image=busybox:1.35 --target=busybox02
+ -n block-ephemeral-ns; then exit 1; else exit 0; fi;
+ - script:
+ content: if kubectl debug -it pod03 --image=busybox:1.35 --target=busybox
+ -n block-ephemeral-ns; then exit 1; else exit 0; fi;
+ - script:
+ content: if kubectl debug -it $(kubectl get po -n block-ephemeral-ns | grep
+ deployment01 | awk '{print $1}') --image=busybox:1.35 --target=bb -n block-ephemeral-ns;
+ then exit 1; else exit 0; fi;
+ - name: step-98
+ try:
+ - script:
+ content: kubectl delete deployments --all --force --grace-period=0 -n block-ephemeral-ns
+ - script:
+ content: kubectl delete pods --all --force --grace-period=0 -n block-ephemeral-ns
diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/ns.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/ns.yaml
new file mode 100644
index 000000000..617129b70
--- /dev/null
+++ b/other-cel/block-ephemeral-containers/.chainsaw-test/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: block-ephemeral-ns
\ No newline at end of file
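Review bot: The step-03 scripts treat any non-zero exit from `kubectl debug` as proof that the policy denied the request, so a Pod that is not yet Running, a wrong `--target` name, or the `-it` flags misbehaving without a TTY in CI would make the step pass without the policy being exercised at all. Checking for the policy's own message makes the assertion specific, e.g. `content: kubectl debug -it pod01 --image=busybox:1.35 --target=busybox -n block-ephemeral-ns 2>&1 | grep -q 'Ephemeral (debug) containers are not permitted.'`, applied likewise to the other three scripts. step-02 also applies pod.yaml and podcontrollers.yaml with no assert that the Pods reached Running before step-03 runs; I cannot tell from here whether chainsaw waits implicitly, so an explicit assert on the Pod phase would remove the doubt.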
diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/pod.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/pod.yaml
new file mode 100644
index 000000000..df553857f
--- /dev/null
+++ b/other-cel/block-ephemeral-containers/.chainsaw-test/pod.yaml
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod01
+ namespace: block-ephemeral-ns
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ command: ["sleep", "300"]
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod02
+ namespace: block-ephemeral-ns
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ command: ["sleep", "300"]
+ - name: busybox02
+ image: busybox:1.35
+ command: ["sleep", "300"]
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod03
+ namespace: block-ephemeral-ns
+spec:
+ initContainers:
+ - name: busybox-init
+ image: busybox:1.35
+ command: ["sleep", "300"]
+ - name: busybox02-init
+ image: busybox:1.35
+ command: ["sleep", "300"]
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ command: ["sleep", "300"]
+ - name: busybox02
+ image: busybox:1.35
+ command: ["sleep", "300"]
\ No newline at end of file
diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml
new file mode 100644
index 000000000..5213371c9
--- /dev/null
+++ b/other-cel/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml
@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: deployment01
+ namespace: block-ephemeral-ns
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - name: bb
+ image: busybox:1.35
+ command: ["sleep", "300"]
+ - name: bb2
+ image: busybox:1.35
+ command: ["sleep", "300"]
\ No newline at end of file
diff --git a/other-cel/block-ephemeral-containers/artifacthub-pkg.yml b/other-cel/block-ephemeral-containers/artifacthub-pkg.yml
new file mode 100644
index 000000000..cc77acc0c
--- /dev/null
+++ b/other-cel/block-ephemeral-containers/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+name: block-ephemeral-containers
+version: 1.0.0
+displayName: Block Ephemeral Containers
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+ Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the `kubectl debug` functionality and attach a temporary container to an existing Pod. This may potentially be used to gain access to unauthorized information executing inside one or more containers in that Pod. This policy blocks the use of ephemeral containers.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/block-ephemeral-containers/block-ephemeral-containers.yaml
+ ```
+keywords:
+ - kyverno
+ - Other
+readme: |
+ Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the `kubectl debug` functionality and attach a temporary container to an existing Pod. This may potentially be used to gain access to unauthorized information executing inside one or more containers in that Pod. This policy blocks the use of ephemeral containers.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Other"
+ kyverno/kubernetesVersion: "1.23"
+ kyverno/subject: "Pod"
+digest: a49007b59da49fb5d9551a5d9874a091036d3413dfe263924645c64d2aa9d415
diff --git a/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml b/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml
new file mode 100644
index 000000000..ee7ae46dd
--- /dev/null
+++ b/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-ephemeral-containers
+ annotations:
+ policies.kyverno.io/title: Block Ephemeral Containers
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ kyverno.io/kyverno-version: 1.6.0
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.23"
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the
+ `kubectl debug` functionality and attach a temporary container to an existing Pod.
+ This may potentially be used to gain access to unauthorized information executing inside
+ one or more containers in that Pod. This policy blocks the use of ephemeral containers.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: block-ephemeral-containers
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Ephemeral (debug) containers are not permitted."
+ pattern:
+ spec:
+ X(ephemeralContainers): "null"
\ No newline at end of file
From 9d45ca08b5196c87b0a08e8a49a61a0e29c135d9 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Wed, 20 Mar 2024 08:35:27 +0000
Subject: [PATCH 07/42] convert block-ephemeral-containers to cel
Signed-off-by: Chandan-DK
---
.../artifacthub-pkg.yml | 15 ++++++-------
.../block-ephemeral-containers.yaml | 21 ++++++++++---------
2 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/other-cel/block-ephemeral-containers/artifacthub-pkg.yml b/other-cel/block-ephemeral-containers/artifacthub-pkg.yml
index cc77acc0c..6457e474a 100644
--- a/other-cel/block-ephemeral-containers/artifacthub-pkg.yml
+++ b/other-cel/block-ephemeral-containers/artifacthub-pkg.yml
@@ -1,22 +1,23 @@ -name: block-ephemeral-containers +name: block-ephemeral-containers-cel version: 1.0.0 -displayName: Block Ephemeral Containers -createdAt: "2023-04-10T20:30:03.000Z" +displayName: Block Ephemeral Containers in CEL expressions description: >- Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the `kubectl debug` functionality and attach a temporary container to an existing Pod. This may potentially be used to gain access to unauthorized information executing inside one or more containers in that Pod. This policy blocks the use of ephemeral containers. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/block-ephemeral-containers/block-ephemeral-containers.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml ``` keywords: - kyverno - Other + - CEL Expressions readme: | Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the `kubectl debug` functionality and attach a temporary container to an existing Pod. This may potentially be used to gain access to unauthorized information executing inside one or more containers in that Pod. This policy blocks the use of ephemeral containers. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.23" + kyverno/category: "Other in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: a49007b59da49fb5d9551a5d9874a091036d3413dfe263924645c64d2aa9d415 +digest: 13da34209be549d9904eb9142840242db2ae000b1935e8c3c84d23368886fab9 +createdAt: "2024-03-20T08:34:56Z" diff --git a/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml b/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml index ee7ae46dd..a9223784c 100644 
--- a/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml +++ b/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml @@ -3,12 +3,12 @@ kind: ClusterPolicy metadata: name: block-ephemeral-containers annotations: - policies.kyverno.io/title: Block Ephemeral Containers - policies.kyverno.io/category: Other + policies.kyverno.io/title: Block Ephemeral Containers in CEL expressions + policies.kyverno.io/category: Other in CEL policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.6.0 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.23" + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the @@ -16,7 +16,7 @@ metadata: This may potentially be used to gain access to unauthorized information executing inside one or more containers in that Pod. This policy blocks the use of ephemeral containers. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: block-ephemeral-containers @@ -26,7 +26,8 @@ spec: kinds: - Pod validate: - message: "Ephemeral (debug) containers are not permitted." - pattern: - spec: - X(ephemeralContainers): "null" \ No newline at end of file + cel: + expressions: + - expression: "!has(object.spec.ephemeralContainers)" + message: "Ephemeral (debug) containers are not permitted." + From ea63ef290aa89ea1df847d1d1c26f28b5dc7a0ef Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 20 Mar 2024 08:37:52 +0000 Subject: [PATCH 08/42] add CI test for directories starting with b in other-cel folder Signed-off-by: Chandan-DK --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d51c3924b..3196cc5d4 100644 --- a/.github/workflows/test.yml 
+++ b/.github/workflows/test.yml @@ -54,6 +54,7 @@ jobs: - ^other$/^res - ^other$/^[s-z] - ^other-cel$/^a + - ^other-cel$/^b - ^pod-security$ - ^pod-security-cel$ - ^psa$ From 8baf31d1c18a466e4992570627fa90d4aa28b4c4 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 21 Mar 2024 13:07:27 +0000 Subject: [PATCH 09/42] copy check-env-vars Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 ++ .../.chainsaw-test/chainsaw-test.yaml | 38 ++++++++ .../.chainsaw-test/podcontrollers-bad.yaml | 59 ++++++++++++ .../.chainsaw-test/podcontrollers-good.yaml | 59 ++++++++++++ .../.chainsaw-test/pods-bad.yaml | 92 +++++++++++++++++++ .../.chainsaw-test/pods-good.yaml | 47 ++++++++++ .../.kyverno-test/kyverno-test.yaml | 22 +++++ .../.kyverno-test/resource.yaml | 35 +++++++ other-cel/check-env-vars/artifacthub-pkg.yml | 22 +++++ other-cel/check-env-vars/check-env-vars.yaml | 36 ++++++++ 10 files changed, 416 insertions(+) create mode 100755 other-cel/check-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 other-cel/check-env-vars/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml create mode 100644 other-cel/check-env-vars/.chainsaw-test/podcontrollers-good.yaml create mode 100644 other-cel/check-env-vars/.chainsaw-test/pods-bad.yaml create mode 100644 other-cel/check-env-vars/.chainsaw-test/pods-good.yaml create mode 100644 other-cel/check-env-vars/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/check-env-vars/.kyverno-test/resource.yaml create mode 100644 other-cel/check-env-vars/artifacthub-pkg.yml create mode 100644 other-cel/check-env-vars/check-env-vars.yaml diff --git a/other-cel/check-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/check-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..a1a66e266 --- /dev/null +++ b/other-cel/check-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
@@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-env-vars +status: + ready: true diff --git a/other-cel/check-env-vars/.chainsaw-test/chainsaw-test.yaml b/other-cel/check-env-vars/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..81223c1fa --- /dev/null +++ b/other-cel/check-env-vars/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,38 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: check-env-vars +spec: + steps: + - name: step-01 + try: + - apply: + file: ../check-env-vars.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: check-env-vars + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pods-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pods-bad.yaml + - apply: + file: podcontrollers-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontrollers-bad.yaml diff --git a/other-cel/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml new file mode 100644 index 000000000..6b1056a69 --- /dev/null +++ b/other-cel/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml 
@@ -0,0 +1,59 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 + env: + - name: DISABLE_OPA + value: "true" + - name: foo + value: bar + - name: busybox02 + image: busybox:1.35 + env: + - name: foo + value: bar + - name: DISABLE_OPA + value: "true" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: busybox + image: busybox:1.35 + env: + - name: DISABLE_OPA + value: "true" + - name: foo + value: bar + - name: busybox02 + image: busybox:1.35 + env: + - name: foo + value: bar + - name: DISABLE_OPA + value: "true" + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/check-env-vars/.chainsaw-test/podcontrollers-good.yaml b/other-cel/check-env-vars/.chainsaw-test/podcontrollers-good.yaml new file mode 100644 index 000000000..91e7d8b6e --- /dev/null +++ b/other-cel/check-env-vars/.chainsaw-test/podcontrollers-good.yaml 
@@ -0,0 +1,59 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 + env: + - name: DISABLE_OPA + value: "false" + - name: foo + value: bar + - name: busybox02 + image: busybox:1.35 + env: + - name: foo + value: bar + - name: DISABLE_OPA + value: "false" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: busybox + image: busybox:1.35 + env: + - name: DISABLE_OPA + value: "false" + - name: foo + value: bar + - name: busybox02 + image: busybox:1.35 + env: + - name: foo + value: bar + - name: DISABLE_OPA + value: "false" + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/check-env-vars/.chainsaw-test/pods-bad.yaml b/other-cel/check-env-vars/.chainsaw-test/pods-bad.yaml new file mode 100644 index 000000000..6712da27d --- /dev/null +++ b/other-cel/check-env-vars/.chainsaw-test/pods-bad.yaml 
@@ -0,0 +1,92 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + run: busybox + name: badpod01 +spec: + containers: + - image: busybox:1.35 + name: busybox + env: + - name: DISABLE_OPA + value: "true" +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + run: busybox + name: badpod02 +spec: + containers: + - image: busybox:1.35 + name: busybox + env: + - name: foo + value: bar + - name: DISABLE_OPA + value: "true" + - image: busybox:1.35 + name: busybox02 + env: + - name: DISABLE_OPA + value: "true" + - name: foo + value: bar +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + run: busybox + name: badpod03 +spec: + containers: + - image: busybox:1.35 + name: busybox + env: + - name: foo + value: bar + - image: busybox:1.35 + name: busybox02 + env: + - name: foo + value: bar + - name: DISABLE_OPA + value: "true" +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + run: busybox + name: badpod04 +spec: + containers: + - image: busybox:1.35 + name: busybox + - image: busybox:1.35 + name: busybox02 + env: + - name: DISABLE_OPA + value: "true" +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + run: busybox + name: badpod05 +spec: + containers: + - image: busybox:1.35 + name: busybox + env: + - name: DISABLE_OPA + value: "false" + - image: busybox:1.35 + name: busybox02 + env: + - name: DISABLE_OPA + value: "true" \ No newline at end of file diff --git a/other-cel/check-env-vars/.chainsaw-test/pods-good.yaml b/other-cel/check-env-vars/.chainsaw-test/pods-good.yaml new file mode 100644 index 000000000..0fe74a3b0 --- /dev/null +++ b/other-cel/check-env-vars/.chainsaw-test/pods-good.yaml 
@@ -0,0 +1,47 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + run: busybox + name: goodpod01 +spec: + containers: + - image: busybox:1.35 + name: busybox + env: + - name: DISABLE_OPA + value: "false" +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + run: busybox + name: goodpod02 +spec: + containers: + - image: busybox:1.35 + name: busybox + env: + - name: foo + value: bar + - name: DISABLE_OPA + value: "false" + - image: busybox:1.35 + name: busybox02 + env: + - name: foo + value: bar +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + run: busybox + name: goodpod03 +spec: + containers: + - image: busybox:1.35 + name: busybox + - image: busybox:1.35 + name: busybox02 \ No newline at end of file diff --git a/other-cel/check-env-vars/.kyverno-test/kyverno-test.yaml b/other-cel/check-env-vars/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..95ea8d9f6 --- /dev/null +++ b/other-cel/check-env-vars/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,22 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: opa-env +policies: +- ../check-env-vars.yaml +resources: +- resource.yaml +results: +- kind: Pod + policy: check-env-vars + resources: + - pod-with-opa-enabled + result: fail + rule: check-disable-opa +- kind: Pod + policy: check-env-vars + resources: + - pod-with-opa-disabled + - pod-without-opa-env + result: pass + rule: check-disable-opa diff --git a/other-cel/check-env-vars/.kyverno-test/resource.yaml b/other-cel/check-env-vars/.kyverno-test/resource.yaml new file mode 100644 index 000000000..86b8239de --- /dev/null +++ b/other-cel/check-env-vars/.kyverno-test/resource.yaml 
@@ -0,0 +1,35 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod-with-opa-disabled + namespace: myservice +spec: + containers: + - env: + - name: DISABLE_OPA + value: "false" + image: quay.io/sdase/sdase-version-collector + name: myservice +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod-with-opa-enabled + namespace: myservice +spec: + containers: + - env: + - name: DISABLE_OPA + value: "true" + image: quay.io/sdase/sdase-version-collector + name: myservice +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod-without-opa-env + namespace: myservice +spec: + containers: + - image: quay.io/sdase/sdase-version-collector + name: myservice diff --git a/other-cel/check-env-vars/artifacthub-pkg.yml b/other-cel/check-env-vars/artifacthub-pkg.yml new file mode 100644 index 000000000..39e1edba3 --- /dev/null +++ b/other-cel/check-env-vars/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: check-env-vars +version: 1.0.0 +displayName: Check Environment Variables +createdAt: "2023-04-10T20:30:03.000Z" +description: >- + Environment variables control many aspects of a container's execution and are often the source of many different configuration settings. Being able to ensure that the value of a specific environment variable either is or is not set to a specific string is useful to maintain such controls. This policy checks every container to ensure that if the `DISABLE_OPA` environment variable is defined, it must not be set to a value of `"true"`. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-env-vars/check-env-vars.yaml + ``` +keywords: + - kyverno + - Other +readme: | + Environment variables control many aspects of a container's execution and are often the source of many different configuration settings. Being able to ensure that the value of a specific environment variable either is or is not set to a specific string is useful to maintain such controls. This policy checks every container to ensure that if the `DISABLE_OPA` environment variable is defined, it must not be set to a value of `"true"`. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other" + kyverno/kubernetesVersion: "1.24" + kyverno/subject: "Pod" +digest: a3bb61fb5b7cc8a92a9c8522432cb2ca580e0ee9dd5fcf58bfb50da0577691de diff --git a/other-cel/check-env-vars/check-env-vars.yaml b/other-cel/check-env-vars/check-env-vars.yaml new file mode 100644 index 000000000..773e78d8b --- /dev/null +++ b/other-cel/check-env-vars/check-env-vars.yaml 
@@ -0,0 +1,36 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-env-vars + annotations: + policies.kyverno.io/severity: medium + policies.kyverno.io/title: Check Environment Variables + policies.kyverno.io/category: Other + policies.kyverno.io/subject: Pod + kyverno.io/kubernetes-version: "1.24" + kyverno.io/kyverno-version: 1.8.2 + policies.kyverno.io/description: >- + Environment variables control many aspects of a container's execution and are + often the source of many different configuration settings. Being able to ensure that + the value of a specific environment variable either is or is not set to a specific string + is useful to maintain such controls. This policy checks every container to ensure that if the + `DISABLE_OPA` environment variable is defined, it must not be set to a value of `"true"`. +spec: + background: true + validationFailureAction: audit + rules: + - name: check-disable-opa + match: + any: + - resources: + kinds: + - Pod + validate: + message: "DISABLE_OPA must not be set to true." + pattern: + spec: + containers: + - name: "*" + =(env): + - (name): DISABLE_OPA + value: "!true" \ No newline at end of file From e9f2716d1671e3bdeb18f587b5252edba0ba80e9 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 21 Mar 2024 13:32:50 +0000 Subject: [PATCH 10/42] convert check-env-vars to cel Signed-off-by: Chandan-DK --- other-cel/check-env-vars/artifacthub-pkg.yml | 15 ++++++------ other-cel/check-env-vars/check-env-vars.yaml | 24 +++++++++----------- 2 files changed, 19 insertions(+), 20 deletions(-) diff --git a/other-cel/check-env-vars/artifacthub-pkg.yml b/other-cel/check-env-vars/artifacthub-pkg.yml index 39e1edba3..ae636c042 100644 --- a/other-cel/check-env-vars/artifacthub-pkg.yml +++ b/other-cel/check-env-vars/artifacthub-pkg.yml 
@@ -1,22 +1,23 @@ -name: check-env-vars +name: check-env-vars-cel version: 1.0.0 -displayName: Check Environment Variables -createdAt: "2023-04-10T20:30:03.000Z" +displayName: Check Environment Variables in CEL expressions description: >- Environment variables control many aspects of a container's execution and are often the source of many different configuration settings. Being able to ensure that the value of a specific environment variable either is or is not set to a specific string is useful to maintain such controls. This policy checks every container to ensure that if the `DISABLE_OPA` environment variable is defined, it must not be set to a value of `"true"`. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-env-vars/check-env-vars.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/check-env-vars/check-env-vars.yaml ``` keywords: - kyverno - Other + - CEL Expressions readme: | Environment variables control many aspects of a container's execution and are often the source of many different configuration settings. Being able to ensure that the value of a specific environment variable either is or is not set to a specific string is useful to maintain such controls. This policy checks every container to ensure that if the `DISABLE_OPA` environment variable is defined, it must not be set to a value of `"true"`. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.24" + kyverno/category: "Other in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: a3bb61fb5b7cc8a92a9c8522432cb2ca580e0ee9dd5fcf58bfb50da0577691de +digest: 58857846eda62ba894f21d0dcea7e50a33a698038e66ebf1871c7b36922c5589 +createdAt: "2024-03-21T13:31:53Z" 
diff --git a/other-cel/check-env-vars/check-env-vars.yaml b/other-cel/check-env-vars/check-env-vars.yaml index 773e78d8b..1803c98f3 100644 --- a/other-cel/check-env-vars/check-env-vars.yaml +++ b/other-cel/check-env-vars/check-env-vars.yaml @@ -3,12 +3,12 @@ kind: ClusterPolicy metadata: name: check-env-vars annotations: + policies.kyverno.io/title: Check Environment Variables in CEL expressions policies.kyverno.io/severity: medium - policies.kyverno.io/title: Check Environment Variables - policies.kyverno.io/category: Other + policies.kyverno.io/category: Other in CEL policies.kyverno.io/subject: Pod - kyverno.io/kubernetes-version: "1.24" - kyverno.io/kyverno-version: 1.8.2 + kyverno.io/kubernetes-version: "1.26-1.27" + kyverno.io/kyverno-version: 1.11.0 policies.kyverno.io/description: >- Environment variables control many aspects of a container's execution and are often the source of many different configuration settings. Being able to ensure that @@ -17,7 +17,7 @@ metadata: `DISABLE_OPA` environment variable is defined, it must not be set to a value of `"true"`. spec: background: true - validationFailureAction: audit + validationFailureAction: Audit rules: - name: check-disable-opa match: @@ -26,11 +26,9 @@ spec: kinds: - Pod validate: - message: "DISABLE_OPA must not be set to true." - pattern: - spec: - containers: - - name: "*" - =(env): - - (name): DISABLE_OPA - value: "!true" \ No newline at end of file + cel: + expressions: + - expression: >- + !object.spec.containers.exists(container, has(container.env) && + container.env.exists(e, e.name == 'DISABLE_OPA' && e.value == 'true')) + message: "DISABLE_OPA must not be set to true." From 486cb1d0ad68f35f4278ab4f4c16c7b3763ac066 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 21 Mar 2024 13:34:09 +0000 Subject: [PATCH 11/42] copy check-serviceaccount-secrets 
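Review bot: `e.value == 'true'` is evaluated without first checking that `value` exists, and an env entry populated via `valueFrom` (ConfigMap, Secret or fieldRef) has no `value` key; in Kubernetes CEL that access is a runtime error, which I believe Kyverno reports as a rule failure rather than a pass, so under Enforce any Pod sourcing `DISABLE_OPA` from a ConfigMap would be rejected with an error instead of the policy message. Guard it: `container.env.exists(e, e.name == 'DISABLE_OPA' && has(e.value) && e.value == 'true')`. Like the pattern it replaces, the expression inspects only `spec.containers` (not `initContainers` or `ephemeralContainers`) and cannot see a value supplied through `valueFrom` at all, which is worth stating in the description since the policy otherwise reads as a guarantee. Neither pods-good.yaml nor pods-bad.yaml contains a `valueFrom` entry, so this path is currently untested.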
Signed-off-by: Chandan-DK --- .../.chainsaw-test/bad-svc-account.yaml | 7 ++++ .../chainsaw-step-01-assert-1.yaml | 6 ++++ .../.chainsaw-test/chainsaw-test.yaml | 29 +++++++++++++++++ .../.chainsaw-test/good-svc-account.yaml | 5 +++ .../.kyverno-test/kyverno-test.yaml | 21 ++++++++++++ .../.kyverno-test/resource.yaml | 14 ++++++++ .../artifacthub-pkg.yaml | 32 +++++++++++++++++++ .../check-serviceaccount-secrets.yaml | 32 +++++++++++++++++++ 8 files changed, 146 insertions(+) create mode 100644 other-cel/check-serviceaccount-secrets/.chainsaw-test/bad-svc-account.yaml create mode 100644 other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100644 other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/check-serviceaccount-secrets/.chainsaw-test/good-svc-account.yaml create mode 100644 other-cel/check-serviceaccount-secrets/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/check-serviceaccount-secrets/.kyverno-test/resource.yaml create mode 100644 other-cel/check-serviceaccount-secrets/artifacthub-pkg.yaml create mode 100644 other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml diff --git a/other-cel/check-serviceaccount-secrets/.chainsaw-test/bad-svc-account.yaml b/other-cel/check-serviceaccount-secrets/.chainsaw-test/bad-svc-account.yaml new file mode 100644 index 000000000..a88b34090 --- /dev/null +++ b/other-cel/check-serviceaccount-secrets/.chainsaw-test/bad-svc-account.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: bad-svc-account-02 + namespace: default +secrets: + - name: example-automated-thing-token-zyxwv \ No newline at end of file diff --git a/other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100644 index 000000000..3ff132b35 --- /dev/null 
+++ b/other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-serviceaccount-secrets +status: + ready: true diff --git a/other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-test.yaml b/other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-test.yaml new file mode 100644 index 000000000..7302d879d --- /dev/null +++ b/other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,29 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: check-service-accounts +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../check-serviceaccount-secrets.yaml | kubectl create -f - + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: good-svc-account.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-svc-account.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: check-serviceaccount-secrets \ No newline at end of file diff --git a/other-cel/check-serviceaccount-secrets/.chainsaw-test/good-svc-account.yaml b/other-cel/check-serviceaccount-secrets/.chainsaw-test/good-svc-account.yaml new file mode 100644 index 000000000..72fe039cf --- /dev/null +++ b/other-cel/check-serviceaccount-secrets/.chainsaw-test/good-svc-account.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: good-svc-account + namespace: default diff --git a/other-cel/check-serviceaccount-secrets/.kyverno-test/kyverno-test.yaml b/other-cel/check-serviceaccount-secrets/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..f2438227d --- /dev/null +++ b/other-cel/check-serviceaccount-secrets/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,21 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: svc-name +policies: +- ../check-serviceaccount-secrets.yaml +resources: +- resource.yaml +results: +- kind: ServiceAccount + policy: check-serviceaccount-secrets + resources: + - bad-svc-account + result: fail + rule: deny-secrets +- kind: ServiceAccount + policy: check-serviceaccount-secrets + resources: + - good-svc-account + result: pass + rule: deny-secrets \ No newline at end of file diff --git a/other-cel/check-serviceaccount-secrets/.kyverno-test/resource.yaml b/other-cel/check-serviceaccount-secrets/.kyverno-test/resource.yaml new file mode 100644 index 000000000..e2d53b0dc --- /dev/null +++ b/other-cel/check-serviceaccount-secrets/.kyverno-test/resource.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: bad-svc-account + namespace: default +secrets: + - name: build-robot-secret +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: good-svc-account + namespace: default + diff --git a/other-cel/check-serviceaccount-secrets/artifacthub-pkg.yaml b/other-cel/check-serviceaccount-secrets/artifacthub-pkg.yaml new file mode 100644 index 000000000..1913f5a68 --- /dev/null +++ b/other-cel/check-serviceaccount-secrets/artifacthub-pkg.yaml 
@@ -0,0 +1,32 @@ +name: check-serviceaccount-secrets +version: 1.0.0 +displayName: Check Existence of Secrets in ServiceAccount +createdAt: "2024-03-02T06:14:33.000Z" +description: >- + Before version 1.24, Kubernetes automatically generated Secret-based tokens + for ServiceAccounts. To distinguish between automatically generated tokens + and manually created ones, Kubernetes checks for a reference from the + ServiceAccount's secrets field. If the Secret is referenced in the secrets + field, it is considered an auto-generated legacy token. These legacy Tokens can + be of security concern and should be audited. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml + ``` +keywords: + - kyverno + - Sample +readme: | + Before version 1.24, Kubernetes automatically generated Secret-based tokens + for ServiceAccounts. To distinguish between automatically generated tokens + and manually created ones, Kubernetes checks for a reference from the + ServiceAccount's secrets field. If the Secret is referenced in the secrets + field, it is considered an auto-generated legacy token. These legacy Tokens can + be of security concern and should be audited. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Security" + kyverno/kubernetesVersion: "1.27" + kyverno/subject: "Secret,ServiceAccount" +digest: 43f9a02f3d13e172bbd0a24cae3747184c407f7df2b777247625906e851eff7e diff --git a/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml b/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml new file mode 100644 index 000000000..6459a0f3a --- /dev/null +++ b/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml 
@@ -0,0 +1,32 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-serviceaccount-secrets + annotations: + policies.kyverno.io/title: Check Long-Lived Secrets in ServiceAccounts + policies.kyverno.io/category: Security + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.11.1 + kyverno.io/kubernetes-version: "1.27" + policies.kyverno.io/subject: Secret,ServiceAccount + policies.kyverno.io/description: >- + Before version 1.24, Kubernetes automatically generated Secret-based tokens + for ServiceAccounts. To distinguish between automatically generated tokens + and manually created ones, Kubernetes checks for a reference from the + ServiceAccount's secrets field. If the Secret is referenced in the secrets + field, it is considered an auto-generated legacy token. These legacy Tokens can + be of security concern and should be audited. +spec: + validationFailureAction: Audit + background: true + rules: + - name: deny-secrets + match: + any: + - resources: + kinds: + - ServiceAccount + validate: + message: "Long-lived API tokens are not allowed." + pattern: + X(secrets): \ No newline at end of file From ceece5c86443b137bd296e5660db004d9363830f Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 21 Mar 2024 13:49:05 +0000 Subject: [PATCH 12/42] convert check-serviceaccount-secrets to cel Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yaml | 15 ++++++++------- .../check-serviceaccount-secrets.yaml | 15 ++++++++------- 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/other-cel/check-serviceaccount-secrets/artifacthub-pkg.yaml b/other-cel/check-serviceaccount-secrets/artifacthub-pkg.yaml index 1913f5a68..260e55393 100644 --- a/other-cel/check-serviceaccount-secrets/artifacthub-pkg.yaml +++ b/other-cel/check-serviceaccount-secrets/artifacthub-pkg.yaml 
@@ -1,7 +1,6 @@ -name: check-serviceaccount-secrets +name: check-serviceaccount-secrets-cel version: 1.0.0 -displayName: Check Existence of Secrets in ServiceAccount -createdAt: "2024-03-02T06:14:33.000Z" +displayName: Check Existence of Secrets in ServiceAccount in CEL expressions description: >- Before version 1.24, Kubernetes automatically generated Secret-based tokens for ServiceAccounts. To distinguish between automatically generated tokens @@ -11,11 +10,12 @@ description: >- be of security concern and should be audited. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml ``` keywords: - kyverno - Sample + - CEL Expressions readme: | Before version 1.24, Kubernetes automatically generated Secret-based tokens for ServiceAccounts. To distinguish between automatically generated tokens @@ -26,7 +26,8 @@ readme: | Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Security" - kyverno/kubernetesVersion: "1.27" + kyverno/category: "Security in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Secret,ServiceAccount" -digest: 43f9a02f3d13e172bbd0a24cae3747184c407f7df2b777247625906e851eff7e +digest: 8f7e2e179c7e7fe85cbc8cf05c0b7111301836260fc95f0c50cc35d1894a37c3 +createdAt: "2024-03-21T13:47:35Z" diff --git a/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml b/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml index 6459a0f3a..b3aab98e7 100644 --- a/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml +++ b/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml 
@@ -3,11 +3,11 @@ kind: ClusterPolicy metadata: name: check-serviceaccount-secrets annotations: - policies.kyverno.io/title: Check Long-Lived Secrets in ServiceAccounts - policies.kyverno.io/category: Security + policies.kyverno.io/title: Check Long-Lived Secrets in ServiceAccounts in CEL expressions + policies.kyverno.io/category: Security in CEL policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.1 - kyverno.io/kubernetes-version: "1.27" + kyverno.io/kyverno-version: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: Secret,ServiceAccount policies.kyverno.io/description: >- Before version 1.24, Kubernetes automatically generated Secret-based tokens @@ -27,6 +27,7 @@ spec: kinds: - ServiceAccount validate: - message: "Long-lived API tokens are not allowed." - pattern: - X(secrets): \ No newline at end of file + cel: + expressions: + - expression: "!has(object.secrets)" + message: "Long-lived API tokens are not allowed." From d691d7bd35bc39d7738647d2f7beffb042073440 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 21 Mar 2024 13:52:07 +0000 Subject: [PATCH 13/42] add CI test for directories starting with b to d in other-cel folder Signed-off-by: Chandan-DK --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 3196cc5d4..9fbc75f9e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -54,7 +54,7 @@ jobs: - ^other$/^res - ^other$/^[s-z] - ^other-cel$/^a - - ^other-cel$/^b + - ^other-cel$/^[b-d] - ^pod-security$ - ^pod-security-cel$ - ^psa$ From f284a7354e1644d6ed6338fcd15e22ab10be3d9d Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 21 Mar 2024 14:17:11 +0000 Subject: [PATCH 14/42] copy check-node-for-cve-2022-0185 
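Review bot: The annotation `policies.kyverno.io/subject: Secret,ServiceAccount` (context line in the first hunk) promises coverage of Secrets, but the only match is `kinds: - ServiceAccount` and the new `!has(object.secrets)` looks solely at the ServiceAccount's `secrets` list; a long-lived token created by hand as a Secret of type `kubernetes.io/service-account-token` with the `kubernetes.io/service-account.name` annotation is never listed there (the description itself says only auto-generated tokens are referenced) and passes this policy untouched. Either narrow the subject annotation to `ServiceAccount` or add a second rule on Secret, as sketched below, and extend the chainsaw/kyverno-test fixtures with such a Secret. Separately, the message `Long-lived API tokens are not allowed.` overstates what `!has(object.secrets)` can tell, since any deliberately listed Secret also trips it; the description's own wording, that these references `should be audited`, would be a more honest message.
```yaml
    # … unchanged: deny-secrets rule …
    - name: deny-legacy-token-secrets
      match:
        any:
        - resources:
            kinds:
            - Secret
      validate:
        cel:
          expressions:
            - expression: "object.type != 'kubernetes.io/service-account-token'"
              message: "Long-lived ServiceAccount token Secrets should be audited; use bound tokens instead."
```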
Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yml | 22 +++++++++++ .../check-node-for-cve-2022-0185.yaml | 39 +++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml create mode 100644 other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml diff --git a/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml b/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml new file mode 100644 index 000000000..7d4297f14 --- /dev/null +++ b/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: check-node-for-cve-2022-0185 +version: 1.0.0 +displayName: Check Node for CVE-2022-0185 +createdAt: "2023-04-10T20:30:03.000Z" +description: >- + Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched. The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2. For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185. This policy runs in background mode and flags an entry in the ClusterPolicyReport if any Node is reporting one of the affected kernel versions. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml + ``` +keywords: + - kyverno + - Other +readme: | + Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched. The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2. For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185. This policy runs in background mode and flags an entry in the ClusterPolicyReport if any Node is reporting one of the affected kernel versions. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other" + kyverno/kubernetesVersion: "1.23" + kyverno/subject: "Node" +digest: ff64c6f2754226a75b84e88862af65ecc49ebad50cabd601687fd5770003f36a diff --git a/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml b/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml new file mode 100644 index 000000000..a0a287a5e --- /dev/null +++ b/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml 
@@ -0,0 +1,39 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-kernel + annotations: + policies.kyverno.io/title: Check Node for CVE-2022-0185 + policies.kyverno.io/category: Other + policies.kyverno.io/severity: high + kyverno.io/kyverno-version: 1.6.0 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/subject: Node + policies.kyverno.io/description: >- + Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched. + The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2. + For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185. + This policy runs in background mode and flags an entry in the ClusterPolicyReport + if any Node is reporting one of the affected kernel versions. +spec: + validationFailureAction: audit + background: true + rules: + - name: kernel-validate + match: + any: + - resources: + kinds: + - Node + validate: + message: "Kernel is vulnerable to CVE-2022-0185." + deny: + conditions: + any: + - key: "{{request.object.status.nodeInfo.kernelVersion}}" + operator: Equals + value: "5.10.84-1" + - key: "{{request.object.status.nodeInfo.kernelVersion}}" + operator: Equals + value: "5.15.5-2" \ No newline at end of file From 4a892f6139d9eed59b32bb032234a83cd549db11 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 21 Mar 2024 14:21:27 +0000 Subject: [PATCH 15/42] convert check-node-for-cve-2022-0185 Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yml | 15 ++++++----- .../check-node-for-cve-2022-0185.yaml | 27 ++++++++----------- 2 files changed, 19 insertions(+), 23 deletions(-) diff --git a/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml b/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml index 7d4297f14..e52a59abf 100644 --- a/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml +++ b/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml 
@@ -1,22 +1,23 @@
-name: check-node-for-cve-2022-0185
+name: check-node-for-cve-2022-0185-cel
 version: 1.0.0
-displayName: Check Node for CVE-2022-0185
-createdAt: "2023-04-10T20:30:03.000Z"
+displayName: Check Node for CVE-2022-0185 in CEL expressions
 description: >-
 Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched. The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2. For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185. This policy runs in background mode and flags an entry in the ClusterPolicyReport if any Node is reporting one of the affected kernel versions.
 install: |-
 ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
 ```
 keywords:
 - kyverno
 - Other
+ - CEL Expressions
 readme: |
 Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched. The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2. For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185. This policy runs in background mode and flags an entry in the ClusterPolicyReport if any Node is reporting one of the affected kernel versions.
 Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 annotations:
- kyverno/category: "Other"
- kyverno/kubernetesVersion: "1.23"
+ kyverno/category: "Other in CEL"
+ kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Node"
-digest: ff64c6f2754226a75b84e88862af65ecc49ebad50cabd601687fd5770003f36a
+digest: b422e9817a282dd268c90c7cb2f74a9e9760e8f8a654645bed1a9976581b8318
+createdAt: "2024-03-21T14:21:00Z"
diff --git a/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml b/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
index a0a287a5e..fd0fb0727 100644
--- a/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
+++ b/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
@@ -3,12 +3,12 @@ kind: ClusterPolicy
 metadata:
 name: check-kernel
 annotations:
- policies.kyverno.io/title: Check Node for CVE-2022-0185
- policies.kyverno.io/category: Other
+ policies.kyverno.io/title: Check Node for CVE-2022-0185 in CEL expressions
+ policies.kyverno.io/category: Other in CEL
 policies.kyverno.io/severity: high
- kyverno.io/kyverno-version: 1.6.0
- policies.kyverno.io/minversion: 1.6.0
- kyverno.io/kubernetes-version: "1.23"
+ kyverno.io/kyverno-version: 1.11.0
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
 policies.kyverno.io/subject: Node
 policies.kyverno.io/description: >-
 Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched.
@@ -17,7 +17,7 @@ metadata:
 This policy runs in background mode and flags an entry in the ClusterPolicyReport
 if any Node is reporting one of the affected kernel versions.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: kernel-validate
@@ -27,13 +27,8 @@ spec:
 kinds:
 - Node
 validate:
- message: "Kernel is vulnerable to CVE-2022-0185."
- deny:
- conditions:
- any:
- - key: "{{request.object.status.nodeInfo.kernelVersion}}"
- operator: Equals
- value: "5.10.84-1"
- - key: "{{request.object.status.nodeInfo.kernelVersion}}"
- operator: Equals
- value: "5.15.5-2"
\ No newline at end of file
+ cel:
+ expressions:
+ - expression: "!(object.status.nodeInfo.kernelVersion in ['5.10.84-1', '5.15.5-2'])"
+ message: "Kernel is vulnerable to CVE-2022-0185."
+ 
\ No newline at end of file
From 12cb8600cb3a94920d5c61932e7d1e1ba362b64d Mon Sep 17 00:00:00 2001
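Review bot: The new `expression` dereferences `object.status.nodeInfo.kernelVersion` without a guard, so a Node whose `status.nodeInfo` has not been populated yet turns the rule into a CEL evaluation error rather than a pass or a fail; `- expression: "!has(object.status.nodeInfo) || !(object.status.nodeInfo.kernelVersion in ['5.10.84-1', '5.15.5-2'])"` keeps the deny for the listed versions and treats an unreported kernel as not matching. The last added line is whitespace-only and the file still ends without a newline (`+ ` directly before `\ No newline at end of file`); the deny-secret-service-account-token-type conversion later in this series has the same trailing line. The two literals in the list are the Debian package versions taken over from the removed `deny` conditions rather than kernel release strings, so the concern that this rule never matches a real Node's `kernelVersion` carries over unchanged.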
From: Chandan-DK Date: Fri, 22 Mar 2024 07:30:58 +0000 Subject: [PATCH 16/42] copy deny-secret-service-account-token-type Signed-off-by: Chandan-DK --- .../.chainsaw-test/bad-secret.yaml | 7 +++++ .../chainsaw-step-01-assert-1.yaml | 6 ++++ .../.chainsaw-test/chainsaw-test.yaml | 31 +++++++++++++++++++ .../.chainsaw-test/good-secret.yaml | 8 +++++ .../.kyverno-test/kyverno-test.yaml | 21 +++++++++++++ .../.kyverno-test/resource.yaml | 16 ++++++++++ .../artifacthub-pkg.yaml | 30 ++++++++++++++++++ ...eny-secret-service-account-token-type.yaml | 31 +++++++++++++++++++ 8 files changed, 150 insertions(+) create mode 100644 other-cel/deny-secret-service-account-token-type/.chainsaw-test/bad-secret.yaml create mode 100644 other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100644 other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/deny-secret-service-account-token-type/.chainsaw-test/good-secret.yaml create mode 100644 other-cel/deny-secret-service-account-token-type/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/deny-secret-service-account-token-type/.kyverno-test/resource.yaml create mode 100644 other-cel/deny-secret-service-account-token-type/artifacthub-pkg.yaml create mode 100644 other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml diff --git a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/bad-secret.yaml b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/bad-secret.yaml new file mode 100644 index 000000000..50e52dc34 --- /dev/null +++ b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/bad-secret.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: bad-secret + annotations: + kubernetes.io/service-account.name: build-robot +type: kubernetes.io/service-account-token \ No newline at end of file 
diff --git a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100644 index 000000000..20cbb81b1 --- /dev/null +++ b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny-secret-service-account-token-type +status: + ready: true \ No newline at end of file diff --git a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml new file mode 100644 index 000000000..02a52cde3 --- /dev/null +++ b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,31 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: deny-secret-service-account-token-type +spec: + steps: + - name: step-01 + try: + - apply: + file: ../deny-secret-service-account-token-type.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: deny-secret-service-account-token-type + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: good-secret.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-secret.yaml diff --git a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/good-secret.yaml b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/good-secret.yaml new file mode 100644 index 000000000..8ac352371 --- /dev/null +++ b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/good-secret.yaml 
@@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: good-secret +type: kubernetes.io/basic-auth +stringData: + username: admin + password: t0p-Secret \ No newline at end of file diff --git a/other-cel/deny-secret-service-account-token-type/.kyverno-test/kyverno-test.yaml b/other-cel/deny-secret-service-account-token-type/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..efb0e7773 --- /dev/null +++ b/other-cel/deny-secret-service-account-token-type/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,21 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: deny-secret-service-account-token-type +policies: +- ../deny-secret-service-account-token-type.yaml +resources: +- resource.yaml +results: +- kind: Secret + policy: deny-secret-service-account-token-type + resources: + - bad-secret + result: fail + rule: deny-secret-service-account-token-type +- kind: Secret + policy: deny-secret-service-account-token-type + resources: + - good-secret + result: pass + rule: deny-secret-service-account-token-type \ No newline at end of file diff --git a/other-cel/deny-secret-service-account-token-type/.kyverno-test/resource.yaml b/other-cel/deny-secret-service-account-token-type/.kyverno-test/resource.yaml new file mode 100644 index 000000000..c0667a55a --- /dev/null +++ b/other-cel/deny-secret-service-account-token-type/.kyverno-test/resource.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Secret +metadata: + name: bad-secret + annotations: + kubernetes.io/service-account.name: build-robot +type: kubernetes.io/service-account-token +--- +apiVersion: v1 +kind: Secret +metadata: + name: good-secret +type: kubernetes.io/basic-auth +stringData: + username: admin + password: t0p-Secret \ No newline at end of file diff --git a/other-cel/deny-secret-service-account-token-type/artifacthub-pkg.yaml b/other-cel/deny-secret-service-account-token-type/artifacthub-pkg.yaml new file mode 100644 index 000000000..1cbd5e87b --- /dev/null 
+++ b/other-cel/deny-secret-service-account-token-type/artifacthub-pkg.yaml @@ -0,0 +1,30 @@ +name: deny-secret-service-account-token-type +version: 1.0.0 +displayName: Deny Secret Service Account Token Type +createdAt: "2024-01-07T20:14:33.000Z" +description: >- + Before version 1.24, Kubernetes automatically generated Secret-based tokens + for ServiceAccounts. When creating a Secret, you can specify its type using the + type field of the Secret resource . The type kubernetes.io/service-account-token + is used for legacy ServiceAccount tokens . These legacy Tokens can + be of security concern and should be audited. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml + ``` +keywords: + - kyverno + - Sample +readme: | + Before version 1.24, Kubernetes automatically generated Secret-based tokens + for ServiceAccounts. When creating a Secret, you can specify its type using the + type field of the Secret resource . The type kubernetes.io/service-account-token + is used for legacy ServiceAccount tokens . These legacy Tokens can + be of security concern and should be audited. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Security" + kyverno/kubernetesVersion: "1.27" + kyverno/subject: "Secret,ServiceAccount" +digest: 106c14ef2f33f3426e8bceaa47f696c7a9a10262955862f680497f3daa34c545 diff --git a/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml b/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml new file mode 100644 index 000000000..69059b7be --- /dev/null +++ b/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml 
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny-secret-service-account-token-type
+ annotations:
+ policies.kyverno.io/title: Deny Secret Service Account Token Type
+ policies.kyverno.io/category: Security
+ kyverno.io/kubernetes-version: "1.27"
+ kyverno.io/kyverno-version: 1.11.1
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Secret
+ policies.kyverno.io/description: >-
+ Before version 1.24, Kubernetes automatically generated Secret-based tokens
+ for ServiceAccounts. When creating a Secret, you can specify its type using the
+ type field of the Secret resource . The type kubernetes.io/service-account-token
+ is used for legacy ServiceAccount tokens . These legacy Tokens can
+ be of security concern and should be audited.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: deny-secret-service-account-token-type
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ validate:
+ message: "Secret ServiceAccount token type is not allowed."
+ pattern:
+ type: "!kubernetes.io/service-account-token"
\ No newline at end of file
From c6f9fbc3fd412e0a2d45de94306541e16737e979 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Fri, 22 Mar 2024 07:47:43 +0000
Subject: [PATCH 17/42] convert deny-secret-service-account-token-type to cel
Signed-off-by: Chandan-DK
---
 .../artifacthub-pkg.yaml | 17 +++++++++--------
 .../deny-secret-service-account-token-type.yaml | 16 +++++++++-------
 .../artifacthub-pkg.yaml | 2 +-
 3 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/other-cel/deny-secret-service-account-token-type/artifacthub-pkg.yaml b/other-cel/deny-secret-service-account-token-type/artifacthub-pkg.yaml
index 1cbd5e87b..54d22db56 100644
--- a/other-cel/deny-secret-service-account-token-type/artifacthub-pkg.yaml
+++ b/other-cel/deny-secret-service-account-token-type/artifacthub-pkg.yaml
@@ -1,7 +1,6 @@
-name: deny-secret-service-account-token-type
+name: deny-secret-service-account-token-type-cel
 version: 1.0.0
-displayName: Deny Secret Service Account Token Type
-createdAt: "2024-01-07T20:14:33.000Z"
+displayName: Deny Secret Service Account Token Type in CEL expressions
 description: >-
 Before version 1.24, Kubernetes automatically generated Secret-based tokens
 for ServiceAccounts. When creating a Secret, you can specify its type using the
@@ -10,11 +9,12 @@ description: >-
 be of security concern and should be audited.
 install: |-
 ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml
 ```
 keywords:
 - kyverno
 - Sample
+ - CEL Expressions
 readme: |
 Before version 1.24, Kubernetes automatically generated Secret-based tokens
 for ServiceAccounts. When creating a Secret, you can specify its type using the
@@ -24,7 +24,8 @@ readme: |
 Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 annotations:
- kyverno/category: "Security"
- kyverno/kubernetesVersion: "1.27"
- kyverno/subject: "Secret,ServiceAccount"
-digest: 106c14ef2f33f3426e8bceaa47f696c7a9a10262955862f680497f3daa34c545
+ kyverno/category: "Security in CEL"
+ kyverno/kubernetesVersion: "1.26-1.27"
+ kyverno/subject: "Secret"
+digest: 7fa15f20634f82aa6de4f5c10c449a2ef43919979671323ed571f0ce233ccefa
+createdAt: "2024-03-22T07:40:19Z"
\ No newline at end of file
diff --git a/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml b/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml
index 69059b7be..b51df4a0d 100644
--- a/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml
+++ b/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml
@@ -3,10 +3,10 @@ kind: ClusterPolicy
 metadata:
 name: deny-secret-service-account-token-type
 annotations:
- policies.kyverno.io/title: Deny Secret Service Account Token Type
- policies.kyverno.io/category: Security
- kyverno.io/kubernetes-version: "1.27"
- kyverno.io/kyverno-version: 1.11.1
+ policies.kyverno.io/title: Deny Secret Service Account Token Type in CEL expressions
+ policies.kyverno.io/category: Security in CEL
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ kyverno.io/kyverno-version: 1.11.0
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Secret
 policies.kyverno.io/description: >-
@@ -26,6 +26,8 @@ spec:
 kinds:
 - Secret
 validate:
- message: "Secret ServiceAccount token type is not allowed."
- pattern:
- type: "!kubernetes.io/service-account-token"
\ No newline at end of file
+ cel:
+ expressions:
+ - expression: "object.type != 'kubernetes.io/service-account-token'"
+ message: "Secret ServiceAccount token type is not allowed."
+ 
\ No newline at end of file
diff --git a/other/deny-secret-service-account-token-type/artifacthub-pkg.yaml b/other/deny-secret-service-account-token-type/artifacthub-pkg.yaml
index 1cbd5e87b..1f9bc88b9 100644
--- a/other/deny-secret-service-account-token-type/artifacthub-pkg.yaml
+++ b/other/deny-secret-service-account-token-type/artifacthub-pkg.yaml
@@ -26,5 +26,5 @@ readme: |
 annotations:
 kyverno/category: "Security"
 kyverno/kubernetesVersion: "1.27"
- kyverno/subject: "Secret,ServiceAccount"
+ kyverno/subject: "Secret"
 digest: 106c14ef2f33f3426e8bceaa47f696c7a9a10262955862f680497f3daa34c545
From a4ad77c6c9a16d687aa799bbb3151b6cd4be6a17 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Fri, 22 Mar 2024 07:57:44 +0000
Subject: [PATCH 18/42] copy disallow-all-secrets
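Review bot: `object.type` in the new `expression` is read with no `has()` guard; at admission the API server defaults a Secret's `type` to `Opaque` before the webhook sees it, but the Kyverno CLI (which the `.kyverno-test` in this directory relies on) and any offline evaluation see the manifest as written, and a Secret without `type` then yields a CEL missing-key error instead of a pass or fail. `- expression: "!has(object.type) || object.type != 'kubernetes.io/service-account-token'"` makes the untyped case explicit and keeps the deny for the legacy token type. The final added line is whitespace-only with no trailing newline, as in the check-node-for-cve-2022-0185 conversion earlier in this series.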
Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 + .../.chainsaw-test/chainsaw-test.yaml | 38 ++++ .../.chainsaw-test/podcontrollers-bad.yaml | 189 ++++++++++++++++++ .../.chainsaw-test/podcontrollers-good.yaml | 175 ++++++++++++++++ .../.chainsaw-test/pods-bad.yaml | 96 +++++++++ .../.chainsaw-test/pods-good.yaml | 71 +++++++ .../.kyverno-test/kyverno-test.yaml | 48 +++++ .../.kyverno-test/resource.yaml | 52 +++++ .../disallow-all-secrets/artifacthub-pkg.yml | 22 ++ .../disallow-all-secrets.yaml | 79 ++++++++ 10 files changed, 776 insertions(+) create mode 100755 other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml create mode 100644 other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml create mode 100644 other-cel/disallow-all-secrets/.chainsaw-test/pods-bad.yaml create mode 100644 other-cel/disallow-all-secrets/.chainsaw-test/pods-good.yaml create mode 100644 other-cel/disallow-all-secrets/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/disallow-all-secrets/.kyverno-test/resource.yaml create mode 100644 other-cel/disallow-all-secrets/artifacthub-pkg.yml create mode 100644 other-cel/disallow-all-secrets/disallow-all-secrets.yaml diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..1f88265d6 --- /dev/null +++ b/other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: no-secrets +status: + ready: true 
diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..5c33a2547 --- /dev/null +++ b/other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,38 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-all-secrets +spec: + steps: + - name: step-01 + try: + - apply: + file: ../disallow-all-secrets.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: no-secrets + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pods-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pods-bad.yaml + - apply: + file: podcontrollers-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontrollers-bad.yaml diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml new file mode 100644 index 000000000..eacd6b86e --- /dev/null +++ b/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml 
@@ -0,0 +1,189 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + initContainers: + - image: busybox:1.35 + name: busybox02-init + env: + - name: SECRET_BAD + valueFrom: + secretKeyRef: + name: foo + key: pass + - image: busybox:1.35 + name: busybox-init + env: + - name: foo + value: bar + containers: + - image: busybox:1.35 + name: busybox + env: + - name: SECRET_BAD + valueFrom: + secretKeyRef: + name: foo + key: pass + - image: busybox:1.35 + name: busybox02 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + initContainers: + - image: busybox:1.35 + name: busybox02-init + - image: busybox:1.35 + name: busybox-init + envFrom: + - secretRef: + name: foo + containers: + - image: busybox:1.35 + name: busybox + envFrom: + - secretRef: + name: foo + - image: busybox:1.35 + name: busybox02 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + - image: busybox:1.35 + name: busybox02 + volumes: + - name: foo-vol + secret: + secretName: foo-secret +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + initContainers: + - image: busybox:1.35 + name: busybox02-init + env: + - name: SECRET_BAD + valueFrom: + secretKeyRef: + name: foo + key: pass + - image: busybox:1.35 + name: busybox-init + env: + - name: foo + value: bar + containers: + - image: busybox:1.35 + name: 
busybox + env: + - name: SECRET_BAD + valueFrom: + secretKeyRef: + name: foo + key: pass + - image: busybox:1.35 + name: busybox02 + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + initContainers: + - image: busybox:1.35 + name: busybox02-init + - image: busybox:1.35 + name: busybox-init + envFrom: + - secretRef: + name: foo + containers: + - image: busybox:1.35 + name: busybox + envFrom: + - secretRef: + name: foo + - image: busybox:1.35 + name: busybox02 + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - image: busybox:1.35 + name: busybox + - image: busybox:1.35 + name: busybox02 + volumes: + - name: foo-vol + secret: + secretName: foo-secret + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml new file mode 100644 index 000000000..093487967 --- /dev/null +++ b/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml 
@@ -0,0 +1,175 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + initContainers: + - image: busybox:1.35 + name: busybox02-init + - image: busybox:1.35 + name: busybox-init + env: + - name: foo + value: bar + containers: + - image: busybox:1.35 + name: busybox + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - image: busybox:1.35 + name: busybox02 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + initContainers: + - image: busybox:1.35 + name: busybox02-init + - image: busybox:1.35 + name: busybox-init + envFrom: + - configMapRef: + name: foo-bar + containers: + - image: busybox:1.35 + name: busybox + envFrom: + - configMapRef: + name: foo-bar + - image: busybox:1.35 + name: busybox02 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + - image: busybox:1.35 + name: busybox02 + volumes: + - name: foo-vol + emptyDir: + sizeLimit: 100Mi +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + initContainers: + - image: busybox:1.35 + name: busybox02-init + - image: busybox:1.35 + name: busybox-init + env: + - name: foo + value: bar + containers: + - image: busybox:1.35 + name: busybox + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - image: busybox:1.35 + name: busybox02 + restartPolicy: OnFailure 
+--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + initContainers: + - image: busybox:1.35 + name: busybox02-init + - image: busybox:1.35 + name: busybox-init + envFrom: + - configMapRef: + name: foo-bar + containers: + - image: busybox:1.35 + name: busybox + envFrom: + - configMapRef: + name: foo-bar + - image: busybox:1.35 + name: busybox02 + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - image: busybox:1.35 + name: busybox + - image: busybox:1.35 + name: busybox02 + volumes: + - name: foo-vol + emptyDir: + sizeLimit: 100Mi + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/pods-bad.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/pods-bad.yaml new file mode 100644 index 000000000..a82e4e342 --- /dev/null +++ b/other-cel/disallow-all-secrets/.chainsaw-test/pods-bad.yaml 
@@ -0,0 +1,96 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + initContainers: + - image: busybox:1.35 + name: busybox02-init + env: + - name: SECRET_BAD + valueFrom: + secretKeyRef: + name: foo + key: pass + - image: busybox:1.35 + name: busybox-init + env: + - name: foo + value: bar + containers: + - image: busybox:1.35 + name: busybox + env: + - name: SECRET_BAD + valueFrom: + secretKeyRef: + name: foo + key: pass + - image: busybox:1.35 + name: busybox02 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + initContainers: + - image: busybox:1.35 + name: busybox02-init + - image: busybox:1.35 + name: busybox-init + envFrom: + - secretRef: + name: foo + containers: + - image: busybox:1.35 + name: busybox + envFrom: + - secretRef: + name: foo + - image: busybox:1.35 + name: busybox02 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - image: busybox:1.35 + name: busybox + - image: busybox:1.35 + name: busybox02 + volumes: + - name: foo-vol + secret: + secretName: foo-secret +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + initContainers: + - image: busybox:1.35 + name: busybox02-init + - image: busybox:1.35 + name: busybox-init + env: + - name: SECRET_BAD + valueFrom: + secretKeyRef: + name: foo + key: pass + containers: + - image: busybox:1.35 + name: busybox + envFrom: + - secretRef: + name: foo + - image: busybox:1.35 + name: busybox02 + volumes: + - name: foo-vol + secret: + secretName: foo-secret \ No newline at end of file diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/pods-good.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/pods-good.yaml new file mode 100644 index 000000000..cb3bb22ee --- /dev/null +++ b/other-cel/disallow-all-secrets/.chainsaw-test/pods-good.yaml 
@@ -0,0 +1,71 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + initContainers: + - image: busybox:1.35 + name: busybox02-init + - image: busybox:1.35 + name: busybox-init + env: + - name: foo + value: bar + containers: + - image: busybox:1.35 + name: busybox + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - image: busybox:1.35 + name: busybox02 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - image: busybox:1.35 + name: busybox-init + - image: busybox:1.35 + name: busybox02-init +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + initContainers: + - image: busybox:1.35 + name: busybox02-init + - image: busybox:1.35 + name: busybox-init + envFrom: + - configMapRef: + name: foo-bar + containers: + - image: busybox:1.35 + name: busybox + envFrom: + - configMapRef: + name: foo-bar + - image: busybox:1.35 + name: busybox02 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + containers: + - image: busybox:1.35 + name: busybox + - image: busybox:1.35 + name: busybox02 + volumes: + - name: foo-vol + emptyDir: + sizeLimit: 100Mi \ No newline at end of file diff --git a/other-cel/disallow-all-secrets/.kyverno-test/kyverno-test.yaml b/other-cel/disallow-all-secrets/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..a13374f4a --- /dev/null +++ b/other-cel/disallow-all-secrets/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,48 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: no-secrets +policies: +- ../disallow-all-secrets.yaml +resources: +- resource.yaml +results: +- kind: Pod + policy: no-secrets + resources: + - default/secret-env-pod + result: fail + rule: secrets-not-from-env +- kind: Pod + policy: no-secrets + resources: + - default/secret-ref-pod + - default/secret-vol-pod + result: pass + rule: secrets-not-from-env +- kind: Pod + policy: no-secrets + resources: + - default/secret-ref-pod + result: fail + rule: secrets-not-from-envfrom +- kind: Pod + policy: no-secrets + resources: + - default/secret-env-pod + - default/secret-vol-pod + result: pass + rule: secrets-not-from-envfrom +- kind: Pod + policy: no-secrets + resources: + - default/secret-vol-pod + result: fail + rule: secrets-not-from-volumes +- kind: Pod + policy: no-secrets + resources: + - default/secret-env-pod + - default/secret-ref-pod + result: pass + rule: secrets-not-from-volumes diff --git a/other-cel/disallow-all-secrets/.kyverno-test/resource.yaml b/other-cel/disallow-all-secrets/.kyverno-test/resource.yaml new file mode 100644 index 000000000..3b58436ce --- /dev/null +++ b/other-cel/disallow-all-secrets/.kyverno-test/resource.yaml 
@@ -0,0 +1,52 @@ +apiVersion: v1 +kind: Pod +metadata: + name: secret-env-pod +spec: + containers: + - name: mycontainer + image: redis + env: + - name: SECRET_USERNAME + valueFrom: + secretKeyRef: + name: mysecret + key: username + - name: SECRET_PASSWORD + valueFrom: + secretKeyRef: + name: mysecret + key: password + restartPolicy: Never + +--- +apiVersion: v1 +kind: Pod +metadata: + name: secret-ref-pod +spec: + containers: + - name: test-container + image: registry.k8s.io/busybox + command: [ "/bin/sh", "-c", "env" ] + envFrom: + - secretRef: + name: mysecret + restartPolicy: Never +--- +apiVersion: v1 +kind: Pod +metadata: + name: secret-vol-pod +spec: + volumes: + - name: secret-volume + secret: + secretName: mysecret + containers: + - name: test-container + image: registry.k8s.io/busybox + volumeMounts: + - name: secret-volume + readOnly: true + mountPath: "/etc/secret-volume" \ No newline at end of file diff --git a/other-cel/disallow-all-secrets/artifacthub-pkg.yml b/other-cel/disallow-all-secrets/artifacthub-pkg.yml new file mode 100644 index 000000000..92ff32dd3 --- /dev/null +++ b/other-cel/disallow-all-secrets/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: disallow-all-secrets +version: 1.0.0 +displayName: Disallow all Secrets +createdAt: "2023-04-10T20:30:03.000Z" +description: >- + Secrets often contain sensitive information which not all Pods need consume. This policy disables the use of all Secrets in a Pod definition. In order to work effectively, this Policy needs a separate Policy or rule to require `automountServiceAccountToken=false` at the Pod level or ServiceAccount level since this would otherwise result in a Secret being mounted. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/disallow-all-secrets/disallow-all-secrets.yaml + ``` +keywords: + - kyverno + - Other +readme: | + Secrets often contain sensitive information which not all Pods need consume. This policy disables the use of all Secrets in a Pod definition. In order to work effectively, this Policy needs a separate Policy or rule to require `automountServiceAccountToken=false` at the Pod level or ServiceAccount level since this would otherwise result in a Secret being mounted. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other" + kyverno/kubernetesVersion: "1.21" + kyverno/subject: "Pod, Secret" +digest: db6b8711b4b551144ef86db8345468058c21b7355f3acd3116981a87a1d8827b diff --git a/other-cel/disallow-all-secrets/disallow-all-secrets.yaml b/other-cel/disallow-all-secrets/disallow-all-secrets.yaml new file mode 100644 index 000000000..a7a7bfd43 --- /dev/null +++ b/other-cel/disallow-all-secrets/disallow-all-secrets.yaml 
@@ -0,0 +1,79 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: no-secrets + annotations: + policies.kyverno.io/title: Disallow all Secrets + policies.kyverno.io/category: Other + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod, Secret + kyverno.io/kyverno-version: 1.6.0 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.21" + policies.kyverno.io/description: >- + Secrets often contain sensitive information which not all Pods need consume. + This policy disables the use of all Secrets in a Pod definition. In order to work effectively, + this Policy needs a separate Policy or rule to require `automountServiceAccountToken=false` + at the Pod level or ServiceAccount level since this would otherwise result in a Secret being mounted. +spec: + validationFailureAction: audit + rules: + - name: secrets-not-from-env + match: + any: + - resources: + kinds: + - Pod + validate: + message: "No Secrets from env." + pattern: + spec: + =(ephemeralContainers): + - name: "*" + =(env): + - =(valueFrom): + X(secretKeyRef): "null" + =(initContainers): + - name: "*" + =(env): + - =(valueFrom): + X(secretKeyRef): "null" + containers: + - name: "*" + =(env): + - =(valueFrom): + X(secretKeyRef): "null" + - name: secrets-not-from-envfrom + match: + any: + - resources: + kinds: + - Pod + validate: + message: "No Secrets from envFrom." + pattern: + spec: + =(ephemeralContainers): + - name: "*" + =(envFrom): + - X(secretRef): "null" + =(initContainers): + - name: "*" + =(envFrom): + - X(secretRef): "null" + containers: + - name: "*" + =(envFrom): + - X(secretRef): "null" + - name: secrets-not-from-volumes + match: + any: + - resources: + kinds: + - Pod + validate: + message: "No Secrets from volumes." + pattern: + spec: + =(volumes): + - X(secret): "null" From a31e41a07fe14634dc61a8a9ca363e9245f87ac8 Mon Sep 17 00:00:00 2001 
From: michaelkot97 Date: Fri, 22 Mar 2024 13:41:13 +0200 Subject: [PATCH 19/42] Fixed sample policies to include more container types Signed-off-by: michaelkot97 --- other/add-default-resources/add-default-resources.yaml | 2 +- other/allowed-base-images/allowed-base-images.yaml | 2 +- psp-migration/add-apparmor/add-apparmor.yaml | 2 +- psp-migration/add-capabilities/add-capabilities.yaml | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/other/add-default-resources/add-default-resources.yaml b/other/add-default-resources/add-default-resources.yaml index e91d5d2ef..c3045562f 100644 --- a/other/add-default-resources/add-default-resources.yaml +++ b/other/add-default-resources/add-default-resources.yaml @@ -34,7 +34,7 @@ spec: - UPDATE mutate: foreach: - - list: "request.object.spec.containers[]" + - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]" patchStrategicMerge: spec: containers: diff --git a/other/allowed-base-images/allowed-base-images.yaml b/other/allowed-base-images/allowed-base-images.yaml index 94bd2006f..edfc5cb82 100644 --- a/other/allowed-base-images/allowed-base-images.yaml +++ b/other/allowed-base-images/allowed-base-images.yaml @@ -41,7 +41,7 @@ spec: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. foreach: - - list: "request.object.spec.containers" + - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]" context: - name: imageData imageRegistry: diff --git a/psp-migration/add-apparmor/add-apparmor.yaml b/psp-migration/add-apparmor/add-apparmor.yaml index 3f7b7c39f..ec49b1d49 100644 --- a/psp-migration/add-apparmor/add-apparmor.yaml +++ b/psp-migration/add-apparmor/add-apparmor.yaml 
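Review bot: In the add-default-resources hunk the foreach list now iterates ephemeralContainers and initContainers as well, but the `patchStrategicMerge` directly under it still targets `spec: containers:`, so an element taken from initContainers or ephemeralContainers is patched against the wrong list. Whether that silently matches nothing (a `(name)` conditional anchor) or adds a stray entry to `containers` depends on the patch body, which is outside the hunk; in either case the defaults do not reach init or ephemeral containers, so the change does not achieve what the commit message describes. One working shape is one foreach entry per container list, each with its own patch target, e.g. `- list: "request.object.spec.initContainers[]"` paired with `initContainers:` in its patch. The allowed-base-images hunk on this line only reads `element` in a validation, so it is probably fine, though its foreach body is also cut off by the hunk.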
@@ -34,7 +34,7 @@ spec: - UPDATE mutate: foreach: - - list: request.object.spec.containers[] + - list: request.object.spec.[ephemeralContainers, initContainers, containers][] patchStrategicMerge: metadata: annotations: diff --git a/psp-migration/add-capabilities/add-capabilities.yaml b/psp-migration/add-capabilities/add-capabilities.yaml index a82c8732c..be9ed33ca 100644 --- a/psp-migration/add-capabilities/add-capabilities.yaml +++ b/psp-migration/add-capabilities/add-capabilities.yaml @@ -32,7 +32,7 @@ spec: - UPDATE mutate: foreach: - - list: request.object.spec.containers[] + - list: request.object.spec.[ephemeralContainers, initContainers, containers][] preconditions: all: - key: SETFCAP @@ -42,7 +42,7 @@ spec: - path: /spec/containers/{{elementIndex}}/securityContext/capabilities/add/- op: add value: SETFCAP - - list: request.object.spec.containers[] + - list: request.object.spec.[ephemeralContainers, initContainers, containers][] preconditions: all: - key: SETUID From 9a072886347ee62bf90dbd5a0fdacee11e72578e Mon Sep 17 00:00:00 2001 From: michaelkot97 Date: Fri, 22 Mar 2024 18:44:11 +0200 Subject: [PATCH 20/42] Changed sha256 for the policies Signed-off-by: michaelkot97 --- other/add-default-resources/artifacthub-pkg.yml | 2 +- other/allowed-base-images/artifacthub-pkg.yml | 2 +- psp-migration/add-apparmor/artifacthub-pkg.yml | 2 +- psp-migration/add-capabilities/artifacthub-pkg.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/other/add-default-resources/artifacthub-pkg.yml b/other/add-default-resources/artifacthub-pkg.yml index c8bf5ecb8..2c067222b 100644 --- a/other/add-default-resources/artifacthub-pkg.yml +++ b/other/add-default-resources/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.26" kyverno/subject: "Pod" -digest: 215f880a62b2c2e7627321623a22037af3f89e3e740372f02a40214da8163d79 +digest: 24a5a9e9a4ee1e83ab00bb85718a70ed0cd00d28506dbc1192ab3901bd0a6bcf 
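Review bot: In the two add-capabilities hunks `{{elementIndex}}` now counts positions in the concatenated `[ephemeralContainers, initContainers, containers][]` list, but the JSON patch path visible as context in the second hunk is still `/spec/containers/{{elementIndex}}/securityContext/capabilities/add/-`, so on any Pod with init or ephemeral containers the patch lands on a different container than the one the precondition evaluated, or on a non-existent index and fails. The index-to-path mapping has to stay per list: keep a separate foreach per container list, each with the matching path (`/spec/initContainers/{{elementIndex}}/...`, `/spec/ephemeralContainers/{{elementIndex}}/...`). Both foreach entries in add-capabilities are affected; the second entry's patch lines are outside the hunk. The add-apparmor hunk keys its patch on `metadata.annotations` rather than an index, so it is likely unaffected, but its patch body is also cut off here.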
diff --git a/other/allowed-base-images/artifacthub-pkg.yml b/other/allowed-base-images/artifacthub-pkg.yml index b3ecb2ba5..3f4a16eff 100644 --- a/other/allowed-base-images/artifacthub-pkg.yml +++ b/other/allowed-base-images/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: a0edbf4ddfa0a06c5334133357219b22af4272fc46a30489d9181e29fb38d014 +digest: be54e5cb7e03c6e7d786da1836612a228299b22d60443f8288420d6089372232 diff --git a/psp-migration/add-apparmor/artifacthub-pkg.yml b/psp-migration/add-apparmor/artifacthub-pkg.yml index dc6493807..2f0105163 100644 --- a/psp-migration/add-apparmor/artifacthub-pkg.yml +++ b/psp-migration/add-apparmor/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "PSP Migration" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Pod,Annotation" -digest: 082461dca2f21839c429ac792fa4c8cb7a6a86639580345e124e541bf595332d +digest: 0bb624dce200ace9730d9ddf85c5aca5f1fcf61759412a672155e176f24d9ac7 diff --git a/psp-migration/add-capabilities/artifacthub-pkg.yml b/psp-migration/add-capabilities/artifacthub-pkg.yml index a02197558..15444a747 100644 --- a/psp-migration/add-capabilities/artifacthub-pkg.yml +++ b/psp-migration/add-capabilities/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "PSP Migration" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Pod" -digest: 5f25e343611f412f21608223ee89a3684280045469ce1053bc7a3418ee57a1c4 +digest: 59ac7efa86868c57372662bbb60ed75ca0af8255df05cfebee2d2c8809f1ce2d From 80f241cfcbd36c8a620f4b51c355d3465c92f18f Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sat, 23 Mar 2024 10:57:20 +0000 Subject: [PATCH 21/42] convert disallow-all-secrets to cel 
Signed-off-by: Chandan-DK --- .../.kyverno-test/kyverno-test.yaml | 31 +------ .../.kyverno-test/resource.yaml | 12 ++- .../disallow-all-secrets/artifacthub-pkg.yml | 15 ++-- .../disallow-all-secrets.yaml | 89 +++++++------------ 4 files changed, 52 insertions(+), 95 deletions(-) diff --git a/other-cel/disallow-all-secrets/.kyverno-test/kyverno-test.yaml b/other-cel/disallow-all-secrets/.kyverno-test/kyverno-test.yaml index a13374f4a..a2c61f16f 100644 --- a/other-cel/disallow-all-secrets/.kyverno-test/kyverno-test.yaml +++ b/other-cel/disallow-all-secrets/.kyverno-test/kyverno-test.yaml @@ -11,38 +11,13 @@ results: policy: no-secrets resources: - default/secret-env-pod - result: fail - rule: secrets-not-from-env -- kind: Pod - policy: no-secrets - resources: - default/secret-ref-pod - default/secret-vol-pod - result: pass - rule: secrets-not-from-env -- kind: Pod - policy: no-secrets - resources: - - default/secret-ref-pod - result: fail - rule: secrets-not-from-envfrom -- kind: Pod - policy: no-secrets - resources: - - default/secret-env-pod - - default/secret-vol-pod - result: pass - rule: secrets-not-from-envfrom -- kind: Pod - policy: no-secrets - resources: - - default/secret-vol-pod result: fail - rule: secrets-not-from-volumes + rule: secrets-not-from-env-envFrom-and-volumes - kind: Pod policy: no-secrets resources: - - default/secret-env-pod - - default/secret-ref-pod + - default/good-pod result: pass - rule: secrets-not-from-volumes + rule: secrets-not-from-env-envFrom-and-volumes diff --git a/other-cel/disallow-all-secrets/.kyverno-test/resource.yaml b/other-cel/disallow-all-secrets/.kyverno-test/resource.yaml index 3b58436ce..7be4f45d8 100644 --- a/other-cel/disallow-all-secrets/.kyverno-test/resource.yaml +++ b/other-cel/disallow-all-secrets/.kyverno-test/resource.yaml 
@@ -49,4 +49,14 @@ spec: volumeMounts: - name: secret-volume readOnly: true - mountPath: "/etc/secret-volume" \ No newline at end of file + mountPath: "/etc/secret-volume" +--- +apiVersion: v1 +kind: Pod +metadata: + name: good-pod +spec: + containers: + - name: test-container + image: registry.k8s.io/busybox + \ No newline at end of file diff --git a/other-cel/disallow-all-secrets/artifacthub-pkg.yml b/other-cel/disallow-all-secrets/artifacthub-pkg.yml index 92ff32dd3..02f3b5f32 100644 --- a/other-cel/disallow-all-secrets/artifacthub-pkg.yml +++ b/other-cel/disallow-all-secrets/artifacthub-pkg.yml 
@@ -1,22 +1,23 @@ -name: disallow-all-secrets +name: disallow-all-secrets-cel version: 1.0.0 -displayName: Disallow all Secrets -createdAt: "2023-04-10T20:30:03.000Z" +displayName: Disallow all Secrets in CEL expressions description: >- Secrets often contain sensitive information which not all Pods need consume. This policy disables the use of all Secrets in a Pod definition. In order to work effectively, this Policy needs a separate Policy or rule to require `automountServiceAccountToken=false` at the Pod level or ServiceAccount level since this would otherwise result in a Secret being mounted. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/disallow-all-secrets/disallow-all-secrets.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/disallow-all-secrets/disallow-all-secrets.yaml ``` keywords: - kyverno - Other + - CEL Expressions readme: | Secrets often contain sensitive information which not all Pods need consume. This policy disables the use of all Secrets in a Pod definition. In order to work effectively, this Policy needs a separate Policy or rule to require `automountServiceAccountToken=false` at the Pod level or ServiceAccount level since this would otherwise result in a Secret being mounted. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.21" + kyverno/category: "Other in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod, Secret" -digest: db6b8711b4b551144ef86db8345468058c21b7355f3acd3116981a87a1d8827b +digest: 13bb4eb1babbb2a6c58887ef83bc61d8e4e6252d9353bf8e2ef92480f4798458 +createdAt: "2024-03-23T11:14:09Z" diff --git a/other-cel/disallow-all-secrets/disallow-all-secrets.yaml b/other-cel/disallow-all-secrets/disallow-all-secrets.yaml index a7a7bfd43..7c03b01c8 100644 
--- a/other-cel/disallow-all-secrets/disallow-all-secrets.yaml +++ b/other-cel/disallow-all-secrets/disallow-all-secrets.yaml 
@@ -3,77 +3,48 @@ kind: ClusterPolicy metadata: name: no-secrets annotations: - policies.kyverno.io/title: Disallow all Secrets - policies.kyverno.io/category: Other + policies.kyverno.io/title: Disallow all Secrets in CEL expressions + policies.kyverno.io/category: Other in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod, Secret - kyverno.io/kyverno-version: 1.6.0 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.21" + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/description: >- Secrets often contain sensitive information which not all Pods need consume. This policy disables the use of all Secrets in a Pod definition. In order to work effectively, this Policy needs a separate Policy or rule to require `automountServiceAccountToken=false` at the Pod level or ServiceAccount level since this would otherwise result in a Secret being mounted. spec: - validationFailureAction: audit + validationFailureAction: Audit rules: - - name: secrets-not-from-env + - name: secrets-not-from-env-envFrom-and-volumes match: any: - resources: kinds: - Pod validate: - message: "No Secrets from env." - pattern: - spec: - =(ephemeralContainers): - - name: "*" - =(env): - - =(valueFrom): - X(secretKeyRef): "null" - =(initContainers): - - name: "*" - =(env): - - =(valueFrom): - X(secretKeyRef): "null" - containers: - - name: "*" - =(env): - - =(valueFrom): - X(secretKeyRef): "null" - - name: secrets-not-from-envfrom - match: - any: - - resources: - kinds: - - Pod - validate: - message: "No Secrets from envFrom." 
- pattern: - spec: - =(ephemeralContainers): - - name: "*" - =(envFrom): - - X(secretRef): "null" - =(initContainers): - - name: "*" - =(envFrom): - - X(secretRef): "null" - containers: - - name: "*" - =(envFrom): - - X(secretRef): "null" - - name: secrets-not-from-volumes - match: - any: - - resources: - kinds: - - Pod - validate: - message: "No Secrets from volumes." - pattern: - spec: - =(volumes): - - X(secret): "null" + cel: + variables: + - name: allContainers + expression: >- + object.spec.containers + + (has(object.spec.initContainers) ? object.spec.initContainers : []) + + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []) + expressions: + - expression: >- + variables.allContainers.all(container, + !has(container.env) || + container.env.all(env, !has(env.valueFrom) || !has(env.valueFrom.secretKeyRef))) + message: "No Secrets from env." + + - expression: >- + variables.allContainers.all(container, + !has(container.envFrom) || + container.envFrom.all(envFrom, !has(envFrom.secretRef))) + message: "No Secrets from envFrom." + + - expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.secret))" + message: "No Secrets from volumes." + \ No newline at end of file From a76048b5184f522a525e7dd284d6786c569fcdf0 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sat, 23 Mar 2024 11:40:34 +0000 Subject: [PATCH 22/42] copy disallow-localhost-services 
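Review bot: The third expression only checks `volume.secret`, so a Secret mounted through a projected volume (`volumes[].projected.sources[].secret`) is still accepted even though the policy description promises to disable all Secrets in the Pod definition. The previous pattern-based rule had the same gap, but in CEL it is a one-line extension: `"!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.secret) && (!has(volume.projected) || volume.projected.sources.all(source, !has(source.secret))))"`. It would also help readers to state in `policies.kyverno.io/description` that `imagePullSecrets` is intentionally out of scope, as the text already does for the service-account token. The hunk ends with a whitespace-only line and no trailing newline.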
Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 ++++ .../.chainsaw-test/chainsaw-test.yaml | 31 +++++++++++++++++ .../.chainsaw-test/svc-bad.yaml | 7 ++++ .../.chainsaw-test/svc-good.yaml | 33 +++++++++++++++++++ .../.kyverno-test/kyverno-test.yaml | 21 ++++++++++++ .../.kyverno-test/resource.yaml | 20 +++++++++++ .../artifacthub-pkg.yml | 21 ++++++++++++ .../disallow-localhost-services.yaml | 30 +++++++++++++++++ 8 files changed, 169 insertions(+) create mode 100755 other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/disallow-localhost-services/.chainsaw-test/svc-bad.yaml create mode 100644 other-cel/disallow-localhost-services/.chainsaw-test/svc-good.yaml create mode 100644 other-cel/disallow-localhost-services/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/disallow-localhost-services/.kyverno-test/resource.yaml create mode 100644 other-cel/disallow-localhost-services/artifacthub-pkg.yml create mode 100644 other-cel/disallow-localhost-services/disallow-localhost-services.yaml diff --git a/other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..730a95d13 --- /dev/null +++ b/other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: no-localhost-service +status: + ready: true diff --git a/other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml b/other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..75151179b --- /dev/null +++ b/other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml 
@@ -0,0 +1,31 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-localhost-services +spec: + steps: + - name: step-01 + try: + - apply: + file: ../disallow-localhost-services.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: no-localhost-service + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: svc-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: svc-bad.yaml diff --git a/other-cel/disallow-localhost-services/.chainsaw-test/svc-bad.yaml b/other-cel/disallow-localhost-services/.chainsaw-test/svc-bad.yaml new file mode 100644 index 000000000..e55c2d3a6 --- /dev/null +++ b/other-cel/disallow-localhost-services/.chainsaw-test/svc-bad.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Service +metadata: + name: badsvc01 +spec: + type: ExternalName + externalName: localhost \ No newline at end of file diff --git a/other-cel/disallow-localhost-services/.chainsaw-test/svc-good.yaml b/other-cel/disallow-localhost-services/.chainsaw-test/svc-good.yaml new file mode 100644 index 000000000..d7cf54557 --- /dev/null +++ b/other-cel/disallow-localhost-services/.chainsaw-test/svc-good.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: nginx + name: goodsvc01 +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 80 + selector: + run: nginx + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + name: goodsvc02 +spec: + type: NodePort + ports: + - port: 80 + targetPort: 80 + nodePort: 30007 +--- +apiVersion: v1 +kind: Service +metadata: + name: goodsvc03 +spec: + type: ExternalName + externalName: foo.bar.com \ No newline at end of file 
diff --git a/other-cel/disallow-localhost-services/.kyverno-test/kyverno-test.yaml b/other-cel/disallow-localhost-services/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..d4317b266 --- /dev/null +++ b/other-cel/disallow-localhost-services/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,21 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: no-localhost-service +policies: +- ../disallow-localhost-services.yaml +resources: +- resource.yaml +results: +- kind: Service + policy: no-localhost-service + resources: + - my-service + result: fail + rule: no-localhost-service +- kind: Service + policy: no-localhost-service + resources: + - my-np-service + result: skip + rule: no-localhost-service diff --git a/other-cel/disallow-localhost-services/.kyverno-test/resource.yaml b/other-cel/disallow-localhost-services/.kyverno-test/resource.yaml new file mode 100644 index 000000000..bafd69c52 --- /dev/null +++ b/other-cel/disallow-localhost-services/.kyverno-test/resource.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + name: my-service +spec: + type: ExternalName + externalName: localhost +--- +apiVersion: v1 +kind: Service +metadata: + name: my-np-service +spec: + type: NodePort + selector: + app: MyApp + ports: + - port: 80 + targetPort: 80 + protocol: TCP \ No newline at end of file diff --git a/other-cel/disallow-localhost-services/artifacthub-pkg.yml b/other-cel/disallow-localhost-services/artifacthub-pkg.yml new file mode 100644 index 000000000..8ea37925d --- /dev/null +++ b/other-cel/disallow-localhost-services/artifacthub-pkg.yml 
@@ -0,0 +1,21 @@ +name: disallow-localhost-services +version: 1.0.0 +displayName: Disallow Localhost ExternalName Services +createdAt: "2023-04-10T20:30:03.000Z" +description: >- + A Service of type ExternalName which points back to localhost can potentially be used to exploit vulnerabilities in some Ingress controllers. This policy audits Services of type ExternalName if the externalName field refers to localhost. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/disallow-localhost-services/disallow-localhost-services.yaml + ``` +keywords: + - kyverno + - Sample +readme: | + A Service of type ExternalName which points back to localhost can potentially be used to exploit vulnerabilities in some Ingress controllers. This policy audits Services of type ExternalName if the externalName field refers to localhost. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Sample" + kyverno/subject: "Service" +digest: f1cec7ef44c6b12a7cac8c077c2ddcbc4ef6bb2dd0945444de21052e00521d59 diff --git a/other-cel/disallow-localhost-services/disallow-localhost-services.yaml b/other-cel/disallow-localhost-services/disallow-localhost-services.yaml new file mode 100644 index 000000000..0c5123980 --- /dev/null +++ b/other-cel/disallow-localhost-services/disallow-localhost-services.yaml 
@@ -0,0 +1,30 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: no-localhost-service + annotations: + policies.kyverno.io/title: Disallow Localhost ExternalName Services + policies.kyverno.io/category: Sample + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Service + policies.kyverno.io/minversion: 1.6.0 + policies.kyverno.io/description: >- + A Service of type ExternalName which points back to localhost can potentially be used to exploit + vulnerabilities in some Ingress controllers. This policy audits Services of type ExternalName + if the externalName field refers to localhost. +spec: + validationFailureAction: audit + background: true + rules: + - name: no-localhost-service + match: + any: + - resources: + kinds: + - Service + validate: + message: "Service of type ExternalName cannot point to localhost." + pattern: + spec: + (type): ExternalName + externalName: "!localhost" \ No newline at end of file From ec7e6b67f699cb14914b2c788af26ca33d2c0f35 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sat, 23 Mar 2024 12:19:55 +0000 Subject: [PATCH 23/42] convert disallow-localhost-services to cel Signed-off-by: Chandan-DK --- .../.kyverno-test/kyverno-test.yaml | 2 +- .../artifacthub-pkg.yml | 14 ++++++++------ .../disallow-localhost-services.yaml | 19 ++++++++++--------- 3 files changed, 19 insertions(+), 16 deletions(-) diff --git a/other-cel/disallow-localhost-services/.kyverno-test/kyverno-test.yaml b/other-cel/disallow-localhost-services/.kyverno-test/kyverno-test.yaml index d4317b266..49d2f2b69 100644 --- a/other-cel/disallow-localhost-services/.kyverno-test/kyverno-test.yaml +++ b/other-cel/disallow-localhost-services/.kyverno-test/kyverno-test.yaml @@ -17,5 +17,5 @@ results: policy: no-localhost-service resources: - my-np-service - result: skip + result: pass rule: no-localhost-service 
diff --git a/other-cel/disallow-localhost-services/artifacthub-pkg.yml b/other-cel/disallow-localhost-services/artifacthub-pkg.yml index 8ea37925d..536ccc111 100644 --- a/other-cel/disallow-localhost-services/artifacthub-pkg.yml +++ b/other-cel/disallow-localhost-services/artifacthub-pkg.yml @@ -1,21 +1,23 @@ -name: disallow-localhost-services +name: disallow-localhost-services-cel version: 1.0.0 -displayName: Disallow Localhost ExternalName Services -createdAt: "2023-04-10T20:30:03.000Z" +displayName: Disallow Localhost ExternalName Services in CEL expressions description: >- A Service of type ExternalName which points back to localhost can potentially be used to exploit vulnerabilities in some Ingress controllers. This policy audits Services of type ExternalName if the externalName field refers to localhost. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/disallow-localhost-services/disallow-localhost-services.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/disallow-localhost-services/disallow-localhost-services.yaml ``` keywords: - kyverno - Sample + - CEL Expressions readme: | A Service of type ExternalName which points back to localhost can potentially be used to exploit vulnerabilities in some Ingress controllers. This policy audits Services of type ExternalName if the externalName field refers to localhost. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Sample" + kyverno/category: "Sample in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Service" -digest: f1cec7ef44c6b12a7cac8c077c2ddcbc4ef6bb2dd0945444de21052e00521d59 +digest: e5c4679a38d53063daba829f97e43a3de8874b698f035674c885bdbe62bfe473 +createdAt: "2024-03-23T12:17:54Z" 
diff --git a/other-cel/disallow-localhost-services/disallow-localhost-services.yaml b/other-cel/disallow-localhost-services/disallow-localhost-services.yaml index 0c5123980..fc7461e05 100644 --- a/other-cel/disallow-localhost-services/disallow-localhost-services.yaml +++ b/other-cel/disallow-localhost-services/disallow-localhost-services.yaml @@ -3,17 +3,18 @@ kind: ClusterPolicy metadata: name: no-localhost-service annotations: - policies.kyverno.io/title: Disallow Localhost ExternalName Services - policies.kyverno.io/category: Sample + policies.kyverno.io/title: Disallow Localhost ExternalName Services in CEL expressions + policies.kyverno.io/category: Sample in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: Service - policies.kyverno.io/minversion: 1.6.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/description: >- A Service of type ExternalName which points back to localhost can potentially be used to exploit vulnerabilities in some Ingress controllers. This policy audits Services of type ExternalName if the externalName field refers to localhost. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: no-localhost-service @@ -23,8 +24,8 @@ spec: kinds: - Service validate: - message: "Service of type ExternalName cannot point to localhost." - pattern: - spec: - (type): ExternalName - externalName: "!localhost" \ No newline at end of file + cel: + expressions: + - expression: "object.spec.type != 'ExternalName' || object.spec.externalName != 'localhost'" + message: "Service of type ExternalName cannot point to localhost." + \ No newline at end of file From 2bcc5c37f15a5253f14971e23847890197343d32 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 24 Mar 2024 16:23:58 +0000 Subject: [PATCH 24/42] copy disallow-secrets-from-env-vars 
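Review bot: The new expression compares `object.spec.externalName != 'localhost'` as an exact, case-sensitive string, while DNS names are case-insensitive and may carry a trailing dot, so `Localhost` or `localhost.` pass the check yet resolve to the same place. If the CEL strings extension is available in the targeted Kyverno version, `"object.spec.type != 'ExternalName' || !(object.spec.externalName.lowerAscii() in ['localhost', 'localhost.'])"` closes the obvious variants; a stricter policy could also reject loopback literals, which the original pattern rule never covered either. The trailing whitespace-only line without a newline at EOF should be dropped.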
Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 + .../.chainsaw-test/chainsaw-test.yaml | 38 +++++++ .../.chainsaw-test/podcontrollers-bad.yaml | 103 ++++++++++++++++++ .../.chainsaw-test/podcontrollers-good.yaml | 95 ++++++++++++++++ .../.chainsaw-test/pods-bad.yaml | 50 +++++++++ .../.chainsaw-test/pods-good.yaml | 40 +++++++ .../.kyverno-test/kyverno-test.yaml | 33 ++++++ .../.kyverno-test/resource.yaml | 35 ++++++ .../artifacthub-pkg.yml | 23 ++++ .../disallow-secrets-from-env-vars.yaml | 47 ++++++++ 10 files changed, 470 insertions(+) create mode 100755 other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml create mode 100644 other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml create mode 100644 other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml create mode 100644 other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml create mode 100644 other-cel/disallow-secrets-from-env-vars/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/disallow-secrets-from-env-vars/.kyverno-test/resource.yaml create mode 100644 other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml create mode 100644 other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..f8d45db5d --- /dev/null +++ b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: secrets-not-from-env-vars +status: + ready: true 
diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..500d54752 --- /dev/null +++ b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,38 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-secrets-from-env-vars +spec: + steps: + - name: step-01 + try: + - apply: + file: ../disallow-secrets-from-env-vars.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: secrets-not-from-env-vars + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pods-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pods-bad.yaml + - apply: + file: podcontrollers-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontrollers-bad.yaml diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml new file mode 100644 index 000000000..b624674c3 --- /dev/null +++ b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml 
@@ -0,0 +1,103 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + env: + - name: SECRET_BAD + valueFrom: + secretKeyRef: + name: foo + key: pass + - image: busybox:1.35 + name: busybox02 + env: + - name: foo + value: bar +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + envFrom: + - secretRef: + name: foo + - image: busybox:1.35 + name: busybox02 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - image: busybox:1.35 + name: busybox + env: + - name: SECRET_BAD + valueFrom: + secretKeyRef: + name: foo + key: pass + - image: busybox:1.35 + name: busybox02 + env: + - name: foo + value: bar + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - image: busybox:1.35 + name: busybox + envFrom: + - secretRef: + name: foo + - image: busybox:1.35 + name: busybox02 + restartPolicy: OnFailures \ No newline at end of file diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml new file mode 100644 index 000000000..4c20ae23e --- /dev/null +++ b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml 
@@ -0,0 +1,95 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - image: busybox:1.35 + name: busybox02 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + envFrom: + - configMapRef: + name: foo-bar + - image: busybox:1.35 + name: busybox02 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - image: busybox:1.35 + name: busybox + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - image: busybox:1.35 + name: busybox02 + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - image: busybox:1.35 + name: busybox + envFrom: + - configMapRef: + name: foo-bar + - image: busybox:1.35 + name: busybox02 + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml new file mode 100644 index 000000000..f4c4db620 --- /dev/null +++ b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml 
@@ -0,0 +1,50 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - image: busybox:1.35 + name: busybox + env: + - name: SECRET_BAD + valueFrom: + secretKeyRef: + name: foo + key: pass + - image: busybox:1.35 + name: busybox02 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - image: busybox:1.35 + name: busybox + - image: busybox:1.35 + name: busybox02 + envFrom: + - secretRef: + name: foo +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - image: busybox:1.35 + name: busybox + envFrom: + - secretRef: + name: foo + - image: busybox:1.35 + name: busybox02 + env: + - name: SECRET_BAD + valueFrom: + secretKeyRef: + name: foo + key: pass \ No newline at end of file diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml new file mode 100644 index 000000000..c6573bf3f --- /dev/null +++ b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml @@ -0,0 +1,40 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - image: busybox:1.35 + name: busybox + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - image: busybox:1.35 + name: busybox02 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - image: busybox:1.35 + name: busybox-init + - image: busybox:1.35 + name: busybox02-init +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - image: busybox:1.35 + name: busybox + envFrom: + - configMapRef: + name: foo-bar + - image: busybox:1.35 + name: busybox02 \ No newline at end of file diff --git a/other-cel/disallow-secrets-from-env-vars/.kyverno-test/kyverno-test.yaml b/other-cel/disallow-secrets-from-env-vars/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..c0211594a --- /dev/null 
+++ b/other-cel/disallow-secrets-from-env-vars/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,33 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: secrets-not-from-env-vars +policies: +- ../disallow-secrets-from-env-vars.yaml +resources: +- resource.yaml +results: +- kind: Pod + policy: secrets-not-from-env-vars + resources: + - default/secret-env-pod + result: fail + rule: secrets-not-from-env-vars +- kind: Pod + policy: secrets-not-from-env-vars + resources: + - default/secret-ref-pod + result: pass + rule: secrets-not-from-env-vars +- kind: Pod + policy: secrets-not-from-env-vars + resources: + - default/secret-ref-pod + result: fail + rule: secrets-not-from-envfrom +- kind: Pod + policy: secrets-not-from-env-vars + resources: + - default/secret-env-pod + result: pass + rule: secrets-not-from-envfrom diff --git a/other-cel/disallow-secrets-from-env-vars/.kyverno-test/resource.yaml b/other-cel/disallow-secrets-from-env-vars/.kyverno-test/resource.yaml new file mode 100644 index 000000000..031d77c99 --- /dev/null +++ b/other-cel/disallow-secrets-from-env-vars/.kyverno-test/resource.yaml @@ -0,0 +1,35 @@ +apiVersion: v1 +kind: Pod +metadata: + name: secret-env-pod +spec: + containers: + - name: mycontainer + image: redis + env: + - name: SECRET_USERNAME + valueFrom: + secretKeyRef: + name: mysecret + key: username + - name: SECRET_PASSWORD + valueFrom: + secretKeyRef: + name: mysecret + key: password + restartPolicy: Never + +--- +apiVersion: v1 +kind: Pod +metadata: + name: secret-ref-pod +spec: + containers: + - name: test-container + image: registry.k8s.io/busybox + command: [ "/bin/sh", "-c", "env" ] + envFrom: + - secretRef: + name: mysecret + restartPolicy: Never diff --git a/other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml b/other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml new file mode 100644 index 000000000..2e3ea7a57 --- /dev/null +++ b/other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml 
@@ -0,0 +1,23 @@ +name: disallow-secrets-from-env-vars +version: 1.0.0 +displayName: Disallow Secrets from Env Vars +createdAt: "2023-04-10T20:30:04.000Z" +description: >- + Secrets used as environment variables containing sensitive information may, if not carefully controlled, be printed in log output which could be visible to unauthorized people and captured in forwarding applications. This policy disallows using Secrets as environment variables. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml + ``` +keywords: + - kyverno + - Sample + - EKS Best Practices +readme: | + Secrets used as environment variables containing sensitive information may, if not carefully controlled, be printed in log output which could be visible to unauthorized people and captured in forwarding applications. This policy disallows using Secrets as environment variables. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Sample, EKS Best Practices" + kyverno/kubernetesVersion: "null" + kyverno/subject: "Pod, Secret" +digest: 79f059e745a1bd214bb91455e985bbb474f4b40590e871b6babaf60a9672b3c9 diff --git a/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml b/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml new file mode 100644 index 000000000..afc2c6b95 --- /dev/null +++ b/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml 
@@ -0,0 +1,47 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: secrets-not-from-env-vars + annotations: + policies.kyverno.io/title: Disallow Secrets from Env Vars + policies.kyverno.io/category: Sample, EKS Best Practices + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod, Secret + kyverno.io/kyverno-version: 1.6.0 + policies.kyverno.io/description: >- + Secrets used as environment variables containing sensitive information may, if not carefully controlled, + be printed in log output which could be visible to unauthorized people and captured in forwarding + applications. This policy disallows using Secrets as environment variables. +spec: + validationFailureAction: audit + background: true + rules: + - name: secrets-not-from-env-vars + match: + any: + - resources: + kinds: + - Pod + validate: + message: "Secrets must be mounted as volumes, not as environment variables." + pattern: + spec: + containers: + - name: "*" + =(env): + - =(valueFrom): + X(secretKeyRef): "null" + - name: secrets-not-from-envfrom + match: + any: + - resources: + kinds: + - Pod + validate: + message: "Secrets must not come from envFrom statements." + pattern: + spec: + containers: + - name: "*" + =(envFrom): + - X(secretRef): "null" \ No newline at end of file From 107816ea7003ca612dbe585a0df78bc6c73b52ac Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 24 Mar 2024 17:02:56 +0000 Subject: [PATCH 25/42] convert disallow-secrets-from-env-vars to cel Signed-off-by: Chandan-DK --- .../.chainsaw-test/podcontrollers-bad.yaml | 2 +- .../.kyverno-test/kyverno-test.yaml | 16 ++------ .../.kyverno-test/resource.yaml | 22 +++++++++++ .../artifacthub-pkg.yml | 15 ++++---- .../disallow-secrets-from-env-vars.yaml | 38 ++++++------------- 5 files changed, 46 insertions(+), 47 deletions(-) 
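Review bot: Both rules anchor only on `spec.containers`, so a Secret pulled into an initContainer's or ephemeralContainer's `env`/`envFrom` is never checked and the Pod is admitted; the later conversion hunk (`@@ -23,25 +24,10 @@`) carries the same gap into its CEL expressions. For the pattern form, add a sibling `=(initContainers):` list with the same `- name: "*"` / `=(env)` / `X(secretKeyRef): "null"` shape under each rule; for the CEL form, extend each expression with `&& (!has(object.spec.initContainers) || object.spec.initContainers.all(container, ...))` using the same inner predicate. None of the fixtures in pods-bad.yaml or podcontrollers-bad.yaml exercise initContainers, so the chainsaw steps would not notice the omission either. Since this commit copies the policy from the `other/` tree referenced in the install URL, the original presumably has the same limitation.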
diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml index b624674c3..ac31368ed 100644 --- a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml +++ b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml @@ -100,4 +100,4 @@ spec: name: foo - image: busybox:1.35 name: busybox02 - restartPolicy: OnFailures \ No newline at end of file + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/disallow-secrets-from-env-vars/.kyverno-test/kyverno-test.yaml b/other-cel/disallow-secrets-from-env-vars/.kyverno-test/kyverno-test.yaml index c0211594a..c2a303dbe 100644 --- a/other-cel/disallow-secrets-from-env-vars/.kyverno-test/kyverno-test.yaml +++ b/other-cel/disallow-secrets-from-env-vars/.kyverno-test/kyverno-test.yaml @@ -11,23 +11,13 @@ results: policy: secrets-not-from-env-vars resources: - default/secret-env-pod + - default/secret-ref-pod result: fail rule: secrets-not-from-env-vars - kind: Pod policy: secrets-not-from-env-vars resources: - - default/secret-ref-pod + - default/good-pod result: pass rule: secrets-not-from-env-vars -- kind: Pod - policy: secrets-not-from-env-vars - resources: - - default/secret-ref-pod - result: fail - rule: secrets-not-from-envfrom -- kind: Pod - policy: secrets-not-from-env-vars - resources: - - default/secret-env-pod - result: pass - rule: secrets-not-from-envfrom + \ No newline at end of file diff --git a/other-cel/disallow-secrets-from-env-vars/.kyverno-test/resource.yaml b/other-cel/disallow-secrets-from-env-vars/.kyverno-test/resource.yaml index 031d77c99..c13f1437a 100644 --- a/other-cel/disallow-secrets-from-env-vars/.kyverno-test/resource.yaml +++ b/other-cel/disallow-secrets-from-env-vars/.kyverno-test/resource.yaml 
@@ -33,3 +33,25 @@ spec: - secretRef: name: mysecret restartPolicy: Never +--- +apiVersion: v1 +kind: Pod +metadata: + name: good-pod +spec: + containers: + - name: test-container + image: registry.k8s.io/busybox + env: + - name: ENV_VAR_1 + value: "value1" + - name: ENV_VAR_2 + value: "value2" + volumeMounts: + - name: mysecret + mountPath: /mnt/mysecret + volumes: + - name: mysecret + secret: + secretName: mysecret + diff --git a/other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml b/other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml index 2e3ea7a57..279a23b62 100644 --- a/other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml +++ b/other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml 
@@ -1,23 +1,24 @@ -name: disallow-secrets-from-env-vars +name: disallow-secrets-from-env-vars-cel version: 1.0.0 -displayName: Disallow Secrets from Env Vars -createdAt: "2023-04-10T20:30:04.000Z" +displayName: Disallow Secrets from Env Vars in CEL expressions description: >- Secrets used as environment variables containing sensitive information may, if not carefully controlled, be printed in log output which could be visible to unauthorized people and captured in forwarding applications. This policy disallows using Secrets as environment variables. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml ``` keywords: - kyverno - Sample - EKS Best Practices + - CEL Expressions readme: | Secrets used as environment variables containing sensitive information may, if not carefully controlled, be printed in log output which could be visible to unauthorized people and captured in forwarding applications. This policy disallows using Secrets as environment variables. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Sample, EKS Best Practices" - kyverno/kubernetesVersion: "null" + kyverno/category: "Sample, EKS Best Practices in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod, Secret" -digest: 79f059e745a1bd214bb91455e985bbb474f4b40590e871b6babaf60a9672b3c9 +digest: 7a8d2c6c16cc66744f7e274ed11d0065c1dc408644746c43effc25fb4261bb01 +createdAt: "2024-03-24T16:54:45Z" diff --git a/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml b/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml index afc2c6b95..e936f8c3e 100644 
--- a/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml +++ b/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml @@ -3,17 +3,18 @@ kind: ClusterPolicy metadata: name: secrets-not-from-env-vars annotations: - policies.kyverno.io/title: Disallow Secrets from Env Vars - policies.kyverno.io/category: Sample, EKS Best Practices + policies.kyverno.io/title: Disallow Secrets from Env Vars in CEL expressions + policies.kyverno.io/category: Sample, EKS Best Practices in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod, Secret - kyverno.io/kyverno-version: 1.6.0 + kyverno.io/kyverno-version: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/description: >- Secrets used as environment variables containing sensitive information may, if not carefully controlled, be printed in log output which could be visible to unauthorized people and captured in forwarding applications. This policy disallows using Secrets as environment variables. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: secrets-not-from-env-vars 
@@ -23,25 +24,10 @@ spec: kinds: - Pod validate: - message: "Secrets must be mounted as volumes, not as environment variables." - pattern: - spec: - containers: - - name: "*" - =(env): - - =(valueFrom): - X(secretKeyRef): "null" - - name: secrets-not-from-envfrom - match: - any: - - resources: - kinds: - - Pod - validate: - message: "Secrets must not come from envFrom statements." - pattern: - spec: - containers: - - name: "*" - =(envFrom): - - X(secretRef): "null" \ No newline at end of file + cel: + expressions: + - expression: "object.spec.containers.all(container, !has(container.env) || container.env.all(env, !has(env.valueFrom) || !has(env.valueFrom.secretKeyRef)))" + message: "Secrets must be mounted as volumes, not as environment variables." + - expression: "object.spec.containers.all(container, !has(container.envFrom) || container.envFrom.all(envFrom, !has(envFrom.secretRef)))" + message: "Secrets must not come from envFrom statements." + \ No newline at end of file From 548d80024cd3e5fdca060b281d0a5bfa2b841f35 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Tue, 26 Mar 2024 10:25:49 +0000 Subject: [PATCH 26/42] add ServiceAccount to the subject in annotations Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yaml | 4 ++-- .../deny-secret-service-account-token-type.yaml | 2 +- .../artifacthub-pkg.yaml | 4 ++-- .../deny-secret-service-account-token-type.yaml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/other-cel/deny-secret-service-account-token-type/artifacthub-pkg.yaml b/other-cel/deny-secret-service-account-token-type/artifacthub-pkg.yaml index 54d22db56..79870e861 100644 --- a/other-cel/deny-secret-service-account-token-type/artifacthub-pkg.yaml +++ b/other-cel/deny-secret-service-account-token-type/artifacthub-pkg.yaml 
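Review bot: The last added line is a whitespace-only line without a trailing newline (`+ ` followed by `\ No newline at end of file`), which yamllint reports as trailing whitespace; drop it and end the file with a single newline after the second `message`. The same whitespace-only final line is appended to `.kyverno-test/kyverno-test.yaml` earlier in this commit. Apart from that, the two expressions reproduce the removed pattern rules for `spec.containers`, and merging them into one rule matches the updated kyverno-test results.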
@@ -26,6 +26,6 @@ readme: | annotations: kyverno/category: "Security in CEL" kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Secret" -digest: 7fa15f20634f82aa6de4f5c10c449a2ef43919979671323ed571f0ce233ccefa + kyverno/subject: "Secret, ServiceAccount" +digest: 16324f38031f70d4a971bde9673ca51e70455478b832a005cbb415ee901f5e56 createdAt: "2024-03-22T07:40:19Z" \ No newline at end of file diff --git a/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml b/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml index b51df4a0d..fbd371e1f 100644 --- a/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml +++ b/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml @@ -8,7 +8,7 @@ metadata: kyverno.io/kubernetes-version: "1.26-1.27" kyverno.io/kyverno-version: 1.11.0 policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Secret + policies.kyverno.io/subject: Secret, ServiceAccount policies.kyverno.io/description: >- Before version 1.24, Kubernetes automatically generated Secret-based tokens for ServiceAccounts. When creating a Secret, you can specify its type using the diff --git a/other/deny-secret-service-account-token-type/artifacthub-pkg.yaml b/other/deny-secret-service-account-token-type/artifacthub-pkg.yaml index 1f9bc88b9..ef11879ba 100644 --- a/other/deny-secret-service-account-token-type/artifacthub-pkg.yaml +++ b/other/deny-secret-service-account-token-type/artifacthub-pkg.yaml @@ -26,5 +26,5 @@ readme: | annotations: kyverno/category: "Security" kyverno/kubernetesVersion: "1.27" - kyverno/subject: "Secret" -digest: 106c14ef2f33f3426e8bceaa47f696c7a9a10262955862f680497f3daa34c545 + kyverno/subject: "Secret, ServiceAccount" +digest: 19a0b22cb870d6055ff3cd3e48a987ac1ef6f68ca773d840f4f7f606005859d9 
diff --git a/other/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml b/other/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml index 69059b7be..899f0aef0 100644 --- a/other/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml +++ b/other/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml @@ -8,7 +8,7 @@ metadata: kyverno.io/kubernetes-version: "1.27" kyverno.io/kyverno-version: 1.11.1 policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Secret + policies.kyverno.io/subject: Secret, ServiceAccount policies.kyverno.io/description: >- Before version 1.24, Kubernetes automatically generated Secret-based tokens for ServiceAccounts. When creating a Secret, you can specify its type using the From 4cc921d8e527be57cbb934f587b4eab69d9ad8aa Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 27 Mar 2024 11:46:34 +0000 Subject: [PATCH 27/42] copy docker-socket-requires-label 
Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 ++ .../.chainsaw-test/chainsaw-test.yaml | 38 ++++++++ .../.chainsaw-test/podcontrollers-bad.yaml | 95 ++++++++++++++++++ .../.chainsaw-test/podcontrollers-good.yaml | 97 +++++++++++++++++++ .../.chainsaw-test/pods-bad.yaml | 31 ++++++ .../.chainsaw-test/pods-good.yaml | 55 +++++++++++ .../.kyverno-test/kyverno-test.yaml | 29 ++++++ .../.kyverno-test/resource.yaml | 73 ++++++++++++++ .../artifacthub-pkg.yml | 22 +++++ .../docker-socket-requires-label.yaml | 36 +++++++ 10 files changed, 482 insertions(+) create mode 100755 other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml create mode 100644 other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml create mode 100644 other-cel/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml create mode 100644 other-cel/docker-socket-requires-label/.chainsaw-test/pods-good.yaml create mode 100644 other-cel/docker-socket-requires-label/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/docker-socket-requires-label/.kyverno-test/resource.yaml create mode 100644 other-cel/docker-socket-requires-label/artifacthub-pkg.yml create mode 100644 other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..e73d54241 --- /dev/null +++ b/other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: docker-socket-check +status: + ready: true 
diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..583b43711 --- /dev/null +++ b/other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,38 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: docker-socket-requires-label +spec: + steps: + - name: step-01 + try: + - apply: + file: ../docker-socket-requires-label.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: docker-socket-check + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pods-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pods-bad.yaml + - apply: + file: podcontrollers-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontrollers-bad.yaml diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml new file mode 100644 index 000000000..43d50e08b --- /dev/null +++ b/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml 
@@ -0,0 +1,95 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + allow-docker: "false" + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + volumes: + - name: docker-vol + hostPath: + path: "/var/run/docker.sock" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + volumes: + - name: docker-vol + hostPath: + path: "/var/run/docker.sock" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + allow-docker: "false" + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + volumes: + - name: docker-vol + hostPath: + path: "/var/run/docker.sock" + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + volumes: + - name: docker-vol + hostPath: + path: "/var/run/docker.sock" + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml new file mode 100644 index 000000000..a0275658f --- /dev/null +++ b/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml 
@@ -0,0 +1,97 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + allow-docker: "true" + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + volumes: + - name: docker-vol + hostPath: + path: "/var/run/docker.sock" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + allow-docker: "false" + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + volumes: + - name: foo-vol + hostPath: + path: "/var/foo/bar" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + allow-docker: "true" + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + volumes: + - name: docker-vol + hostPath: + path: "/var/run/docker.sock" + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + allow-docker: "false" + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + volumes: + - name: foo-vol + hostPath: + path: "/var/foo/bar" + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml new file mode 100644 index 000000000..c44eeaa2a --- /dev/null +++ b/other-cel/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - image: busybox:1.35 + name: busybox + volumes: + - name: docker-vol + hostPath: + path: "/var/run/docker.sock" +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + foo: bar + allow-docker: "false" + name: badpod02 +spec: + containers: + - image: busybox:1.35 + name: busybox + volumes: + - name: foo-vol + hostPath: + path: "/var/foo/bar" + - name: docker-vol + hostPath: + path: "/var/run/docker.sock" \ No newline at end of file diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/pods-good.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/pods-good.yaml new file mode 100644 index 000000000..1860c831f --- /dev/null +++ b/other-cel/docker-socket-requires-label/.chainsaw-test/pods-good.yaml @@ -0,0 +1,55 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - image: busybox:1.35 + name: busybox +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + foo: bar + allow-docker: "true" + name: goodpod02 +spec: + containers: + - image: busybox:1.35 + name: busybox +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + foo: bar + allow-docker: "false" + name: goodpod03 +spec: + containers: + - image: busybox:1.35 + name: busybox + volumes: + - name: foo-vol + hostPath: + path: "/var/foo/bar" +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + foo: bar + allow-docker: "true" + name: goodpod04 +spec: + containers: + - image: busybox:1.35 + name: busybox + volumes: + - name: foo-vol + hostPath: + path: "/var/foo/bar" + - name: docker-vol + hostPath: + path: "/var/run/docker.sock" \ No newline at end of file diff --git a/other-cel/docker-socket-requires-label/.kyverno-test/kyverno-test.yaml b/other-cel/docker-socket-requires-label/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..6237feb66 --- /dev/null +++ b/other-cel/docker-socket-requires-label/.kyverno-test/kyverno-test.yaml 
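Review bot: Every negative fixture mounts a hostPath whose `path` is exactly `/var/run/docker.sock`, so the chainsaw steps cannot show how the policy (its hunk lies outside this section) treats other spellings of the same socket, such as `/run/docker.sock` on systems where `/var/run` is a symlink; whether those are in scope is a policy decision, but the fixtures should say so. A comment at the top of pods-bad.yaml, e.g. `# only the canonical /var/run/docker.sock path is exercised; other spellings are out of scope for this test`, would make the intended coverage explicit. goodpod04 in pods-good.yaml mounts the socket with `allow-docker: "true"`, which is the intended positive case and reads correctly.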
@@ -0,0 +1,29 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: docker-socket-check +policies: +- ../docker-socket-requires-label.yaml +resources: +- resource.yaml +results: +- kind: Pod + policy: docker-socket-check + resources: + - nginx-bad-1 + - nginx-bad-2 + result: fail + rule: conditional-anchor-dockersock +- kind: Pod + policy: docker-socket-check + resources: + - nginx-allow-2 + result: pass + rule: conditional-anchor-dockersock +- kind: Pod + policy: docker-socket-check + resources: + - nginx-allow-1 + - nginx-allow-3 + result: skip + rule: conditional-anchor-dockersock diff --git a/other-cel/docker-socket-requires-label/.kyverno-test/resource.yaml b/other-cel/docker-socket-requires-label/.kyverno-test/resource.yaml new file mode 100644 index 000000000..0d121f481 --- /dev/null +++ b/other-cel/docker-socket-requires-label/.kyverno-test/resource.yaml @@ -0,0 +1,73 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + run: nginx + name: nginx-allow-1 +spec: + containers: + - image: nothinghere + name: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + allow-docker: "true" + run: nginx + name: nginx-allow-2 +spec: + containers: + - image: nothinghere + name: nginx + volumes: + - hostPath: + path: /var/run/docker.sock + name: test +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + allow-docker: "false" + run: nginx + name: nginx-allow-3 +spec: + containers: + - image: nothinghere + name: nginx + volumes: + - hostPath: + path: /random/value + name: test +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + allow-docker: "false" + run: nginx + name: nginx-bad-1 +spec: + containers: + - image: nothinghere + name: nginx + volumes: + - hostPath: + path: /var/run/docker.sock + name: test +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + run: nginx + name: nginx-bad-2 +spec: + containers: + - image: nothinghere + name: nginx + volumes: + - hostPath: + path: /var/run/docker.sock + name: test 
diff --git a/other-cel/docker-socket-requires-label/artifacthub-pkg.yml b/other-cel/docker-socket-requires-label/artifacthub-pkg.yml new file mode 100644 index 000000000..d31b5d4c3 --- /dev/null +++ b/other-cel/docker-socket-requires-label/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: docker-socket-requires-label +version: 1.0.0 +displayName: Docker Socket Requires Label +createdAt: "2023-04-10T20:30:04.000Z" +description: >- + Accessing a container engine's socket is for highly specialized use cases and should generally be disabled. If access must be granted, it should be done on an explicit basis. This policy requires that, for any Pod mounting the Docker socket, it must have the label `allow-docker` set to `true`. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/docker-socket-requires-label/docker-socket-requires-label.yaml + ``` +keywords: + - kyverno + - Other +readme: | + Accessing a container engine's socket is for highly specialized use cases and should generally be disabled. If access must be granted, it should be done on an explicit basis. This policy requires that, for any Pod mounting the Docker socket, it must have the label `allow-docker` set to `true`. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other" + kyverno/kubernetesVersion: "1.23" + kyverno/subject: "Pod" +digest: 58e37e4980fab8a47f937fffe55803136c1c5f8083ea33dd4915a6fc4c1d69de diff --git a/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml b/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml new file mode 100644 index 000000000..8760b1138 --- /dev/null +++ b/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml 
@@ -0,0 +1,36 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: docker-socket-check + annotations: + policies.kyverno.io/title: Docker Socket Requires Label + policies.kyverno.io/category: Other + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.8.0 + kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + Accessing a container engine's socket is for highly specialized use cases and should generally + be disabled. If access must be granted, it should be done on an explicit basis. This policy + requires that, for any Pod mounting the Docker socket, it must have the label `allow-docker` set + to `true`. +spec: + validationFailureAction: audit + background: true + rules: + - name: conditional-anchor-dockersock + match: + any: + - resources: + kinds: + - Pod + validate: + message: "If a hostPath volume exists and is set to `/var/run/docker.sock`, the label `allow-docker` must equal `true`." + pattern: + metadata: + labels: + allow-docker: "true" + (spec): + (volumes): + - (hostPath): + path: "/var/run/docker.sock" \ No newline at end of file From c410a45cc96774efb69adb4f6e544874e4c514df Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 27 Mar 2024 12:14:53 +0000 Subject: [PATCH 28/42] convert docker-socket-requires-label to cel Signed-off-by: Chandan-DK --- .../.kyverno-test/kyverno-test.yaml | 14 ++++----- .../artifacthub-pkg.yml | 15 +++++----- .../docker-socket-requires-label.yaml | 30 +++++++++---------- 3 files changed, 28 insertions(+), 31 deletions(-) diff --git a/other-cel/docker-socket-requires-label/.kyverno-test/kyverno-test.yaml b/other-cel/docker-socket-requires-label/.kyverno-test/kyverno-test.yaml index 6237feb66..bdcc535a5 100644 --- a/other-cel/docker-socket-requires-label/.kyverno-test/kyverno-test.yaml +++ b/other-cel/docker-socket-requires-label/.kyverno-test/kyverno-test.yaml 
@@ -13,17 +13,13 @@ results: - nginx-bad-1 - nginx-bad-2 result: fail - rule: conditional-anchor-dockersock -- kind: Pod - policy: docker-socket-check - resources: - - nginx-allow-2 - result: pass - rule: conditional-anchor-dockersock + rule: docker-socket-check - kind: Pod policy: docker-socket-check resources: - nginx-allow-1 + - nginx-allow-2 - nginx-allow-3 - result: skip - rule: conditional-anchor-dockersock + result: pass + rule: docker-socket-check + diff --git a/other-cel/docker-socket-requires-label/artifacthub-pkg.yml b/other-cel/docker-socket-requires-label/artifacthub-pkg.yml index d31b5d4c3..98b509851 100644 --- a/other-cel/docker-socket-requires-label/artifacthub-pkg.yml +++ b/other-cel/docker-socket-requires-label/artifacthub-pkg.yml 
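Review bot: The last added line of this hunk is an empty line after `rule: docker-socket-check`, which leaves kyverno-test.yaml ending in a blank line that yamllint's `empty-lines` rule reports; drop it so the file ends with a single newline. Folding `nginx-allow-1` and `nginx-allow-3` into the `pass` group is consistent with the CEL form of the rule, which evaluates every Pod rather than skipping those without a docker-socket hostPath, so the test change itself looks right.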
@@ -1,22 +1,23 @@ -name: docker-socket-requires-label +name: docker-socket-requires-label-cel version: 1.0.0 -displayName: Docker Socket Requires Label -createdAt: "2023-04-10T20:30:04.000Z" +displayName: Docker Socket Requires Label in CEL expressions description: >- Accessing a container engine's socket is for highly specialized use cases and should generally be disabled. If access must be granted, it should be done on an explicit basis. This policy requires that, for any Pod mounting the Docker socket, it must have the label `allow-docker` set to `true`. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/docker-socket-requires-label/docker-socket-requires-label.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml ``` keywords: - kyverno - Other + - CEL Expressions readme: | Accessing a container engine's socket is for highly specialized use cases and should generally be disabled. If access must be granted, it should be done on an explicit basis. This policy requires that, for any Pod mounting the Docker socket, it must have the label `allow-docker` set to `true`. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.23" + kyverno/category: "Other in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 58e37e4980fab8a47f937fffe55803136c1c5f8083ea33dd4915a6fc4c1d69de +digest: 6453788f2fd528fc85bc30881e012fa625bba4a92700af258b915ef3e9defb34 +createdAt: "2024-03-27T12:13:52Z" diff --git a/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml b/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml index 8760b1138..61bd69993 100644 --- a/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml 
+++ b/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml @@ -3,11 +3,11 @@ kind: ClusterPolicy metadata: name: docker-socket-check annotations: - policies.kyverno.io/title: Docker Socket Requires Label - policies.kyverno.io/category: Other + policies.kyverno.io/title: Docker Socket Requires Label in CEL expressions + policies.kyverno.io/category: Other in CEL policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.8.0 - kyverno.io/kubernetes-version: "1.23" + kyverno.io/kyverno-version: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- Accessing a container engine's socket is for highly specialized use cases and should generally @@ -15,22 +15,22 @@ metadata: requires that, for any Pod mounting the Docker socket, it must have the label `allow-docker` set to `true`. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - - name: conditional-anchor-dockersock + - name: docker-socket-check match: any: - resources: kinds: - Pod validate: - message: "If a hostPath volume exists and is set to `/var/run/docker.sock`, the label `allow-docker` must equal `true`." - pattern: - metadata: - labels: - allow-docker: "true" - (spec): - (volumes): - - (hostPath): - path: "/var/run/docker.sock" \ No newline at end of file + cel: + variables: + - name: hasDockerSocket + expression: "has(object.spec.volumes) && object.spec.volumes.exists(volume, has(volume.hostPath) && volume.hostPath.path == '/var/run/docker.sock')" + - name: isAllowDockerLabelTrue + expression: "has(object.metadata.labels) && 'allow-docker' in object.metadata.labels && object.metadata.labels['allow-docker'] == 'true'" + expressions: + - expression: "!variables.hasDockerSocket || variables.isAllowDockerLabelTrue" + message: "If a hostPath volume exists and is set to `/var/run/docker.sock`, the label `allow-docker` must equal `true`." 
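Review bot: The `hasDockerSocket` expression in the second hunk only recognises the exact string `/var/run/docker.sock`, so a hostPath that mounts the `/run/docker.sock` alias (on most distributions `/var/run` is a symlink to `/run`) or a parent directory of the socket is not covered by this rule; the pattern rule it replaces had the same limit, so this is not a regression, but the CEL form makes the alias cheap to include, e.g. `volume.hostPath.path in ['/var/run/docker.sock', '/run/docker.sock']`, and parent-directory mounts are better handled by a separate hostPath-restriction policy (as the Pod Security baseline does) which the description should point to. The rule still matches `Pod` only, so the Deployment and CronJob fixtures in the chainsaw test rely on Kyverno autogen applying to `validate.cel` rules at the declared `kyverno.io/kyverno-version: 1.11.0`; confirm this, or record it in the policy description. The `policies.kyverno.io/description` scalar starts in the first hunk and runs across the gap into the second, so the two hunks should be read together.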
From f9af0009179138fa197313af8525c30e243097c1 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 27 Mar 2024 12:18:39 +0000 Subject: [PATCH 29/42] rename files for clarity 
Signed-off-by: Chandan-DK --- other-cel/allowed-annotations/.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 other-cel/check-env-vars/.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 20 files changed, 10 insertions(+), 10 deletions(-) rename other-cel/allowed-annotations/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename other-cel/allowed-pod-priorities/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename other-cel/block-ephemeral-containers/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename other-cel/check-env-vars/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename other-cel/check-serviceaccount-secrets/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename other-cel/deny-secret-service-account-token-type/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename 
other-cel/disallow-all-secrets/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename other-cel/disallow-localhost-services/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename other-cel/disallow-secrets-from-env-vars/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename other-cel/docker-socket-requires-label/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) diff --git a/other-cel/allowed-annotations/.chainsaw-test/chainsaw-test.yaml b/other-cel/allowed-annotations/.chainsaw-test/chainsaw-test.yaml index 3c3e9bce9..a4c25fcfd 100755 --- a/other-cel/allowed-annotations/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/allowed-annotations/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: diff --git a/other-cel/allowed-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/allowed-annotations/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/allowed-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/allowed-annotations/.chainsaw-test/policy-ready.yaml diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml index d44e134c5..dab7e146a 100755 --- a/other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml @@ -25,7 +25,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: 
diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml index cd7effb22..79e2a1fe4 100755 --- a/other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml diff --git a/other-cel/check-env-vars/.chainsaw-test/chainsaw-test.yaml b/other-cel/check-env-vars/.chainsaw-test/chainsaw-test.yaml index 81223c1fa..78091c10b 100755 --- a/other-cel/check-env-vars/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/check-env-vars/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: 
diff --git a/other-cel/check-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/check-env-vars/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/check-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/check-env-vars/.chainsaw-test/policy-ready.yaml diff --git a/other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-test.yaml b/other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-test.yaml index 7302d879d..5b0df0a28 100644 --- a/other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-test.yaml @@ -10,7 +10,7 @@ spec: content: | sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../check-serviceaccount-secrets.yaml | kubectl create -f - - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: diff --git a/other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml diff --git a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml index 02a52cde3..7ddb34f91 100644 --- a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: 
diff --git a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml index 5c33a2547..845434f8e 100755 --- a/other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/disallow-all-secrets/.chainsaw-test/policy-ready.yaml diff --git a/other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml b/other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml index 75151179b..c8f4bd17b 100755 --- a/other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: 
diff --git a/other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/disallow-localhost-services/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/disallow-localhost-services/.chainsaw-test/policy-ready.yaml diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml index 500d54752..31ffa4e26 100755 --- a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml index 583b43711..ada8288d6 100755 --- a/other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: 
diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml From 4b38e95f25cc6f0729cd593822a5f5544e03bb5e Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 27 Mar 2024 16:51:43 +0000 Subject: [PATCH 30/42] use autogen for higher level controllers Signed-off-by: Chandan-DK --- .../allowed-pod-priorities.yaml | 58 ------------------- .../artifacthub-pkg.yml | 2 +- 2 files changed, 1 insertion(+), 59 deletions(-) diff --git a/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml b/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml index ec48d59a9..75e052899 100644 --- a/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml +++ b/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml 
@@ -20,36 +20,6 @@ spec: background: true rules: - name: validate-pod-priority - match: - any: - - resources: - kinds: - - Deployment - - DaemonSet - - StatefulSet - - Job - validate: - cel: - paramKind: - apiVersion: v1 - kind: ConfigMap - paramRef: - name: allowed-pod-priorities - namespace: default - parameterNotFoundAction: Deny - variables: - - name: namespaceName - expression: "namespaceObject.metadata.name" - - name: priorities - expression: "variables.namespaceName in params.data ? params.data[variables.namespaceName].split(', ') : []" - expressions: - - expression: "variables.priorities == [] || object.spec.template.spec.priorityClassName in variables.priorities" - messageExpression: >- - 'The Pod PriorityClass ' + object.spec.template.spec.priorityClassName + - ' is not in the list of the following PriorityClasses allowed in this Namespace: ' + - params.data[variables.namespaceName]" - - - name: validate-pod-priority-pods match: any: - resources: 
@@ -75,31 +45,3 @@ spec: 'The Pod PriorityClass ' + object.spec.priorityClassName + ' is not in the list of the following PriorityClasses allowed in this Namespace: ' + params.data[variables.namespaceName] - - - name: validate-pod-priority-cronjob - match: - any: - - resources: - kinds: - - CronJob - validate: - cel: - paramKind: - apiVersion: v1 - kind: ConfigMap - paramRef: - name: allowed-pod-priorities - namespace: default - parameterNotFoundAction: Deny - variables: - - name: namespaceName - expression: "namespaceObject.metadata.name" - - name: priorities - expression: "variables.namespaceName in params.data ? params.data[variables.namespaceName].split(', ') : []" - expressions: - - expression: "variables.priorities == [] || object.spec.jobTemplate.spec.template.spec.priorityClassName in variables.priorities" - messageExpression: >- - 'The Pod PriorityClass ' + object.spec.jobTemplate.spec.template.spec.priorityClassName + - ' is not in the list of the following PriorityClasses allowed in this Namespace: ' + - params.data[variables.namespaceName] - diff --git a/other-cel/allowed-pod-priorities/artifacthub-pkg.yml b/other-cel/allowed-pod-priorities/artifacthub-pkg.yml index 212307ca0..36dfa2485 100644 --- a/other-cel/allowed-pod-priorities/artifacthub-pkg.yml +++ b/other-cel/allowed-pod-priorities/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Sample in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 50c7c13763d4e4f60c07b2b2be53fe821a8901f65349a2b9f4f516b76513e229 +digest: 5d29f810a32ed856fee1c51cbdc00bd84307f2e7c54f3991a5ec2a5d341bbf96 createdAt: "2024-03-19T17:20:47Z" From 3d0faf1f5c5b32b5d2dd6285f79bcbe22ead535f Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 27 Mar 2024 17:24:26 +0000 Subject: [PATCH 31/42] add kyverno tests for block-ephemeral-containers 
Signed-off-by: Chandan-DK --- .../.kyverno-test/kyverno-test.yaml | 25 +++++++ .../.kyverno-test/resource.yaml | 65 +++++++++++++++++++ .../.kyverno-test/kyverno-test.yaml | 25 +++++++ .../.kyverno-test/resource.yaml | 65 +++++++++++++++++++ 4 files changed, 180 insertions(+) create mode 100644 other-cel/block-ephemeral-containers/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/block-ephemeral-containers/.kyverno-test/resource.yaml create mode 100644 other/block-ephemeral-containers/.kyverno-test/kyverno-test.yaml create mode 100644 other/block-ephemeral-containers/.kyverno-test/resource.yaml diff --git a/other-cel/block-ephemeral-containers/.kyverno-test/kyverno-test.yaml b/other-cel/block-ephemeral-containers/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..84814cb06 --- /dev/null +++ b/other-cel/block-ephemeral-containers/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,25 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: block-ephemeral-containers +policies: +- ../block-ephemeral-containers.yaml +resources: +- resource.yaml +results: +- policy: block-ephemeral-containers + rule: block-ephemeral-containers + resources: + - goodpod01 + - goodpod02 + - goodpod03 + kind: Pod + result: pass +- policy: block-ephemeral-containers + rule: block-ephemeral-containers + resources: + - badpod01 + - badpod02 + - badpod03 + kind: Pod + result: fail diff --git a/other-cel/block-ephemeral-containers/.kyverno-test/resource.yaml b/other-cel/block-ephemeral-containers/.kyverno-test/resource.yaml new file mode 100644 index 000000000..e641e696f --- /dev/null +++ b/other-cel/block-ephemeral-containers/.kyverno-test/resource.yaml 
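Review bot: The `fail` expectations for `badpod01`–`badpod03` drive the policy with Pod manifests that carry `spec.ephemeralContainers` at creation, which the Pod create API rejects (ephemeral containers are added through the `pods/ephemeralcontainers` subresource, per the API reference), so this CLI test cannot show whether the policy matches that subresource in a live cluster; the chainsaw test should cover that path, or a comment at the top of kyverno-test.yaml should say it is a CLI-only check, e.g. `# CLI-only: real clusters add ephemeral containers via the pods/ephemeralcontainers subresource`. The `resources:` lists under `results:` are indented while the top-level `policies:` and `resources:` sequences are flush, which yamllint's `indentation` rule flags—pick one style for the file. The identical copies of kyverno-test.yaml and resource.yaml under `other/block-ephemeral-containers/.kyverno-test/` in this patch have the same two points.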
@@ -0,0 +1,65 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + ephemeralContainers: + - name: ephcontainer01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + ephemeralContainers: + - name: ephcontainer01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename + ephemeralContainers: + - name: ephcontainer01 + image: dummyimagename diff --git a/other/block-ephemeral-containers/.kyverno-test/kyverno-test.yaml b/other/block-ephemeral-containers/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..84814cb06 --- /dev/null +++ b/other/block-ephemeral-containers/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,25 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: block-ephemeral-containers +policies: +- ../block-ephemeral-containers.yaml +resources: +- resource.yaml +results: +- policy: block-ephemeral-containers + rule: block-ephemeral-containers + resources: + - goodpod01 + - goodpod02 + - goodpod03 + kind: Pod + result: pass +- policy: block-ephemeral-containers + rule: block-ephemeral-containers + resources: + - badpod01 + - badpod02 + - badpod03 + kind: Pod + result: fail 
diff --git a/other/block-ephemeral-containers/.kyverno-test/resource.yaml b/other/block-ephemeral-containers/.kyverno-test/resource.yaml new file mode 100644 index 000000000..e641e696f --- /dev/null +++ b/other/block-ephemeral-containers/.kyverno-test/resource.yaml @@ -0,0 +1,65 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + ephemeralContainers: + - name: ephcontainer01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + ephemeralContainers: + - name: ephcontainer01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename + ephemeralContainers: + - name: ephcontainer01 + image: dummyimagename From 20563d9220eeb69a382fa41cd7c096c710b91239 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 28 Mar 2024 18:18:10 +0000 Subject: [PATCH 32/42] use autogen in allowed-pod-priorities kyverno policy Signed-off-by: Chandan-DK --- .../.kyverno-test/kyverno-test.yaml | 6 +-- .../.kyverno-test/resource.yaml | 2 +- .../.kyverno-test/values.yaml | 16 ++----- .../allowed-pod-priorities.yaml | 45 ------------------- .../artifacthub-pkg.yml | 2 +- 5 files changed, 9 insertions(+), 62 deletions(-) 
diff --git a/other/allowed-pod-priorities/.kyverno-test/kyverno-test.yaml b/other/allowed-pod-priorities/.kyverno-test/kyverno-test.yaml index 3ca64a787..cbafc79f4 100644 --- a/other/allowed-pod-priorities/.kyverno-test/kyverno-test.yaml +++ b/other/allowed-pod-priorities/.kyverno-test/kyverno-test.yaml @@ -16,13 +16,13 @@ results: - kind: CronJob policy: allowed-podpriorities resources: - - hello + - mycronjob result: pass - rule: validate-pod-priority-cronjob + rule: validate-pod-priority - kind: Pod policy: allowed-podpriorities resources: - myapp-pod result: pass - rule: validate-pod-priority-pods + rule: validate-pod-priority variables: values.yaml diff --git a/other/allowed-pod-priorities/.kyverno-test/resource.yaml b/other/allowed-pod-priorities/.kyverno-test/resource.yaml index 389e055f0..6e1aa5096 100644 --- a/other/allowed-pod-priorities/.kyverno-test/resource.yaml +++ b/other/allowed-pod-priorities/.kyverno-test/resource.yaml @@ -35,7 +35,7 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: - name: hello + name: mycronjob namespace: production spec: schedule: "*/1 * * * *" diff --git a/other/allowed-pod-priorities/.kyverno-test/values.yaml b/other/allowed-pod-priorities/.kyverno-test/values.yaml index 6dbab6e10..b0696ce63 100644 --- a/other/allowed-pod-priorities/.kyverno-test/values.yaml +++ b/other/allowed-pod-priorities/.kyverno-test/values.yaml 
@@ -2,24 +2,16 @@ apiVersion: cli.kyverno.io/v1alpha1
 kind: Values
 policies:
 - name: allowed-podpriorities
- rules:
- - name: validate-pod-priority-pods
+ resources:
+ - name: myapp-pod
 values:
 podprioritydict.data.default: '["high-priority", "moderate-priority", "low-priority"]'
 request.namespace: default
- - name: validate-pod-priority
+ - name: mydeploy
 values:
 podprioritydict.data.default: '["high-priority", "moderate-priority", "low-priority"]'
 request.namespace: default
- - name: validate-pod-priority-cronjob
+ - name: mycronjob
 values:
 podprioritydict.data.production: '["high-priority", "moderate-priority", "low-priority"]'
 request.namespace: production
- - name: autogen-validate-pod-priority-pods
- values:
- podprioritydict.data.default: '["high-priority", "moderate-priority", "low-priority"]'
- request.namespace: default
- - name: autogen-cronjob-validate-pod-priority-pods
- values:
- podprioritydict.data.default: '["high-priority", "moderate-priority", "low-priority"]'
- request.namespace: default
diff --git a/other/allowed-pod-priorities/allowed-pod-priorities.yaml b/other/allowed-pod-priorities/allowed-pod-priorities.yaml
index d8e79a14e..2d3ff6fdb 100644
--- a/other/allowed-pod-priorities/allowed-pod-priorities.yaml
+++ b/other/allowed-pod-priorities/allowed-pod-priorities.yaml
@@ -19,30 +19,6 @@ spec:
 background: true
 rules:
 - name: validate-pod-priority
- context:
- - name: podprioritydict
- configMap:
- name: allowed-pod-priorities
- namespace: default
- match:
- any:
- - resources:
- kinds:
- - Deployment
- - DaemonSet
- - StatefulSet
- - Job
- validate:
- message: >-
- The Pod PriorityClass {{ request.object.spec.template.spec.priorityClassName }} is not in the list
- of the following PriorityClasses allowed in this Namespace: {{ podprioritydict.data."{{request.namespace}}" }}.
- deny:
- conditions:
- any:
- - key: "{{ request.object.spec.template.spec.priorityClassName }}"
- operator: AnyNotIn
- value: '{{ podprioritydict.data."{{request.namespace}}" || "" }}'
- - name: validate-pod-priority-pods
 context:
 - name: podprioritydict
 configMap:
@@ -63,24 +39,3 @@ spec:
 - key: "{{ request.object.spec.priorityClassName || '' }}"
 operator: AnyNotIn
 value: '{{ podprioritydict.data."{{request.namespace}}" || "" }}'
- - name: validate-pod-priority-cronjob
- context:
- - name: podprioritydict
- configMap:
- name: allowed-pod-priorities
- namespace: default
- match:
- any:
- - resources:
- kinds:
- - CronJob
- validate:
- message: >-
- The Pod PriorityClass {{ request.object.spec.jobTemplate.spec.template.spec.priorityClassName }} is not in the list
- of the following PriorityClasses allowed in this Namespace: {{ podprioritydict.data."{{request.namespace}}" }}.
- deny:
- conditions:
- any:
- - key: "{{ request.object.spec.jobTemplate.spec.template.spec.priorityClassName }}"
- operator: AnyNotIn
- value: '{{ podprioritydict.data."{{request.namespace}}" || "" }}'
diff --git a/other/allowed-pod-priorities/artifacthub-pkg.yml b/other/allowed-pod-priorities/artifacthub-pkg.yml
index 9f01f1dcf..8e4de7306 100644
--- a/other/allowed-pod-priorities/artifacthub-pkg.yml
+++ b/other/allowed-pod-priorities/artifacthub-pkg.yml
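Review bot: With the explicit Deployment/DaemonSet/StatefulSet/Job rule (first hunk) and the CronJob rule (second hunk) deleted, controller coverage now rests entirely on Kyverno's rule auto-generation from the surviving `validate-pod-priority` rule, whose `match` block sits between the two hunks and is not visible here; autogen only takes effect if that rule matches `Pod` and autogen has not been disabled on the policy, so that assumption deserves a comment above the rule such as `# Controllers (Deployment, StatefulSet, Job, CronJob, ...) are covered by Kyverno autogen; do not add explicit controller rules.` The removed controller rules used a bare `{{ request.object.spec.template.spec.priorityClassName }}` key, whereas the kept deny condition defaults a missing priorityClassName to `''`, so the generated controller rules inherit that default and the expected verdict for a controller whose template sets no priority class should be pinned in the kyverno test. The kept `value: '{{ podprioritydict.data."{{request.namespace}}" || "" }}'` also falls back to an empty allow-list for a namespace that has no entry in the ConfigMap; whether that denies everything or nothing depends on how `AnyNotIn` treats an empty value, which a fixture in such a namespace would make explicit.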
@@ -18,4 +18,4 @@ readme: |
 annotations:
 kyverno/category: "Sample"
 kyverno/subject: "Pod"
-digest: dfee34072f20005571e9d91d5f6f34a13b0874332196641ea43e67c7da1a4a1a
+digest: 23857e576e4bdd7558082cd538b771f6714dd5d9ba39e32b064517dd701b9be7
From 192245f042e3c50b11417c536f47ff949d904535 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sat, 30 Mar 2024 17:49:29 +0000
Subject: [PATCH 33/42] add new lines at the end of files
Signed-off-by: Chandan-DK --- .../allowed-annotations/.chainsaw-test/chainsaw-test.yaml | 1 + other-cel/allowed-annotations/.chainsaw-test/pod-bad.yaml | 3 ++- other-cel/allowed-annotations/.chainsaw-test/pod-good.yaml | 3 ++- .../allowed-annotations/.chainsaw-test/podcontroller-bad.yaml | 3 ++- .../allowed-annotations/.chainsaw-test/podcontroller-good.yaml | 3 ++- other-cel/allowed-annotations/.chainsaw-test/policy-ready.yaml | 1 + other-cel/allowed-annotations/.kyverno-test/kyverno-test.yaml | 1 + other-cel/allowed-annotations/.kyverno-test/resource.yaml | 2 +- .../allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml | 1 + other-cel/allowed-pod-priorities/.chainsaw-test/cm.yaml | 3 ++- other-cel/allowed-pod-priorities/.chainsaw-test/ns.yaml | 3 ++- other-cel/allowed-pod-priorities/.chainsaw-test/pc.yaml | 3 ++- other-cel/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml | 3 ++- other-cel/allowed-pod-priorities/.chainsaw-test/pod-good.yaml | 3 ++- .../.chainsaw-test/podcontroller-bad.yaml | 3 ++- .../.chainsaw-test/podcontroller-good.yaml | 3 ++- .../allowed-pod-priorities/.chainsaw-test/policy-ready.yaml | 1 + .../allowed-pod-priorities/.chainsaw-test/priorityClass.yaml | 3 ++- other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml | 1 + other-cel/allowed-pod-priorities/artifacthub-pkg.yml | 3 ++- .../.chainsaw-test/chainsaw-test.yaml | 1 + other-cel/block-ephemeral-containers/.chainsaw-test/ns.yaml | 3 ++- other-cel/block-ephemeral-containers/.chainsaw-test/pod.yaml | 3 ++- .../.chainsaw-test/podcontrollers.yaml | 3 ++- .../.chainsaw-test/policy-ready.yaml | 1 + .../block-ephemeral-containers/.kyverno-test/kyverno-test.yaml | 1 + .../block-ephemeral-containers/.kyverno-test/resource.yaml | 1 + other-cel/block-ephemeral-containers/artifacthub-pkg.yml | 1 + other-cel/check-env-vars/.chainsaw-test/chainsaw-test.yaml | 1 + .../check-env-vars/.chainsaw-test/podcontrollers-bad.yaml | 3 ++- .../check-env-vars/.chainsaw-test/podcontrollers-good.yaml | 3 ++- 
other-cel/check-env-vars/.chainsaw-test/pods-bad.yaml | 3 ++- other-cel/check-env-vars/.chainsaw-test/pods-good.yaml | 3 ++- other-cel/check-env-vars/.chainsaw-test/policy-ready.yaml | 1 + other-cel/check-env-vars/.kyverno-test/kyverno-test.yaml | 1 + other-cel/check-env-vars/.kyverno-test/resource.yaml | 1 + other-cel/check-env-vars/artifacthub-pkg.yml | 3 ++- other-cel/check-env-vars/check-env-vars.yaml | 1 + other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml | 3 ++- .../check-node-for-cve-2022-0185.yaml | 2 +- .../.chainsaw-test/bad-svc-account.yaml | 3 ++- .../.chainsaw-test/chainsaw-test.yaml | 3 ++- .../.chainsaw-test/good-svc-account.yaml | 1 + .../.chainsaw-test/policy-ready.yaml | 1 + .../.kyverno-test/kyverno-test.yaml | 3 ++- other-cel/check-serviceaccount-secrets/artifacthub-pkg.yaml | 1 + .../check-serviceaccount-secrets.yaml | 1 + .../.chainsaw-test/bad-secret.yaml | 3 ++- .../.chainsaw-test/chainsaw-test.yaml | 1 + .../.chainsaw-test/good-secret.yaml | 3 ++- .../.chainsaw-test/policy-ready.yaml | 3 ++- .../.kyverno-test/kyverno-test.yaml | 3 ++- .../.kyverno-test/resource.yaml | 3 ++- .../artifacthub-pkg.yaml | 3 ++- .../deny-secret-service-account-token-type.yaml | 2 +- .../disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml | 1 + .../.chainsaw-test/podcontrollers-bad.yaml | 3 ++- .../.chainsaw-test/podcontrollers-good.yaml | 3 ++- other-cel/disallow-all-secrets/.chainsaw-test/pods-bad.yaml | 3 ++- other-cel/disallow-all-secrets/.chainsaw-test/pods-good.yaml | 3 ++- .../disallow-all-secrets/.chainsaw-test/policy-ready.yaml | 1 + other-cel/disallow-all-secrets/.kyverno-test/kyverno-test.yaml | 1 + other-cel/disallow-all-secrets/.kyverno-test/resource.yaml | 2 +- other-cel/disallow-all-secrets/artifacthub-pkg.yml | 3 ++- other-cel/disallow-all-secrets/disallow-all-secrets.yaml | 2 +- .../.chainsaw-test/chainsaw-test.yaml | 1 + .../.chainsaw-test/policy-ready.yaml | 1 + .../disallow-localhost-services/.chainsaw-test/svc-bad.yaml | 3 ++- 
.../disallow-localhost-services/.chainsaw-test/svc-good.yaml | 3 ++- .../.kyverno-test/kyverno-test.yaml | 1 + .../disallow-localhost-services/.kyverno-test/resource.yaml | 3 ++- other-cel/disallow-localhost-services/artifacthub-pkg.yml | 3 ++- .../disallow-localhost-services.yaml | 2 +- .../.chainsaw-test/chainsaw-test.yaml | 1 + .../.chainsaw-test/podcontrollers-bad.yaml | 3 ++- .../.chainsaw-test/podcontrollers-good.yaml | 3 ++- .../.chainsaw-test/pods-bad.yaml | 3 ++- .../.chainsaw-test/pods-good.yaml | 3 ++- .../.chainsaw-test/policy-ready.yaml | 1 + .../.kyverno-test/kyverno-test.yaml | 2 +- other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml | 3 ++- .../disallow-secrets-from-env-vars.yaml | 2 +- .../.chainsaw-test/chainsaw-test.yaml | 1 + .../.chainsaw-test/podcontrollers-bad.yaml | 3 ++- .../.chainsaw-test/podcontrollers-good.yaml | 3 ++- .../docker-socket-requires-label/.chainsaw-test/pods-bad.yaml | 3 ++- .../docker-socket-requires-label/.chainsaw-test/pods-good.yaml | 3 ++- .../.chainsaw-test/policy-ready.yaml | 1 + .../docker-socket-requires-label/.kyverno-test/resource.yaml | 1 + other-cel/docker-socket-requires-label/artifacthub-pkg.yml | 3 ++- .../docker-socket-requires-label.yaml | 1 + 91 files changed, 141 insertions(+), 58 deletions(-) diff --git a/other-cel/allowed-annotations/.chainsaw-test/chainsaw-test.yaml b/other-cel/allowed-annotations/.chainsaw-test/chainsaw-test.yaml index a4c25fcfd..0b3284bbd 100755 --- a/other-cel/allowed-annotations/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/allowed-annotations/.chainsaw-test/chainsaw-test.yaml @@ -36,3 +36,4 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + diff --git a/other-cel/allowed-annotations/.chainsaw-test/pod-bad.yaml b/other-cel/allowed-annotations/.chainsaw-test/pod-bad.yaml index 0b5d757e4..942e56ff7 100644 --- a/other-cel/allowed-annotations/.chainsaw-test/pod-bad.yaml +++ b/other-cel/allowed-annotations/.chainsaw-test/pod-bad.yaml 
@@ -43,4 +43,5 @@ metadata: spec: containers: - name: pod-01 - image: busybox:1.35 \ No newline at end of file + image: busybox:1.35 + diff --git a/other-cel/allowed-annotations/.chainsaw-test/pod-good.yaml b/other-cel/allowed-annotations/.chainsaw-test/pod-good.yaml index 562703bde..a71a48fcb 100644 --- a/other-cel/allowed-annotations/.chainsaw-test/pod-good.yaml +++ b/other-cel/allowed-annotations/.chainsaw-test/pod-good.yaml @@ -41,4 +41,5 @@ metadata: spec: containers: - name: pod-01 - image: busybox:1.35 \ No newline at end of file + image: busybox:1.35 + diff --git a/other-cel/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml b/other-cel/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml index 5fc6b883c..56f826e9a 100644 --- a/other-cel/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml +++ b/other-cel/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml @@ -90,4 +90,5 @@ spec: command: - "sleep" - "3600" - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure + diff --git a/other-cel/allowed-annotations/.chainsaw-test/podcontroller-good.yaml b/other-cel/allowed-annotations/.chainsaw-test/podcontroller-good.yaml index 0fb2af431..41f409f6c 100644 --- a/other-cel/allowed-annotations/.chainsaw-test/podcontroller-good.yaml +++ b/other-cel/allowed-annotations/.chainsaw-test/podcontroller-good.yaml @@ -128,4 +128,5 @@ spec: command: - "sleep" - "3600" - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure + diff --git a/other-cel/allowed-annotations/.chainsaw-test/policy-ready.yaml b/other-cel/allowed-annotations/.chainsaw-test/policy-ready.yaml index 089b2140f..e86a1d14c 100755 --- a/other-cel/allowed-annotations/.chainsaw-test/policy-ready.yaml +++ b/other-cel/allowed-annotations/.chainsaw-test/policy-ready.yaml @@ -4,3 +4,4 @@ metadata: name: allowed-annotations status: ready: true + 
diff --git a/other-cel/allowed-annotations/.kyverno-test/kyverno-test.yaml b/other-cel/allowed-annotations/.kyverno-test/kyverno-test.yaml index 2e46de21c..4ebfa364c 100644 --- a/other-cel/allowed-annotations/.kyverno-test/kyverno-test.yaml +++ b/other-cel/allowed-annotations/.kyverno-test/kyverno-test.yaml @@ -19,3 +19,4 @@ results: - goodpod01 result: pass rule: allowed-fluxcd-annotations + diff --git a/other-cel/allowed-annotations/.kyverno-test/resource.yaml b/other-cel/allowed-annotations/.kyverno-test/resource.yaml index a4183a5e2..659009b95 100644 --- a/other-cel/allowed-annotations/.kyverno-test/resource.yaml +++ b/other-cel/allowed-annotations/.kyverno-test/resource.yaml @@ -26,4 +26,4 @@ spec: containers: - name: busybox image: registry.corp/sdf3vhadfa:1.28 ---- \ No newline at end of file +--- diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml index dab7e146a..8bd44427b 100755 --- a/other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml @@ -42,3 +42,4 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/cm.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/cm.yaml index 7b931d2d4..555b7e5dc 100644 --- a/other-cel/allowed-pod-priorities/.chainsaw-test/cm.yaml +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/cm.yaml @@ -5,4 +5,5 @@ data: kind: ConfigMap metadata: name: allowed-pod-priorities - namespace: default \ No newline at end of file + namespace: default + diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/ns.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/ns.yaml index a15a1d3a8..5a95db206 100644 --- a/other-cel/allowed-pod-priorities/.chainsaw-test/ns.yaml +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/ns.yaml 
@@ -6,4 +6,5 @@ metadata: apiVersion: v1 kind: Namespace metadata: - name: no-priority-ns \ No newline at end of file + name: no-priority-ns + diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/pc.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/pc.yaml index d45539655..817a2a8eb 100644 --- a/other-cel/allowed-pod-priorities/.chainsaw-test/pc.yaml +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/pc.yaml @@ -28,4 +28,5 @@ metadata: name: foo value: 100000 globalDefault: false -description: "This priority class should be used for XYZ service pods only." \ No newline at end of file +description: "This priority class should be used for XYZ service pods only." + diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml index c94fdd994..a74a0559a 100644 --- a/other-cel/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml @@ -18,4 +18,5 @@ spec: containers: - name: pod01 image: busybox:1.35 - priorityClassName: low \ No newline at end of file + priorityClassName: low + diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/pod-good.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/pod-good.yaml index 962082c47..cd959257d 100644 --- a/other-cel/allowed-pod-priorities/.chainsaw-test/pod-good.yaml +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/pod-good.yaml @@ -48,4 +48,5 @@ spec: containers: - name: pod01 image: busybox:1.35 - priorityClassName: low \ No newline at end of file + priorityClassName: low + diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml index 4c0ae45ee..df4200b22 100644 --- a/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml 
@@ -76,4 +76,5 @@ spec: containers: - name: bb-01 image: kyverno - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure + diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml index 2c3d6c0c0..7bbd8cba6 100644 --- a/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml @@ -76,4 +76,5 @@ spec: containers: - name: bb-01 image: kyverno - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure + diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml index 5bf922bad..668c9f4fc 100755 --- a/other-cel/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml @@ -4,3 +4,4 @@ metadata: name: allowed-podpriorities status: ready: true + diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/priorityClass.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/priorityClass.yaml index 36967fa20..e33fe7984 100644 --- a/other-cel/allowed-pod-priorities/.chainsaw-test/priorityClass.yaml +++ b/other-cel/allowed-pod-priorities/.chainsaw-test/priorityClass.yaml @@ -4,4 +4,5 @@ metadata: name: high-priority value: 1000000 globalDefault: false -description: "This priority class should be used for XYZ service pods only." \ No newline at end of file +description: "This priority class should be used for XYZ service pods only." + diff --git a/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml b/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml index 75e052899..3f1dd2c03 100644 --- a/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml +++ b/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml 
@@ -45,3 +45,4 @@ spec: 'The Pod PriorityClass ' + object.spec.priorityClassName + ' is not in the list of the following PriorityClasses allowed in this Namespace: ' + params.data[variables.namespaceName] + diff --git a/other-cel/allowed-pod-priorities/artifacthub-pkg.yml b/other-cel/allowed-pod-priorities/artifacthub-pkg.yml index 36dfa2485..e09855f14 100644 --- a/other-cel/allowed-pod-priorities/artifacthub-pkg.yml +++ b/other-cel/allowed-pod-priorities/artifacthub-pkg.yml @@ -19,5 +19,6 @@ annotations: kyverno/category: "Sample in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 5d29f810a32ed856fee1c51cbdc00bd84307f2e7c54f3991a5ec2a5d341bbf96 +digest: a017b81b233cd26270cd2d5f74724846c44b9782997545805014a585115bf1f2 createdAt: "2024-03-19T17:20:47Z" + diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml index 79e2a1fe4..bf3b869c1 100755 --- a/other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml @@ -49,3 +49,4 @@ spec: content: kubectl delete deployments --all --force --grace-period=0 -n block-ephemeral-ns - script: content: kubectl delete pods --all --force --grace-period=0 -n block-ephemeral-ns + diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/ns.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/ns.yaml index 617129b70..9881b9cb0 100644 --- a/other-cel/block-ephemeral-containers/.chainsaw-test/ns.yaml +++ b/other-cel/block-ephemeral-containers/.chainsaw-test/ns.yaml @@ -1,4 +1,5 @@ apiVersion: v1 kind: Namespace metadata: - name: block-ephemeral-ns \ No newline at end of file + name: block-ephemeral-ns + diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/pod.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/pod.yaml index df553857f..0125550fd 100644 
--- a/other-cel/block-ephemeral-containers/.chainsaw-test/pod.yaml +++ b/other-cel/block-ephemeral-containers/.chainsaw-test/pod.yaml @@ -42,4 +42,5 @@ spec: command: ["sleep", "300"] - name: busybox02 image: busybox:1.35 - command: ["sleep", "300"] \ No newline at end of file + command: ["sleep", "300"] + diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml index 5213371c9..6efc61a3f 100644 --- a/other-cel/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml +++ b/other-cel/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml @@ -22,4 +22,5 @@ spec: command: ["sleep", "300"] - name: bb2 image: busybox:1.35 - command: ["sleep", "300"] \ No newline at end of file + command: ["sleep", "300"] + diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml index 1a9877928..612f342f3 100755 --- a/other-cel/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml +++ b/other-cel/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml @@ -4,3 +4,4 @@ metadata: name: block-ephemeral-containers status: ready: true + diff --git a/other-cel/block-ephemeral-containers/.kyverno-test/kyverno-test.yaml b/other-cel/block-ephemeral-containers/.kyverno-test/kyverno-test.yaml index 84814cb06..7d1210a48 100644 --- a/other-cel/block-ephemeral-containers/.kyverno-test/kyverno-test.yaml +++ b/other-cel/block-ephemeral-containers/.kyverno-test/kyverno-test.yaml @@ -23,3 +23,4 @@ results: - badpod03 kind: Pod result: fail + diff --git a/other-cel/block-ephemeral-containers/.kyverno-test/resource.yaml b/other-cel/block-ephemeral-containers/.kyverno-test/resource.yaml index e641e696f..ba498bf1f 100644 --- a/other-cel/block-ephemeral-containers/.kyverno-test/resource.yaml +++ b/other-cel/block-ephemeral-containers/.kyverno-test/resource.yaml 
@@ -63,3 +63,4 @@ spec: ephemeralContainers: - name: ephcontainer01 image: dummyimagename + diff --git a/other-cel/block-ephemeral-containers/artifacthub-pkg.yml b/other-cel/block-ephemeral-containers/artifacthub-pkg.yml index 6457e474a..370efc51c 100644 --- a/other-cel/block-ephemeral-containers/artifacthub-pkg.yml +++ b/other-cel/block-ephemeral-containers/artifacthub-pkg.yml @@ -21,3 +21,4 @@ annotations: kyverno/subject: "Pod" digest: 13da34209be549d9904eb9142840242db2ae000b1935e8c3c84d23368886fab9 createdAt: "2024-03-20T08:34:56Z" + diff --git a/other-cel/check-env-vars/.chainsaw-test/chainsaw-test.yaml b/other-cel/check-env-vars/.chainsaw-test/chainsaw-test.yaml index 78091c10b..898591ce7 100755 --- a/other-cel/check-env-vars/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/check-env-vars/.chainsaw-test/chainsaw-test.yaml @@ -36,3 +36,4 @@ spec: - check: ($error != null): true file: podcontrollers-bad.yaml + diff --git a/other-cel/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml index 6b1056a69..d45f5e825 100644 --- a/other-cel/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml +++ b/other-cel/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml @@ -56,4 +56,5 @@ spec: value: bar - name: DISABLE_OPA value: "true" - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure + diff --git a/other-cel/check-env-vars/.chainsaw-test/podcontrollers-good.yaml b/other-cel/check-env-vars/.chainsaw-test/podcontrollers-good.yaml index 91e7d8b6e..a5bb12fe4 100644 --- a/other-cel/check-env-vars/.chainsaw-test/podcontrollers-good.yaml +++ b/other-cel/check-env-vars/.chainsaw-test/podcontrollers-good.yaml @@ -56,4 +56,5 @@ spec: value: bar - name: DISABLE_OPA value: "false" - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure + 
diff --git a/other-cel/check-env-vars/.chainsaw-test/pods-bad.yaml b/other-cel/check-env-vars/.chainsaw-test/pods-bad.yaml index 6712da27d..0e73ec3d5 100644 --- a/other-cel/check-env-vars/.chainsaw-test/pods-bad.yaml +++ b/other-cel/check-env-vars/.chainsaw-test/pods-bad.yaml @@ -89,4 +89,5 @@ spec: name: busybox02 env: - name: DISABLE_OPA - value: "true" \ No newline at end of file + value: "true" + diff --git a/other-cel/check-env-vars/.chainsaw-test/pods-good.yaml b/other-cel/check-env-vars/.chainsaw-test/pods-good.yaml index 0fe74a3b0..5ed8c10f5 100644 --- a/other-cel/check-env-vars/.chainsaw-test/pods-good.yaml +++ b/other-cel/check-env-vars/.chainsaw-test/pods-good.yaml @@ -44,4 +44,5 @@ spec: - image: busybox:1.35 name: busybox - image: busybox:1.35 - name: busybox02 \ No newline at end of file + name: busybox02 + diff --git a/other-cel/check-env-vars/.chainsaw-test/policy-ready.yaml b/other-cel/check-env-vars/.chainsaw-test/policy-ready.yaml index a1a66e266..85d6f8e34 100755 --- a/other-cel/check-env-vars/.chainsaw-test/policy-ready.yaml +++ b/other-cel/check-env-vars/.chainsaw-test/policy-ready.yaml @@ -4,3 +4,4 @@ metadata: name: check-env-vars status: ready: true + diff --git a/other-cel/check-env-vars/.kyverno-test/kyverno-test.yaml b/other-cel/check-env-vars/.kyverno-test/kyverno-test.yaml index 95ea8d9f6..6bcfe92b2 100644 --- a/other-cel/check-env-vars/.kyverno-test/kyverno-test.yaml +++ b/other-cel/check-env-vars/.kyverno-test/kyverno-test.yaml @@ -20,3 +20,4 @@ results: - pod-without-opa-env result: pass rule: check-disable-opa + diff --git a/other-cel/check-env-vars/.kyverno-test/resource.yaml b/other-cel/check-env-vars/.kyverno-test/resource.yaml index 86b8239de..b62815746 100644 --- a/other-cel/check-env-vars/.kyverno-test/resource.yaml +++ b/other-cel/check-env-vars/.kyverno-test/resource.yaml @@ -33,3 +33,4 @@ spec: containers: - image: quay.io/sdase/sdase-version-collector name: myservice + 
diff --git a/other-cel/check-env-vars/artifacthub-pkg.yml b/other-cel/check-env-vars/artifacthub-pkg.yml index ae636c042..6fb029914 100644 --- a/other-cel/check-env-vars/artifacthub-pkg.yml +++ b/other-cel/check-env-vars/artifacthub-pkg.yml @@ -19,5 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 58857846eda62ba894f21d0dcea7e50a33a698038e66ebf1871c7b36922c5589 +digest: 3cf38de6f83c3a51ab01548ea6fc0ae1f69538a5c0ed2f163180eaea1c60e4aa createdAt: "2024-03-21T13:31:53Z" + diff --git a/other-cel/check-env-vars/check-env-vars.yaml b/other-cel/check-env-vars/check-env-vars.yaml index 1803c98f3..b894fe30c 100644 --- a/other-cel/check-env-vars/check-env-vars.yaml +++ b/other-cel/check-env-vars/check-env-vars.yaml @@ -32,3 +32,4 @@ spec: !object.spec.containers.exists(container, has(container.env) && container.env.exists(e, e.name == 'DISABLE_OPA' && e.value == 'true')) message: "DISABLE_OPA must not be set to true." + diff --git a/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml b/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml index e52a59abf..8c045eaa9 100644 --- a/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml +++ b/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml @@ -19,5 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Node" -digest: b422e9817a282dd268c90c7cb2f74a9e9760e8f8a654645bed1a9976581b8318 +digest: c45321cd579c25bc971467d63d146c6ebef7942b94f72069b6d4d97f332f2df3 createdAt: "2024-03-21T14:21:00Z" + diff --git a/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml b/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml index fd0fb0727..41937ed07 100644 --- a/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml +++ b/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml 
@@ -31,4 +31,4 @@ spec: expressions: - expression: "!(object.status.nodeInfo.kernelVersion in ['5.10.84-1', '5.15.5-2'])" message: "Kernel is vulnerable to CVE-2022-0185." - \ No newline at end of file + diff --git a/other-cel/check-serviceaccount-secrets/.chainsaw-test/bad-svc-account.yaml b/other-cel/check-serviceaccount-secrets/.chainsaw-test/bad-svc-account.yaml index a88b34090..2a6640f04 100644 --- a/other-cel/check-serviceaccount-secrets/.chainsaw-test/bad-svc-account.yaml +++ b/other-cel/check-serviceaccount-secrets/.chainsaw-test/bad-svc-account.yaml @@ -4,4 +4,5 @@ metadata: name: bad-svc-account-02 namespace: default secrets: - - name: example-automated-thing-token-zyxwv \ No newline at end of file + - name: example-automated-thing-token-zyxwv + diff --git a/other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-test.yaml b/other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-test.yaml index 5b0df0a28..92cb193cf 100644 --- a/other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-test.yaml @@ -26,4 +26,5 @@ spec: ref: apiVersion: kyverno.io/v1 kind: ClusterPolicy - name: check-serviceaccount-secrets \ No newline at end of file + name: check-serviceaccount-secrets + diff --git a/other-cel/check-serviceaccount-secrets/.chainsaw-test/good-svc-account.yaml b/other-cel/check-serviceaccount-secrets/.chainsaw-test/good-svc-account.yaml index 72fe039cf..9aceacc4e 100644 --- a/other-cel/check-serviceaccount-secrets/.chainsaw-test/good-svc-account.yaml +++ b/other-cel/check-serviceaccount-secrets/.chainsaw-test/good-svc-account.yaml @@ -3,3 +3,4 @@ kind: ServiceAccount metadata: name: good-svc-account namespace: default + diff --git a/other-cel/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml b/other-cel/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml index 3ff132b35..f0246f6f7 100644 
--- a/other-cel/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml +++ b/other-cel/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml @@ -4,3 +4,4 @@ metadata: name: check-serviceaccount-secrets status: ready: true + diff --git a/other-cel/check-serviceaccount-secrets/.kyverno-test/kyverno-test.yaml b/other-cel/check-serviceaccount-secrets/.kyverno-test/kyverno-test.yaml index f2438227d..a3ca211f3 100644 --- a/other-cel/check-serviceaccount-secrets/.kyverno-test/kyverno-test.yaml +++ b/other-cel/check-serviceaccount-secrets/.kyverno-test/kyverno-test.yaml @@ -18,4 +18,5 @@ results: resources: - good-svc-account result: pass - rule: deny-secrets \ No newline at end of file + rule: deny-secrets + diff --git a/other-cel/check-serviceaccount-secrets/artifacthub-pkg.yaml b/other-cel/check-serviceaccount-secrets/artifacthub-pkg.yaml index 260e55393..b28ff7a4d 100644 --- a/other-cel/check-serviceaccount-secrets/artifacthub-pkg.yaml +++ b/other-cel/check-serviceaccount-secrets/artifacthub-pkg.yaml @@ -31,3 +31,4 @@ annotations: kyverno/subject: "Secret,ServiceAccount" digest: 8f7e2e179c7e7fe85cbc8cf05c0b7111301836260fc95f0c50cc35d1894a37c3 createdAt: "2024-03-21T13:47:35Z" + diff --git a/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml b/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml index b3aab98e7..8c66e11ba 100644 --- a/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml +++ b/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml @@ -31,3 +31,4 @@ spec: expressions: - expression: "!has(object.secrets)" message: "Long-lived API tokens are not allowed." + diff --git a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/bad-secret.yaml b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/bad-secret.yaml index 50e52dc34..041b05a63 100644 --- a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/bad-secret.yaml 
+++ b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/bad-secret.yaml @@ -4,4 +4,5 @@ metadata: name: bad-secret annotations: kubernetes.io/service-account.name: build-robot -type: kubernetes.io/service-account-token \ No newline at end of file +type: kubernetes.io/service-account-token + diff --git a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml index 7ddb34f91..701fc765e 100644 --- a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml @@ -29,3 +29,4 @@ spec: - check: ($error != null): true file: bad-secret.yaml + diff --git a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/good-secret.yaml b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/good-secret.yaml index 8ac352371..03ae03cfe 100644 --- a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/good-secret.yaml +++ b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/good-secret.yaml @@ -5,4 +5,5 @@ metadata: type: kubernetes.io/basic-auth stringData: username: admin - password: t0p-Secret \ No newline at end of file + password: t0p-Secret + diff --git a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml index 20cbb81b1..7a079f736 100644 --- a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml +++ b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml @@ -3,4 +3,5 @@ kind: ClusterPolicy metadata: name: deny-secret-service-account-token-type status: - ready: true \ No newline at end of file + ready: true + 
diff --git a/other-cel/deny-secret-service-account-token-type/.kyverno-test/kyverno-test.yaml b/other-cel/deny-secret-service-account-token-type/.kyverno-test/kyverno-test.yaml index efb0e7773..5d5cee243 100644 --- a/other-cel/deny-secret-service-account-token-type/.kyverno-test/kyverno-test.yaml +++ b/other-cel/deny-secret-service-account-token-type/.kyverno-test/kyverno-test.yaml @@ -18,4 +18,5 @@ results: resources: - good-secret result: pass - rule: deny-secret-service-account-token-type \ No newline at end of file + rule: deny-secret-service-account-token-type + diff --git a/other-cel/deny-secret-service-account-token-type/.kyverno-test/resource.yaml b/other-cel/deny-secret-service-account-token-type/.kyverno-test/resource.yaml index c0667a55a..a3e3b7240 100644 --- a/other-cel/deny-secret-service-account-token-type/.kyverno-test/resource.yaml +++ b/other-cel/deny-secret-service-account-token-type/.kyverno-test/resource.yaml @@ -13,4 +13,5 @@ metadata: type: kubernetes.io/basic-auth stringData: username: admin - password: t0p-Secret \ No newline at end of file + password: t0p-Secret + diff --git a/other-cel/deny-secret-service-account-token-type/artifacthub-pkg.yaml b/other-cel/deny-secret-service-account-token-type/artifacthub-pkg.yaml index 79870e861..66552de5a 100644 --- a/other-cel/deny-secret-service-account-token-type/artifacthub-pkg.yaml +++ b/other-cel/deny-secret-service-account-token-type/artifacthub-pkg.yaml @@ -28,4 +28,5 @@ annotations: kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Secret, ServiceAccount" digest: 16324f38031f70d4a971bde9673ca51e70455478b832a005cbb415ee901f5e56 -createdAt: "2024-03-22T07:40:19Z" \ No newline at end of file +createdAt: "2024-03-22T07:40:19Z" + diff --git a/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml b/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml index fbd371e1f..5f5a76657 100644 
--- a/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml +++ b/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml @@ -30,4 +30,4 @@ spec: expressions: - expression: "object.type != 'kubernetes.io/service-account-token'" message: "Secret ServiceAccount token type is not allowed." - \ No newline at end of file + diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml index 845434f8e..a735a05e2 100755 --- a/other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml @@ -36,3 +36,4 @@ spec: - check: ($error != null): true file: podcontrollers-bad.yaml + diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml index eacd6b86e..214c97602 100644 --- a/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml +++ b/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml @@ -186,4 +186,5 @@ spec: - name: foo-vol secret: secretName: foo-secret - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure + diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml index 093487967..62db85c4b 100644 --- a/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml +++ b/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml @@ -172,4 +172,5 @@ spec: - name: foo-vol emptyDir: sizeLimit: 100Mi - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure + diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/pods-bad.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/pods-bad.yaml index a82e4e342..124a1c3d7 100644 
--- a/other-cel/disallow-all-secrets/.chainsaw-test/pods-bad.yaml +++ b/other-cel/disallow-all-secrets/.chainsaw-test/pods-bad.yaml @@ -93,4 +93,5 @@ spec: volumes: - name: foo-vol secret: - secretName: foo-secret \ No newline at end of file + secretName: foo-secret + diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/pods-good.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/pods-good.yaml index cb3bb22ee..3dbc1f932 100644 --- a/other-cel/disallow-all-secrets/.chainsaw-test/pods-good.yaml +++ b/other-cel/disallow-all-secrets/.chainsaw-test/pods-good.yaml @@ -68,4 +68,5 @@ spec: volumes: - name: foo-vol emptyDir: - sizeLimit: 100Mi \ No newline at end of file + sizeLimit: 100Mi + diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/policy-ready.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/policy-ready.yaml index 1f88265d6..a6c46920f 100755 --- a/other-cel/disallow-all-secrets/.chainsaw-test/policy-ready.yaml +++ b/other-cel/disallow-all-secrets/.chainsaw-test/policy-ready.yaml @@ -4,3 +4,4 @@ metadata: name: no-secrets status: ready: true + diff --git a/other-cel/disallow-all-secrets/.kyverno-test/kyverno-test.yaml b/other-cel/disallow-all-secrets/.kyverno-test/kyverno-test.yaml index a2c61f16f..92a1574c1 100644 --- a/other-cel/disallow-all-secrets/.kyverno-test/kyverno-test.yaml +++ b/other-cel/disallow-all-secrets/.kyverno-test/kyverno-test.yaml @@ -21,3 +21,4 @@ results: - default/good-pod result: pass rule: secrets-not-from-env-envFrom-and-volumes + diff --git a/other-cel/disallow-all-secrets/.kyverno-test/resource.yaml b/other-cel/disallow-all-secrets/.kyverno-test/resource.yaml index 7be4f45d8..868b535ba 100644 --- a/other-cel/disallow-all-secrets/.kyverno-test/resource.yaml +++ b/other-cel/disallow-all-secrets/.kyverno-test/resource.yaml @@ -59,4 +59,4 @@ spec: containers: - name: test-container image: registry.k8s.io/busybox - \ No newline at end of file + 
diff --git a/other-cel/disallow-all-secrets/artifacthub-pkg.yml b/other-cel/disallow-all-secrets/artifacthub-pkg.yml index 02f3b5f32..4d98a3cc0 100644 --- a/other-cel/disallow-all-secrets/artifacthub-pkg.yml +++ b/other-cel/disallow-all-secrets/artifacthub-pkg.yml @@ -19,5 +19,6 @@ annotations: kyverno/category: "Other in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod, Secret" -digest: 13bb4eb1babbb2a6c58887ef83bc61d8e4e6252d9353bf8e2ef92480f4798458 +digest: 298fbab361ee9e46721a4afb06212ac6689988f87f257709b82624ef5393ebd5 createdAt: "2024-03-23T11:14:09Z" + diff --git a/other-cel/disallow-all-secrets/disallow-all-secrets.yaml b/other-cel/disallow-all-secrets/disallow-all-secrets.yaml index 7c03b01c8..944ac4aeb 100644 --- a/other-cel/disallow-all-secrets/disallow-all-secrets.yaml +++ b/other-cel/disallow-all-secrets/disallow-all-secrets.yaml @@ -47,4 +47,4 @@ spec: - expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.secret))" message: "No Secrets from volumes." - \ No newline at end of file + diff --git a/other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml b/other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml index c8f4bd17b..a6d9212c5 100755 --- a/other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml @@ -29,3 +29,4 @@ spec: - check: ($error != null): true file: svc-bad.yaml + diff --git a/other-cel/disallow-localhost-services/.chainsaw-test/policy-ready.yaml b/other-cel/disallow-localhost-services/.chainsaw-test/policy-ready.yaml index 730a95d13..34d9089d2 100755 --- a/other-cel/disallow-localhost-services/.chainsaw-test/policy-ready.yaml +++ b/other-cel/disallow-localhost-services/.chainsaw-test/policy-ready.yaml @@ -4,3 +4,4 @@ metadata: name: no-localhost-service status: ready: true + 
diff --git a/other-cel/disallow-localhost-services/.chainsaw-test/svc-bad.yaml b/other-cel/disallow-localhost-services/.chainsaw-test/svc-bad.yaml index e55c2d3a6..c3e2722a4 100644 --- a/other-cel/disallow-localhost-services/.chainsaw-test/svc-bad.yaml +++ b/other-cel/disallow-localhost-services/.chainsaw-test/svc-bad.yaml @@ -4,4 +4,5 @@ metadata: name: badsvc01 spec: type: ExternalName - externalName: localhost \ No newline at end of file + externalName: localhost + diff --git a/other-cel/disallow-localhost-services/.chainsaw-test/svc-good.yaml b/other-cel/disallow-localhost-services/.chainsaw-test/svc-good.yaml index d7cf54557..cc1c8774d 100644 --- a/other-cel/disallow-localhost-services/.chainsaw-test/svc-good.yaml +++ b/other-cel/disallow-localhost-services/.chainsaw-test/svc-good.yaml @@ -30,4 +30,5 @@ metadata: name: goodsvc03 spec: type: ExternalName - externalName: foo.bar.com \ No newline at end of file + externalName: foo.bar.com + diff --git a/other-cel/disallow-localhost-services/.kyverno-test/kyverno-test.yaml b/other-cel/disallow-localhost-services/.kyverno-test/kyverno-test.yaml index 49d2f2b69..08a0aff38 100644 --- a/other-cel/disallow-localhost-services/.kyverno-test/kyverno-test.yaml +++ b/other-cel/disallow-localhost-services/.kyverno-test/kyverno-test.yaml @@ -19,3 +19,4 @@ results: - my-np-service result: pass rule: no-localhost-service + diff --git a/other-cel/disallow-localhost-services/.kyverno-test/resource.yaml b/other-cel/disallow-localhost-services/.kyverno-test/resource.yaml index bafd69c52..c7ad17280 100644 --- a/other-cel/disallow-localhost-services/.kyverno-test/resource.yaml +++ b/other-cel/disallow-localhost-services/.kyverno-test/resource.yaml @@ -17,4 +17,5 @@ spec: ports: - port: 80 targetPort: 80 - protocol: TCP \ No newline at end of file + protocol: TCP + diff --git a/other-cel/disallow-localhost-services/artifacthub-pkg.yml b/other-cel/disallow-localhost-services/artifacthub-pkg.yml index 536ccc111..f27b28fb1 100644 
--- a/other-cel/disallow-localhost-services/artifacthub-pkg.yml +++ b/other-cel/disallow-localhost-services/artifacthub-pkg.yml @@ -19,5 +19,6 @@ annotations: kyverno/category: "Sample in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Service" -digest: e5c4679a38d53063daba829f97e43a3de8874b698f035674c885bdbe62bfe473 +digest: 6987150bedeaf5bafe4c819cc48b6c2660de1a66b007f24807d88d7a0407a3ba createdAt: "2024-03-23T12:17:54Z" + diff --git a/other-cel/disallow-localhost-services/disallow-localhost-services.yaml b/other-cel/disallow-localhost-services/disallow-localhost-services.yaml index fc7461e05..b2cdc2315 100644 --- a/other-cel/disallow-localhost-services/disallow-localhost-services.yaml +++ b/other-cel/disallow-localhost-services/disallow-localhost-services.yaml @@ -28,4 +28,4 @@ spec: expressions: - expression: "object.spec.type != 'ExternalName' || object.spec.externalName != 'localhost'" message: "Service of type ExternalName cannot point to localhost." - \ No newline at end of file + diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml index 31ffa4e26..d52d2fab8 100755 --- a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml @@ -36,3 +36,4 @@ spec: - check: ($error != null): true file: podcontrollers-bad.yaml + diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml index ac31368ed..f2d6ff74a 100644 --- a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml +++ b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml 
@@ -100,4 +100,5 @@ spec: name: foo - image: busybox:1.35 name: busybox02 - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure + diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml index 4c20ae23e..d5b7d27aa 100644 --- a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml +++ b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml @@ -92,4 +92,5 @@ spec: name: foo-bar - image: busybox:1.35 name: busybox02 - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure + diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml index f4c4db620..26f0cbf6e 100644 --- a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml +++ b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml @@ -47,4 +47,5 @@ spec: valueFrom: secretKeyRef: name: foo - key: pass \ No newline at end of file + key: pass + diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml index c6573bf3f..6a02634ee 100644 --- a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml +++ b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml @@ -37,4 +37,5 @@ spec: - configMapRef: name: foo-bar - image: busybox:1.35 - name: busybox02 \ No newline at end of file + name: busybox02 + diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml index f8d45db5d..5ee01d320 100755 --- a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml 
+++ b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml @@ -4,3 +4,4 @@ metadata: name: secrets-not-from-env-vars status: ready: true + diff --git a/other-cel/disallow-secrets-from-env-vars/.kyverno-test/kyverno-test.yaml b/other-cel/disallow-secrets-from-env-vars/.kyverno-test/kyverno-test.yaml index c2a303dbe..b0fb70fb4 100644 --- a/other-cel/disallow-secrets-from-env-vars/.kyverno-test/kyverno-test.yaml +++ b/other-cel/disallow-secrets-from-env-vars/.kyverno-test/kyverno-test.yaml @@ -20,4 +20,4 @@ results: - default/good-pod result: pass rule: secrets-not-from-env-vars - \ No newline at end of file + diff --git a/other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml b/other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml index 279a23b62..2da9f7c41 100644 --- a/other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml +++ b/other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml @@ -20,5 +20,6 @@ annotations: kyverno/category: "Sample, EKS Best Practices in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod, Secret" -digest: 7a8d2c6c16cc66744f7e274ed11d0065c1dc408644746c43effc25fb4261bb01 +digest: 52e12553f5be68f8e155a88f87e81eefeb8008acea66939a570d597afe16184b createdAt: "2024-03-24T16:54:45Z" + diff --git a/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml b/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml index e936f8c3e..0f03a8b7e 100644 --- a/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml +++ b/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml @@ -30,4 +30,4 @@ spec: message: "Secrets must be mounted as volumes, not as environment variables." - expression: "object.spec.containers.all(container, !has(container.envFrom) || container.envFrom.all(envFrom, !has(envFrom.secretRef)))" message: "Secrets must not come from envFrom statements." - \ No newline at end of file + 
diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml index ada8288d6..0fb756232 100755 --- a/other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml @@ -36,3 +36,4 @@ spec: - check: ($error != null): true file: podcontrollers-bad.yaml + diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml index 43d50e08b..61e78696a 100644 --- a/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml +++ b/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml @@ -92,4 +92,5 @@ spec: - name: docker-vol hostPath: path: "/var/run/docker.sock" - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure + diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml index a0275658f..381f46442 100644 --- a/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml +++ b/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml @@ -94,4 +94,5 @@ spec: - name: foo-vol hostPath: path: "/var/foo/bar" - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure + diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml index c44eeaa2a..a6a3bf162 100644 --- a/other-cel/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml +++ b/other-cel/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml 
@@ -28,4 +28,5 @@ spec: path: "/var/foo/bar" - name: docker-vol hostPath: - path: "/var/run/docker.sock" \ No newline at end of file + path: "/var/run/docker.sock" + diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/pods-good.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/pods-good.yaml index 1860c831f..79e584641 100644 --- a/other-cel/docker-socket-requires-label/.chainsaw-test/pods-good.yaml +++ b/other-cel/docker-socket-requires-label/.chainsaw-test/pods-good.yaml @@ -52,4 +52,5 @@ spec: path: "/var/foo/bar" - name: docker-vol hostPath: - path: "/var/run/docker.sock" \ No newline at end of file + path: "/var/run/docker.sock" + diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml index e73d54241..8698d373a 100755 --- a/other-cel/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml +++ b/other-cel/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml @@ -4,3 +4,4 @@ metadata: name: docker-socket-check status: ready: true + diff --git a/other-cel/docker-socket-requires-label/.kyverno-test/resource.yaml b/other-cel/docker-socket-requires-label/.kyverno-test/resource.yaml index 0d121f481..cdd3bc0ec 100644 --- a/other-cel/docker-socket-requires-label/.kyverno-test/resource.yaml +++ b/other-cel/docker-socket-requires-label/.kyverno-test/resource.yaml @@ -71,3 +71,4 @@ spec: - hostPath: path: /var/run/docker.sock name: test + diff --git a/other-cel/docker-socket-requires-label/artifacthub-pkg.yml b/other-cel/docker-socket-requires-label/artifacthub-pkg.yml index 98b509851..0a0e379c8 100644 --- a/other-cel/docker-socket-requires-label/artifacthub-pkg.yml +++ b/other-cel/docker-socket-requires-label/artifacthub-pkg.yml 
@@ -19,5 +19,6 @@ annotations:
 kyverno/category: "Other in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: 6453788f2fd528fc85bc30881e012fa625bba4a92700af258b915ef3e9defb34
+digest: d577dea5bad5971c21bc1036f97a85c1701a3fdcb2800ee8b4f0708dc2b58101
 createdAt: "2024-03-27T12:13:52Z"
+
diff --git a/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml b/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml
index 61bd69993..138b36336 100644
--- a/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml
+++ b/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml
@@ -34,3 +34,4 @@ spec:
 expressions:
 - expression: "!variables.hasDockerSocket || variables.isAllowDockerLabelTrue"
 message: "If a hostPath volume exists and is set to `/var/run/docker.sock`, the label `allow-docker` must equal `true`."
+
From 2086b7572ec7bc82425cfabe9823701f2aa39a4f Mon Sep 17 00:00:00 2001
From: Matt Bator
Date: Wed, 8 May 2024 16:30:41 -0400
Subject: [PATCH 34/42] Updating k10-hourly-rpo policy, use NS label instead of Policy label
Signed-off-by: Matt Bator
---
 .../.kyverno-test/backup-export-policy.yaml | 73 -------------------
 kasten/k10-hourly-rpo/artifacthub-pkg.yml | 22 ------
 kasten/k10-hourly-rpo/k10-hourly-rpo.yaml | 32 --------
 .../.kyverno-test/kyverno-test.yaml | 13 ++--
 .../.kyverno-test/test-policies.yaml | 63 ++++++++++++++++
 .../.kyverno-test/test-values.yaml | 10 +++
 kasten/kasten-hourly-rpo/artifacthub-pkg.yml | 24 ++++++
 .../kasten-hourly-rpo/kasten-hourly-rpo.yaml | 46 ++++++++++++
 8 files changed, 150 insertions(+), 133 deletions(-)
 delete mode 100644 kasten/k10-hourly-rpo/.kyverno-test/backup-export-policy.yaml
 delete mode 100644 kasten/k10-hourly-rpo/artifacthub-pkg.yml
 delete mode 100644 kasten/k10-hourly-rpo/k10-hourly-rpo.yaml
 rename kasten/{k10-hourly-rpo => kasten-hourly-rpo}/.kyverno-test/kyverno-test.yaml (57%)
 create mode 100644 kasten/kasten-hourly-rpo/.kyverno-test/test-policies.yaml
 create mode 100644 kasten/kasten-hourly-rpo/.kyverno-test/test-values.yaml
 create mode 100644 kasten/kasten-hourly-rpo/artifacthub-pkg.yml
 create mode 100644 kasten/kasten-hourly-rpo/kasten-hourly-rpo.yaml
diff --git a/kasten/k10-hourly-rpo/.kyverno-test/backup-export-policy.yaml b/kasten/k10-hourly-rpo/.kyverno-test/backup-export-policy.yaml
deleted file mode 100644
index 96430f81a..000000000
--- a/kasten/k10-hourly-rpo/.kyverno-test/backup-export-policy.yaml
+++ /dev/null
@@ -1,73 +0,0 @@ -# An example compliant K10 Policy -apiVersion: config.kio.kasten.io/v1alpha1 -kind: Policy -metadata: - name: hourly-policy - namespace: kasten-io - labels: - appPriority: Mission-Critical -spec: - comment: My sample custom backup policy - frequency: '@hourly' # change this to @daily to test the 'audit_mission_critical_RPO' policy - subFrequency: - minutes: [30] - hours: [22,7] - weekdays: [5] - days: [15] - retention: - daily: 14 - weekly: 4 - monthly: 6 - actions: - - action: backup - - action: export # comment this line out to test 'enforce_3-2-1' policy - exportParameters: - frequency: '@monthly' - profile: - name: my-profile - namespace: kasten-io - exportData: - enabled: true - retention: - monthly: 12 - yearly: 5 - selector: - matchLabels: - k10.kasten.io/appNamespace: sampleApp ---- -# An example compliant K10 Policy -apiVersion: config.kio.kasten.io/v1alpha1 -kind: Policy -metadata: - name: daily-policy - namespace: kasten-io - labels: - appPriority: Mission-Critical -spec: - comment: My sample custom backup policy - frequency: '@daily' # change this to @daily to test the 'audit_mission_critical_RPO' policy - subFrequency: - minutes: [30] - hours: [22,7] - weekdays: [5] - days: [15] - retention: - daily: 14 - weekly: 4 - monthly: 6 - actions: - - action: backup - - action: export # comment this line out to test 'enforce_3-2-1' policy - exportParameters: - frequency: '@monthly' - profile: - name: my-profile - namespace: kasten-io - exportData: - enabled: true - retention: - monthly: 12 - yearly: 5 - selector: - matchLabels: - k10.kasten.io/appNamespace: sampleApp diff --git a/kasten/k10-hourly-rpo/artifacthub-pkg.yml b/kasten/k10-hourly-rpo/artifacthub-pkg.yml deleted file mode 100644 index c16fb3023..000000000 --- a/kasten/k10-hourly-rpo/artifacthub-pkg.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -name: k10-hourly-rpo -version: 1.0.0 -displayName: Check Hourly RPO -createdAt: "2023-04-10T20:12:53.000Z" -description: >- - K10 Policy resources can be educated to adhere to common Recovery Point Objective (RPO) best practices. This policy is advising to use an RPO frequency that with hourly granularity if it has the appPriority: Mission Critical -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/k10-hourly-rpo/k10-hourly-rpo.yaml - ``` -keywords: - - kyverno - - Kasten K10 by Veeam -readme: | - K10 Policy resources can be educated to adhere to common Recovery Point Objective (RPO) best practices. This policy is advising to use an RPO frequency that with hourly granularity if it has the appPriority: Mission Critical - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Kasten K10 by Veeam" - kyverno/kubernetesVersion: "1.21-1.22" - kyverno/subject: "Policy" -digest: 8be5a4f3ab8198e567ab442b59755c08bbb0ef72ff340a5c52821199c7ee80fa diff --git a/kasten/k10-hourly-rpo/k10-hourly-rpo.yaml b/kasten/k10-hourly-rpo/k10-hourly-rpo.yaml deleted file mode 100644 index 05515c682..000000000 --- a/kasten/k10-hourly-rpo/k10-hourly-rpo.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: k10-policy-hourly-rpo - annotations: - policies.kyverno.io/title: Check Hourly RPO - policies.kyverno.io/category: Kasten K10 by Veeam - kyverno.io/kyverno-version: 1.6.2 - policies.kyverno.io/minversion: 1.6.2 - kyverno.io/kubernetes-version: "1.21-1.22" - policies.kyverno.io/subject: Policy - policies.kyverno.io/description: >- - K10 Policy resources can be educated to adhere to common Recovery Point Objective (RPO) best practices. - This policy is advising to use an RPO frequency that with hourly granularity if it has the appPriority: Mission Critical -spec: - validationFailureAction: audit - rules: - - name: k10-policy-hourly-rpo - match: - any: - - resources: - kinds: - - config.kio.kasten.io/v1alpha1/Policy - selector: - matchLabels: - appPriority: Mission-Critical - validate: - message: "Mission Critical RPO frequency should use no shorter than @hourly frequency" - pattern: - spec: - frequency: '@hourly' # In K10, this is checking Hourly at the action: backup level. By default, any action: export will use the action: backup frequency. - diff --git a/kasten/k10-hourly-rpo/.kyverno-test/kyverno-test.yaml b/kasten/kasten-hourly-rpo/.kyverno-test/kyverno-test.yaml similarity index 57% rename from kasten/k10-hourly-rpo/.kyverno-test/kyverno-test.yaml rename to kasten/kasten-hourly-rpo/.kyverno-test/kyverno-test.yaml index 965e355f5..f8a516ef4 100644 --- a/kasten/k10-hourly-rpo/.kyverno-test/kyverno-test.yaml +++ b/kasten/kasten-hourly-rpo/.kyverno-test/kyverno-test.yaml 
@@ -3,19 +3,20 @@ kind: Test metadata: name: kyverno_data_protection_tests policies: -- ../k10-hourly-rpo.yaml +- ../kasten-hourly-rpo.yaml resources: -- backup-export-policy.yaml +- test-policies.yaml results: - kind: Policy - policy: k10-policy-hourly-rpo + policy: kasten-hourly-rpo resources: - daily-policy result: fail - rule: k10-policy-hourly-rpo + rule: kasten-hourly-rpo - kind: Policy - policy: k10-policy-hourly-rpo + policy: kasten-hourly-rpo resources: - hourly-policy result: pass - rule: k10-policy-hourly-rpo + rule: kasten-hourly-rpo +variables: test-values.yaml diff --git a/kasten/kasten-hourly-rpo/.kyverno-test/test-policies.yaml b/kasten/kasten-hourly-rpo/.kyverno-test/test-policies.yaml new file mode 100644 index 000000000..d08547c9e --- /dev/null +++ b/kasten/kasten-hourly-rpo/.kyverno-test/test-policies.yaml @@ -0,0 +1,63 @@ +apiVersion: config.kio.kasten.io/v1alpha1 +kind: Policy +metadata: + name: daily-policy + namespace: kasten-io +spec: + frequency: '@daily' + retention: + daily: 14 + weekly: 4 + monthly: 6 + actions: + - action: backup + - action: export + exportParameters: + frequency: '@monthly' + profile: + name: my-profile + namespace: kasten-io + exportData: + enabled: true + retention: + monthly: 12 + yearly: 5 + selector: + matchExpressions: + - key: k10.kasten.io/appNamespace + operator: In + values: + - app-1 + - app-2 +--- +apiVersion: config.kio.kasten.io/v1alpha1 +kind: Policy +metadata: + name: hourly-policy + namespace: kasten-io +spec: + frequency: '@hourly' + retention: + daily: 14 + weekly: 4 + monthly: 6 + actions: + - action: backup + - action: export + exportParameters: + frequency: '@monthly' + profile: + name: my-profile + namespace: kasten-io + exportData: + enabled: true + retention: + monthly: 12 + yearly: 5 + selector: + matchExpressions: + - key: k10.kasten.io/appNamespace + operator: In + values: + - app-1 + - app-2 \ No newline at end of file 
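Review bot: Both fixtures in test-policies.yaml select exactly `app-1` and `app-2`, the same names test-values.yaml feeds into `namespacesWithPriorityLabel`, so the only difference between the `fail` and `pass` results is `frequency`; the branch the `AnyIn` condition exists for — a non-hourly Policy whose namespaces carry no priority label, which must be admitted — is not covered. Consider a third Policy in test-policies.yaml, e.g. `name: daily-noncritical-policy` with `frequency: '@daily'` and `values: [app-3]`, and a matching `result: pass` entry in kyverno-test.yaml. test-policies.yaml also ends without a trailing newline.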
diff --git a/kasten/kasten-hourly-rpo/.kyverno-test/test-values.yaml b/kasten/kasten-hourly-rpo/.kyverno-test/test-values.yaml new file mode 100644 index 000000000..ad24733e0 --- /dev/null +++ b/kasten/kasten-hourly-rpo/.kyverno-test/test-values.yaml @@ -0,0 +1,10 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values +policies: +- name: kasten-hourly-rpo + rules: + - name: kasten-hourly-rpo + values: + namespacesWithPriorityLabel: + - app-1 + - app-2 diff --git a/kasten/kasten-hourly-rpo/artifacthub-pkg.yml b/kasten/kasten-hourly-rpo/artifacthub-pkg.yml new file mode 100644 index 000000000..2d4895e09 --- /dev/null +++ b/kasten/kasten-hourly-rpo/artifacthub-pkg.yml 
@@ -0,0 +1,24 @@
+name: k10-hourly-rpo
+version: 1.0.1
+displayName: Check Hourly RPO
+createdAt: "2023-05-07T00:00:00.000Z"
+description: >-
+ Kasten Policy resources can be required to adhere to common Recovery Point Objective (RPO) best practices.
+ This example policy validates that the Policy is set to run hourly if it explicitly protects any namespaces containing the `appPriority=critical` label. This policy can be adapted to enforce any Kasten Policy requirements based on a namespace label.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/kasten-hourly-rpo/kasten-hourly-rpo.yaml
+ ```
+keywords:
+ - kyverno
+ - Veeam Kasten
+readme: |
+ Kasten Policy resources can be required to adhere to common Recovery Point Objective (RPO) best practices.
+ This example policy validates that the Policy is set to run hourly if it explicitly protects any namespaces containing the `appPriority=critical` label. This policy can be adapted to enforce any Kasten Policy requirements based on a namespace label.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Veeam Kasten"
+ kyverno/kubernetesVersion: "1.25-1.30"
+ kyverno/subject: "Policy"
+digest: 4425c169fa2db1bac821bed041d6fce2bf37c471f6b9503379ffac05ce4ca9e9
diff --git a/kasten/kasten-hourly-rpo/kasten-hourly-rpo.yaml b/kasten/kasten-hourly-rpo/kasten-hourly-rpo.yaml
new file mode 100644
index 000000000..127b7a8f1
--- /dev/null
+++ b/kasten/kasten-hourly-rpo/kasten-hourly-rpo.yaml
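Review bot: `name: k10-hourly-rpo` keeps the pre-rename package name while the directory, the `kubectl apply` URL in `install` and the ClusterPolicy are all `kasten-hourly-rpo`, so the package would be published under the old identifier; change it to `name: kasten-hourly-rpo`. `kyverno/kubernetesVersion: "1.25-1.30"` also disagrees with the policy's own `kyverno.io/kubernetes-version: "1.24-1.30"` in kasten-hourly-rpo.yaml; pick one range for both files. The `digest` value will presumably need regenerating after either edit.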
@@ -0,0 +1,46 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: kasten-hourly-rpo
+ annotations:
+ policies.kyverno.io/title: Check Kasten Policy RPO based on Namespace Label
+ policies.kyverno.io/category: Veeam Kasten
+ kyverno.io/kyverno-version: 1.12.1
+ policies.kyverno.io/minversion: 1.12.0
+ kyverno.io/kubernetes-version: "1.24-1.30"
+ policies.kyverno.io/subject: Policy
+ policies.kyverno.io/description: >-
+ Kasten Policy resources can be required to adhere to common Recovery Point Objective (RPO) best practices.
+ This example policy validates that the Policy is set to run hourly if it explicitly protects any namespaces containing the `appPriority=critical` label. This policy can be adapted to enforce any Kasten Policy requirements based on a namespace label.
+spec:
+ validationFailureAction: Enforce
+ rules:
+ - name: kasten-hourly-rpo
+ match:
+ any:
+ - resources:
+ kinds:
+ - config.kio.kasten.io/v1alpha1/Policy
+ context:
+ - name: namespacesWithPriorityLabel # Get list of namespaces with appPriority=critical label
+ apiCall:
+ urlPath: "/api/v1/namespaces?labelSelector=appPriority%3Dcritical"
+ jmesPath: "items[].metadata.name"
+ preconditions:
+ any:
+ - key: "{{ length(namespacesWithPriorityLabel) }}"
+ operator: GreaterThan
+ value: 0 # Only proceed if namespaces with appPriority=critical label exist
+ validate:
+ message: "Mission Critical RPO frequency should use no shorter than @hourly frequency"
+ foreach:
+ - list: "request.object.spec.selector.matchExpressions[0].values"
+ deny:
+ conditions:
+ all: # Deny admission if the policy is not hourly AND any namespaces listed in the Policy contain the appPriority=critical label
+ - key: "{{ element }}"
+ operator: AnyIn
+ value: "{{ namespacesWithPriorityLabel }}"
+ - key: "{{ request.object.spec.frequency }}"
+ operator: NotEquals
+ value: '@hourly'
\ No newline at end of file
From c619908744689c381bb59ea8d6bea1b94c8d5fa5 Mon Sep 17 00:00:00 2001
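Review bot: The foreach list `request.object.spec.selector.matchExpressions[0].values` only reads the values of the first matchExpression, so a Kasten Policy that names namespaces through `selector.matchLabels` (the form the pre-rename fixtures used), through a second matchExpression, or with an operator other than `In` is never compared against `namespacesWithPriorityLabel`, and a non-hourly Policy protecting a critical namespace is admitted. A list that covers every expression on the namespace key, e.g. `list: "request.object.spec.selector.matchExpressions[?key=='k10.kasten.io/appNamespace'].values[]"`, plus a second foreach or rule for the `matchLabels` form, would close the gap; the `operator` should be checked as well, since `NotIn` with a critical namespace would otherwise trigger a deny. The `apiCall` runs with Kyverno's own service account, so the rule silently depends on that account being allowed to list namespaces; worth stating in the description. The file is also written without a trailing newline.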
From: Matt Bator Date: Wed, 8 May 2024 16:32:10 -0400 Subject: [PATCH 35/42] Update chainsaw test, add namespace with appPriority label Signed-off-by: Matt Bator --- .../chainsaw-step-01-assert-1.yaml | 2 +- .../chainsaw-step-01-assert-2.yaml | 0 .../.chainsaw-test/chainsaw-test.yaml | 6 +++-- .../.chainsaw-test/k10-bad-policy.yaml | 18 ++++++--------- .../.chainsaw-test/k10-good-policy.yaml | 22 ++++++++----------- .../kasten-hourly-rpo/.chainsaw-test/ns.yaml | 6 +++++ 6 files changed, 27 insertions(+), 27 deletions(-) rename kasten/{k10-hourly-rpo => kasten-hourly-rpo}/.chainsaw-test/chainsaw-step-01-assert-1.yaml (72%) rename kasten/{k10-hourly-rpo => kasten-hourly-rpo}/.chainsaw-test/chainsaw-step-01-assert-2.yaml (100%) rename kasten/{k10-hourly-rpo => kasten-hourly-rpo}/.chainsaw-test/chainsaw-test.yaml (87%) rename kasten/{k10-hourly-rpo => kasten-hourly-rpo}/.chainsaw-test/k10-bad-policy.yaml (61%) rename kasten/{k10-hourly-rpo => kasten-hourly-rpo}/.chainsaw-test/k10-good-policy.yaml (55%) create mode 100644 kasten/kasten-hourly-rpo/.chainsaw-test/ns.yaml diff --git a/kasten/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml similarity index 72% rename from kasten/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 3fa1c7221..c1bc4202f 100755 --- a/kasten/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -1,6 +1,6 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: k10-policy-hourly-rpo + name: kasten-hourly-rpo status: ready: true 
diff --git a/kasten/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-2.yaml similarity index 100% rename from kasten/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-2.yaml rename to kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-2.yaml diff --git a/kasten/k10-hourly-rpo/.chainsaw-test/chainsaw-test.yaml b/kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-test.yaml similarity index 87% rename from kasten/k10-hourly-rpo/.chainsaw-test/chainsaw-test.yaml rename to kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-test.yaml index 8630e0e9a..569383ef7 100755 --- a/kasten/k10-hourly-rpo/.chainsaw-test/chainsaw-test.yaml +++ b/kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-test.yaml @@ -9,13 +9,13 @@ spec: - name: step-01 try: - apply: - file: ../k10-hourly-rpo.yaml + file: ../kasten-hourly-rpo.yaml - patch: resource: apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: k10-policy-hourly-rpo + name: kasten-hourly-rpo spec: validationFailureAction: Enforce - assert: @@ -24,6 +24,8 @@ spec: file: chainsaw-step-01-assert-2.yaml - name: step-02 try: + - apply: + file: ns.yaml - apply: file: k10-good-policy.yaml - apply: diff --git a/kasten/k10-hourly-rpo/.chainsaw-test/k10-bad-policy.yaml b/kasten/kasten-hourly-rpo/.chainsaw-test/k10-bad-policy.yaml similarity index 61% rename from kasten/k10-hourly-rpo/.chainsaw-test/k10-bad-policy.yaml rename to kasten/kasten-hourly-rpo/.chainsaw-test/k10-bad-policy.yaml index 1bc2dd2d6..c0dc1434f 100644 --- a/kasten/k10-hourly-rpo/.chainsaw-test/k10-bad-policy.yaml +++ b/kasten/kasten-hourly-rpo/.chainsaw-test/k10-bad-policy.yaml 
@@ -1,17 +1,10 @@ apiVersion: config.kio.kasten.io/v1alpha1 kind: Policy metadata: - name: k10-hourlyrpo-badpolicy01 - labels: - appPriority: Mission-Critical + name: daily-policy + namespace: kasten-io spec: - comment: My sample custom backup policy frequency: '@daily' - subFrequency: - minutes: [30] - hours: [22,7] - weekdays: [5] - days: [15] retention: daily: 14 weekly: 4 @@ -30,5 +23,8 @@ spec: monthly: 12 yearly: 5 selector: - matchLabels: - k10.kasten.io/appNamespace: sampleApp \ No newline at end of file + matchExpressions: + - key: k10.kasten.io/appNamespace + operator: In + values: + - test-namespace \ No newline at end of file diff --git a/kasten/k10-hourly-rpo/.chainsaw-test/k10-good-policy.yaml b/kasten/kasten-hourly-rpo/.chainsaw-test/k10-good-policy.yaml similarity index 55% rename from kasten/k10-hourly-rpo/.chainsaw-test/k10-good-policy.yaml rename to kasten/kasten-hourly-rpo/.chainsaw-test/k10-good-policy.yaml index 8acf13284..95d465155 100644 --- a/kasten/k10-hourly-rpo/.chainsaw-test/k10-good-policy.yaml +++ b/kasten/kasten-hourly-rpo/.chainsaw-test/k10-good-policy.yaml @@ -1,24 +1,17 @@ apiVersion: config.kio.kasten.io/v1alpha1 kind: Policy metadata: - name: k10-hourlyrpo-goodpolicy01 - labels: - appPriority: Mission-Critical + name: hourly-policy + namespace: kasten-io spec: - comment: My sample custom backup policy - frequency: '@hourly' - subFrequency: - minutes: [30] - hours: [22,7] - weekdays: [5] - days: [15] + frequency: '@hourly' retention: daily: 14 weekly: 4 monthly: 6 actions: - action: backup - - action: export + - action: export exportParameters: frequency: '@monthly' profile: @@ -30,5 +23,8 @@ spec: monthly: 12 yearly: 5 selector: - matchLabels: - k10.kasten.io/appNamespace: sampleApp \ No newline at end of file + matchExpressions: + - key: k10.kasten.io/appNamespace + operator: In + values: + - test-namespace \ No newline at end of file 
diff --git a/kasten/kasten-hourly-rpo/.chainsaw-test/ns.yaml b/kasten/kasten-hourly-rpo/.chainsaw-test/ns.yaml new file mode 100644 index 000000000..2d94dcf24 --- /dev/null +++ b/kasten/kasten-hourly-rpo/.chainsaw-test/ns.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-namespace + labels: + appPriority: critical \ No newline at end of file From beb577cdfb708b6b2bad7f8377a823f6bd67fe4c Mon Sep 17 00:00:00 2001 From: Matt Bator Date: Wed, 8 May 2024 17:17:12 -0400 Subject: [PATCH 36/42] Add kasten-io namespace to chainsaw test Signed-off-by: Matt Bator --- kasten/kasten-hourly-rpo/.chainsaw-test/ns.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/kasten/kasten-hourly-rpo/.chainsaw-test/ns.yaml b/kasten/kasten-hourly-rpo/.chainsaw-test/ns.yaml index 2d94dcf24..6c8985d11 100644 --- a/kasten/kasten-hourly-rpo/.chainsaw-test/ns.yaml +++ b/kasten/kasten-hourly-rpo/.chainsaw-test/ns.yaml @@ -3,4 +3,9 @@ kind: Namespace metadata: name: test-namespace labels: - appPriority: critical \ No newline at end of file + appPriority: critical +--- +apiVersion: v1 +kind: Namespace +metadata: + name: kasten-io \ No newline at end of file From ffb9a0bc5b098e7a3608fc58e59f1a13043b2df9 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 15 May 2024 19:30:06 +0530 Subject: [PATCH 37/42] feat: add other policies in CEL expressions - Part 3 (#961) * add CI test for directories starting with m to q in other-cel folder Signed-off-by: Chandan-DK * copy metadata-match-regex Signed-off-by: Chandan-DK * convert metadata-match-regex to cel Signed-off-by: Chandan-DK * add kyverno tests for metadata-match-regex Signed-off-by: Chandan-DK * copy pdb-maxunavailable Signed-off-by: Chandan-DK * convert pdb-maxunavailable to cel Signed-off-by: Chandan-DK * copy prevent-bare-pods Signed-off-by: Chandan-DK * convert prevent-bare-pods to cel Signed-off-by: Chandan-DK * add kyverno tests for prevent-bare-pods 
Signed-off-by: Chandan-DK * copy memory-requests-equal-limits Signed-off-by: Chandan-DK * convert memory-requests-equal-limits to cel Signed-off-by: Chandan-DK * copy prevent-cr8escape Signed-off-by: Chandan-DK * convert prevent-cr8escape to cel Signed-off-by: Chandan-DK * rename files for clarity Signed-off-by: Chandan-DK * add a new line at the end of files Signed-off-by: Chandan-DK * fix lint Signed-off-by: Chandan-DK --------- 
Signed-off-by: Chandan-DK Co-authored-by: Mariam Fahmy --- .github/workflows/test.yml | 1 + .../.chainsaw-test/chainsaw-test.yaml | 39 ++++++++++ .../.chainsaw-test/pod-bad.yaml | 77 +++++++++++++++++++ .../.chainsaw-test/pod-good.yaml | 46 +++++++++++ .../.chainsaw-test/podcontroller-bad.yaml | 60 +++++++++++++++ .../.chainsaw-test/podcontroller-good.yaml | 64 +++++++++++++++ .../.chainsaw-test/policy-ready.yaml | 7 ++ .../.kyverno-test/kyverno-test.yaml | 28 +++++++ .../.kyverno-test/resource.yaml | 73 ++++++++++++++++++ .../artifacthub-pkg.yml | 24 ++++++ .../memory-requests-equal-limits.yaml | 38 +++++++++ .../.chainsaw-test/chainsaw-test.yaml | 39 ++++++++++ .../.chainsaw-test/pod-bad.yaml | 42 ++++++++++ .../.chainsaw-test/pod-good.yaml | 22 ++++++ .../.chainsaw-test/podcontroller-bad.yaml | 40 ++++++++++ .../.chainsaw-test/podcontroller-good.yaml | 40 ++++++++++ .../.chainsaw-test/policy-ready.yaml | 7 ++ .../.kyverno-test/kyverno-test.yaml | 53 +++++++++++++ .../metadata-match-regex/artifacthub-pkg.yml | 24 ++++++ .../metadata-match-regex.yaml | 35 +++++++++ .../.chainsaw-test/chainsaw-test.yaml | 32 ++++++++ .../.chainsaw-test/pdb-bad.yaml | 7 ++ .../.chainsaw-test/pdb-good.yaml | 14 ++++ .../.chainsaw-test/policy-ready.yaml | 7 ++ .../.kyverno-test/kyverno-test.yaml | 24 ++++++ .../.kyverno-test/resource.yaml | 43 +++++++++++ .../pdb-maxunavailable/artifacthub-pkg.yml | 24 ++++++ .../pdb-maxunavailable.yaml | 31 ++++++++ .../.chainsaw-test/chainsaw-test.yaml | 47 +++++++++++ .../.chainsaw-test/deployment.yaml | 23 ++++++ .../prevent-bare-pods/.chainsaw-test/ns.yaml | 5 ++ .../.chainsaw-test/pod-bad.yaml | 9 +++ .../.chainsaw-test/pod-good.yaml | 14 ++++ .../.chainsaw-test/policy-ready.yaml | 7 ++ .../.kyverno-test/kyverno-test.yaml | 23 ++++++ .../prevent-bare-pods/artifacthub-pkg.yml | 25 ++++++ .../prevent-bare-pods/prevent-bare-pods.yaml | 34 ++++++++ .../.chainsaw-test/chainsaw-test.yaml | 31 ++++++++ .../.chainsaw-test/podcontroller-bad.yaml | 48 
++++++++++++ .../.chainsaw-test/podcontroller-good.yaml | 48 ++++++++++++ .../.chainsaw-test/pods-bad.yaml | 30 ++++++++ .../.chainsaw-test/pods-good.yaml | 35 +++++++++ .../.chainsaw-test/policy-ready.yaml | 10 +++ .../.kyverno-test/kyverno-test.yaml | 23 ++++++ .../.kyverno-test/resources.yaml | 39 ++++++++++ .../prevent-cr8escape/artifacthub-pkg.yml | 24 ++++++ .../prevent-cr8escape/prevent-cr8escape.yaml | 35 +++++++++ .../.kyverno-test/kyverno-test.yaml | 46 +++++++++++ .../.chainsaw-test/pod-good.yaml | 2 +- .../.kyverno-test/kyverno-test.yaml | 23 ++++++ .../.kyverno-test/kyverno-test.yaml | 2 +- 51 files changed, 1522 insertions(+), 2 deletions(-) create mode 100755 other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml create mode 100644 other-cel/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml create mode 100644 other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml create mode 100644 other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml create mode 100755 other-cel/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml create mode 100644 other-cel/memory-requests-equal-limits/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/memory-requests-equal-limits/.kyverno-test/resource.yaml create mode 100644 other-cel/memory-requests-equal-limits/artifacthub-pkg.yml create mode 100644 other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml create mode 100755 other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/metadata-match-regex/.chainsaw-test/pod-bad.yaml create mode 100644 other-cel/metadata-match-regex/.chainsaw-test/pod-good.yaml create mode 100644 other-cel/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml create mode 100644 other-cel/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml create mode 100755 
other-cel/metadata-match-regex/.chainsaw-test/policy-ready.yaml create mode 100644 other-cel/metadata-match-regex/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/metadata-match-regex/artifacthub-pkg.yml create mode 100644 other-cel/metadata-match-regex/metadata-match-regex.yaml create mode 100755 other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml create mode 100644 other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml create mode 100755 other-cel/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml create mode 100644 other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml create mode 100644 other-cel/pdb-maxunavailable/artifacthub-pkg.yml create mode 100644 other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml create mode 100755 other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/prevent-bare-pods/.chainsaw-test/deployment.yaml create mode 100644 other-cel/prevent-bare-pods/.chainsaw-test/ns.yaml create mode 100644 other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml create mode 100644 other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml create mode 100755 other-cel/prevent-bare-pods/.chainsaw-test/policy-ready.yaml create mode 100644 other-cel/prevent-bare-pods/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/prevent-bare-pods/artifacthub-pkg.yml create mode 100644 other-cel/prevent-bare-pods/prevent-bare-pods.yaml create mode 100755 other-cel/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml create mode 100644 other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml create mode 100644 other-cel/prevent-cr8escape/.chainsaw-test/pods-bad.yaml create mode 100644 other-cel/prevent-cr8escape/.chainsaw-test/pods-good.yaml create mode 
100644 other-cel/prevent-cr8escape/.chainsaw-test/policy-ready.yaml create mode 100644 other-cel/prevent-cr8escape/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/prevent-cr8escape/.kyverno-test/resources.yaml create mode 100644 other-cel/prevent-cr8escape/artifacthub-pkg.yml create mode 100644 other-cel/prevent-cr8escape/prevent-cr8escape.yaml create mode 100644 other/metadata-match-regex/.kyverno-test/kyverno-test.yaml create mode 100644 other/prevent-bare-pods/.kyverno-test/kyverno-test.yaml diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index bc7253b02..718a3a619 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -53,6 +53,7 @@ jobs: - ^other$/^re[c-q] - ^other$/^res - ^other$/^[s-z] + - ^other-cel$/^[m-q] - ^pod-security$ - ^pod-security-cel$ - ^psa$ diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..a6646a301 --- /dev/null +++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,39 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: memory-requests-equal-limits +spec: + steps: + - name: step-01 + try: + - apply: + file: ../memory-requests-equal-limits.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: memory-requests-equal-limits + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml + 
diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml new file mode 100644 index 000000000..b5e8f35f5 --- /dev/null +++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml @@ -0,0 +1,77 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: busybox + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "200Mi" +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: busybox + image: busybox:1.35 + resources: + requests: + memory: "10Mi" + limits: + memory: "140Mi" + - name: busybox02 + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "150Mi" +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: busybox + image: busybox:1.35 + resources: + requests: + memory: "120Mi" + limits: + memory: "120Mi" + - name: busybox02 + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "150Mi" +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: busybox02 + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "200Mi" + - name: busybox + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "100Mi" + diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml new file mode 100644 index 000000000..2b67af375 --- /dev/null +++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml 
@@ -0,0 +1,46 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod00 +spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: busybox + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "100Mi" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: busybox + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "100Mi" + - name: busybox02 + image: busybox:1.35 + - name: busybox03 + image: busybox:1.35 + resources: + requests: + memory: "50Mi" + limits: + memory: "50Mi" + diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml new file mode 100644 index 000000000..85b8c5456 --- /dev/null +++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml @@ -0,0 +1,60 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 + resources: + requests: + memory: "10Mi" + limits: + memory: "140Mi" + - name: busybox02 + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "150Mi" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: busybox + image: busybox:1.35 + resources: + requests: + memory: "10Mi" + limits: + memory: "140Mi" + - name: busybox02 + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "150Mi" + restartPolicy: OnFailure + 
diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml new file mode 100644 index 000000000..d54369b17 --- /dev/null +++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml @@ -0,0 +1,64 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "100Mi" + - name: busybox02 + image: busybox:1.35 + - name: busybox03 + image: busybox:1.35 + resources: + requests: + memory: "50Mi" + limits: + memory: "50Mi" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: busybox + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "100Mi" + - name: busybox02 + image: busybox:1.35 + - name: busybox03 + image: busybox:1.35 + resources: + requests: + memory: "50Mi" + limits: + memory: "50Mi" + restartPolicy: OnFailure + diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml new file mode 100755 index 000000000..b0e2885d6 --- /dev/null +++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,7 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: memory-requests-equal-limits +status: + ready: true + diff --git a/other-cel/memory-requests-equal-limits/.kyverno-test/kyverno-test.yaml b/other-cel/memory-requests-equal-limits/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..73538ab7d --- /dev/null 
+++ b/other-cel/memory-requests-equal-limits/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,28 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: memory-requests-equal-limits +policies: +- ../memory-requests-equal-limits.yaml +resources: +- resource.yaml +results: +- kind: CronJob + policy: memory-requests-equal-limits + resources: + - hello + result: pass + rule: autogen-cronjob-memory-requests-equal-limits +- kind: DaemonSet + policy: memory-requests-equal-limits + resources: + - fluentd-elasticsearch + result: pass + rule: autogen-memory-requests-equal-limits +- kind: Pod + policy: memory-requests-equal-limits + resources: + - myapp-pod + result: fail + rule: memory-requests-equal-limits + diff --git a/other-cel/memory-requests-equal-limits/.kyverno-test/resource.yaml b/other-cel/memory-requests-equal-limits/.kyverno-test/resource.yaml new file mode 100644 index 000000000..33b5da389 --- /dev/null +++ b/other-cel/memory-requests-equal-limits/.kyverno-test/resource.yaml 
@@ -0,0 +1,73 @@ +# DaemonSet with equal resources.requests.memory to resources.limits.memory +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: fluentd-elasticsearch + namespace: kube-system + labels: + k8s-app: fluentd-logging +spec: + selector: + matchLabels: + name: fluentd-elasticsearch + template: + metadata: + labels: + name: fluentd-elasticsearch + spec: + containers: + - name: fluentd-elasticsearch + image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2 + resources: + limits: + memory: 200Mi + requests: + cpu: 100m + memory: 200Mi + +--- +# Pod with unequal resources.requests.memory to resources.limits.memory +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod +spec: + containers: + - name: nginx + image: nginx + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + +--- +# CronJob with equal resources.requests.memory to resources.limits.memory +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: hello +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: hello + image: busybox + args: + - /bin/sh + - -c + - date; echo Hello from the Kubernetes cluster + resources: + requests: + cpu: "100m" + memory: "1000m" + limits: + cpu: "100m" + memory: "1000m" + restartPolicy: OnFailure + diff --git a/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml b/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml new file mode 100644 index 000000000..c50a6c04d --- /dev/null +++ b/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml 
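Review bot: The CronJob fixture uses `apiVersion: batch/v1beta1`, which was removed from Kubernetes in 1.25, while the policy declares `kyverno.io/kubernetes-version: "1.26-1.27"`; the CLI test evaluates offline and still passes, but the sample would not apply to a cluster in that range, so change it to `apiVersion: batch/v1`. `memory: "1000m"` is presumably accepted as a quantity but reads like a CPU value in a memory field; a conventional `memory: "100Mi"` on both requests and limits would make the pass case clearer.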
@@ -0,0 +1,24 @@ +name: memory-requests-equal-limits-cel +version: 1.0.0 +displayName: Memory Requests Equal Limits in CEL expressions +description: >- + Pods which have memory limits equal to requests are given a QoS class of Guaranteed which is the highest schedulable class. This policy checks that all containers in a given Pod have memory requests equal to limits. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml + ``` +keywords: + - kyverno + - Sample + - CEL Expressions +readme: | + Pods which have memory limits equal to requests are given a QoS class of Guaranteed which is the highest schedulable class. This policy checks that all containers in a given Pod have memory requests equal to limits. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Sample in CEL" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod" +digest: 176dc9b492d3eee687bc89711d3414f13bf00548b85781e71ccaacd12bbf6f1a +createdAt: "2024-04-07T11:13:21Z" + diff --git a/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml b/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml new file mode 100644 index 000000000..82b23257b --- /dev/null +++ b/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml 
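Review bot: The `description` and `readme` state that Pods with memory limits equal to requests "are given a QoS class of Guaranteed", whereas the policy's own description in memory-requests-equal-limits.yaml correctly qualifies this (only if CPU limits also equal requests); align the package text with the policy, e.g. `Pods which have memory limits equal to requests could be given a QoS class of Guaranteed if they also set CPU limits equal to requests.`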
@@ -0,0 +1,38 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: memory-requests-equal-limits
+ annotations:
+ policies.kyverno.io/title: Memory Requests Equal Limits in CEL expressions
+ policies.kyverno.io/category: Sample in CEL
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/description: >-
+ Pods which have memory limits equal to requests could be given a QoS class of Guaranteed if
+ they also set CPU limits equal to requests. Guaranteed is the highest schedulable class.
+ This policy checks that all containers in a given Pod have memory requests equal to limits.
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: memory-requests-equal-limits
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ cel:
+ variables:
+ - name: containersWithResources
+ expression: object.spec.containers.filter(container, has(container.resources))
+ expressions:
+ - expression: >-
+ variables.containersWithResources.all(container,
+ !has(container.resources.requests) ||
+ !has(container.resources.requests.memory) ||
+ container.resources.requests.memory == container.resources.?limits.?memory.orValue('-1'))
+ message: "resources.requests.memory must be equal to resources.limits.memory"
+
diff --git a/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml b/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..51f02a908
--- /dev/null
+++ b/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml
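Review bot: The variable `containersWithResources` filters only `object.spec.containers`, so init containers (and ephemeral containers) with mismatched memory requests and limits are admitted without a finding even though the description promises "all containers in a given Pod"; if that is the intent, build the list from both, e.g. `expression: (object.spec.containers + object.spec.?initContainers.orValue([])).filter(container, has(container.resources))`. The `==` on the two quantities is presumably string equality on the values as written, so `128Mi` against `134217728` or `1Gi` against `1024Mi` would be reported as unequal although the quantities match; either say so in the message or normalise through the CEL quantity library if Kyverno's CEL environment exposes it for this Kubernetes range. The `orValue('-1')` sentinel is correct but opaque; a comment such as `# a container with a memory request but no memory limit can never satisfy the check` would make the intent explicit.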
@@ -0,0 +1,39 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: metadata-match-regex +spec: + steps: + - name: step-01 + try: + - apply: + file: ../metadata-match-regex.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: metadata-match-regex + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml + diff --git a/other-cel/metadata-match-regex/.chainsaw-test/pod-bad.yaml b/other-cel/metadata-match-regex/.chainsaw-test/pod-bad.yaml new file mode 100644 index 000000000..e16e81cd7 --- /dev/null +++ b/other-cel/metadata-match-regex/.chainsaw-test/pod-bad.yaml @@ -0,0 +1,42 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + corp.org/version: v1.1 + name: badpod01 +spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + corp.org/version: "0.0.1" + name: badpod02 +spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + corp.org/version: "v1.22.1" + name: badpod03 +spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: busybox + image: busybox:1.35 + diff --git a/other-cel/metadata-match-regex/.chainsaw-test/pod-good.yaml b/other-cel/metadata-match-regex/.chainsaw-test/pod-good.yaml new file mode 100644 index 000000000..9c3f19d3e --- /dev/null +++ b/other-cel/metadata-match-regex/.chainsaw-test/pod-good.yaml 
@@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + corp.org/version: v0.1.9 + name: goodpod01 +spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + corp.org/version: v0.0.1 + name: goodpod02 +spec: + containers: + - name: busybox + image: busybox:1.35 + diff --git a/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml b/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml new file mode 100644 index 000000000..e1824fb48 --- /dev/null +++ b/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml @@ -0,0 +1,40 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + corp.org/version: "v0.12.9" + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + corp.org/version: "v1.13" + spec: + containers: + - name: busybox + image: busybox:1.35 + restartPolicy: OnFailure + diff --git a/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml b/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml new file mode 100644 index 000000000..164d85d51 --- /dev/null +++ b/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml 
@@ -0,0 +1,40 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + corp.org/version: "v0.1.9" + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + corp.org/version: "v0.1.9" + spec: + containers: + - name: busybox + image: busybox:1.35 + restartPolicy: OnFailure + diff --git a/other-cel/metadata-match-regex/.chainsaw-test/policy-ready.yaml b/other-cel/metadata-match-regex/.chainsaw-test/policy-ready.yaml new file mode 100755 index 000000000..aa0042784 --- /dev/null +++ b/other-cel/metadata-match-regex/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,7 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: metadata-match-regex +status: + ready: true + diff --git a/other-cel/metadata-match-regex/.kyverno-test/kyverno-test.yaml b/other-cel/metadata-match-regex/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..c7259a539 --- /dev/null +++ b/other-cel/metadata-match-regex/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,53 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: metadata-match-regex +policies: +- ../metadata-match-regex.yaml +resources: +- ../.chainsaw-test/pod-bad.yaml +- ../.chainsaw-test/pod-good.yaml +- ../.chainsaw-test/podcontroller-bad.yaml +- ../.chainsaw-test/podcontroller-good.yaml +results: +- policy: metadata-match-regex + rule: check-for-regex + kind: Pod + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + result: fail +- policy: metadata-match-regex + rule: check-for-regex + kind: Deployment + resources: + - baddeployment01 + result: fail +- policy: metadata-match-regex + rule: check-for-regex + kind: CronJob + resources: + - badcronjob01 + result: fail +- policy: metadata-match-regex + rule: check-for-regex + kind: Pod + resources: + - goodpod01 + - goodpod02 + result: pass +- policy: metadata-match-regex + rule: check-for-regex + kind: Deployment + resources: + - gooddeployment01 + result: pass +- policy: metadata-match-regex + rule: check-for-regex + kind: CronJob + resources: + - goodcronjob01 + result: pass + diff --git a/other-cel/metadata-match-regex/artifacthub-pkg.yml b/other-cel/metadata-match-regex/artifacthub-pkg.yml new file mode 100644 index 000000000..c4c2212d4 --- /dev/null +++ b/other-cel/metadata-match-regex/artifacthub-pkg.yml 
@@ -0,0 +1,24 @@ +name: metadata-match-regex-cel +version: 1.0.0 +displayName: Metadata Matches Regex in CEL expressions +description: >- + Rather than a simple check to see if given metadata such as labels and annotations are present, in some cases they need to be present and the values match a specified regular expression. This policy illustrates how to ensure a label with key `corp.org/version` is both present and matches a given regex, in this case ensuring semver is met. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/metadata-match-regex/metadata-match-regex.yaml + ``` +keywords: + - kyverno + - Other + - CEL Expressions +readme: | + Rather than a simple check to see if given metadata such as labels and annotations are present, in some cases they need to be present and the values match a specified regular expression. This policy illustrates how to ensure a label with key `corp.org/version` is both present and matches a given regex, in this case ensuring semver is met. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other in CEL" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod, Label" +digest: 4f6e2a07df41b3ce83af7ce25a6cdb7bae14f336edfd178bb52b25183f6c580d +createdAt: "2024-04-07T10:16:14Z" + diff --git a/other-cel/metadata-match-regex/metadata-match-regex.yaml b/other-cel/metadata-match-regex/metadata-match-regex.yaml new file mode 100644 index 000000000..be0c59c02 --- /dev/null +++ b/other-cel/metadata-match-regex/metadata-match-regex.yaml 
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: metadata-match-regex
+ annotations:
+ policies.kyverno.io/title: Metadata Matches Regex in CEL expressions
+ policies.kyverno.io/category: Other in CEL
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod, Label
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/description: >-
+ Rather than a simple check to see if given metadata such as labels and annotations are present,
+ in some cases they need to be present and the values match a specified regular expression. This
+ policy illustrates how to ensure a label with key `corp.org/version` is both present and matches
+ a given regex, in this case ensuring semver is met.
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: check-for-regex
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ cel:
+ expressions:
+ - expression: >-
+ has(object.metadata.labels) && 'corp.org/version' in object.metadata.labels &&
+ object.metadata.labels['corp.org/version'].matches('^v[0-9].[0-9].[0-9]$')
+ message: >-
+ The label `corp.org/version` is required and must match the specified regex: ^v[0-9].[0-9].[0-9]$
+
diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..84811c9fc
--- /dev/null
+++ b/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml
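Review bot: The pattern on the `matches(...)` line, `^v[0-9].[0-9].[0-9]$`, leaves both dots unescaped, so `.` matches any character and a label value like `v1x2y3` or `v1-2-3` satisfies a rule whose description promises a semver check; the `message` line repeats the same pattern. Escape the separators with a CEL raw string so neither the YAML folded scalar nor CEL's own escape rules get in the way: `object.metadata.labels['corp.org/version'].matches(r'^v[0-9]\.[0-9]\.[0-9]$')`, and update the message text to `^v[0-9]\.[0-9]\.[0-9]$`. Single-digit components are presumably deliberate — `badpod03` (`v1.22.1`) is expected to fail — but if multi-digit versions are meant, use `[0-9]+` for each component and adjust that fixture.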
@@ -0,0 +1,32 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: pdb-maxunavailable +spec: + steps: + - name: step-01 + try: + - apply: + file: ../pdb-maxunavailable.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: pdb-maxunavailable + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: pdb-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pdb-bad.yaml + diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml new file mode 100644 index 000000000..48788b23e --- /dev/null +++ b/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml @@ -0,0 +1,7 @@ +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: badpdb01 +spec: + maxUnavailable: 0 + diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml new file mode 100644 index 000000000..d8c6a9e30 --- /dev/null +++ b/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml @@ -0,0 +1,14 @@ +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: goodpdb01 +spec: + minAvailable: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: goodpdb02 +spec: + maxUnavailable: 1 + diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml new file mode 100755 index 000000000..235426002 --- /dev/null +++ b/other-cel/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,7 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: pdb-maxunavailable +status: + ready: true + 
diff --git a/other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml b/other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..e62099f4d --- /dev/null +++ b/other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,24 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: pdb-maxunavailable +policies: +- ../pdb-maxunavailable.yaml +resources: +- resource.yaml +results: +- kind: PodDisruptionBudget + policy: pdb-maxunavailable + resources: + - kube-system/bad-pdb-zero + - kube-system/bad-pdb-negative-one + result: fail + rule: pdb-maxunavailable +- kind: PodDisruptionBudget + policy: pdb-maxunavailable + resources: + - kube-system/good-pdb + - kube-system/good-pdb-none + result: pass + rule: pdb-maxunavailable + diff --git a/other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml b/other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml new file mode 100644 index 000000000..d7777edb9 --- /dev/null +++ b/other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml @@ -0,0 +1,43 @@ +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: good-pdb + namespace: kube-system +spec: + maxUnavailable: 2 + selector: + matchLabels: + app: good +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: good-pdb-none + namespace: kube-system +spec: + selector: + matchLabels: + app: good +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: bad-pdb-zero + namespace: kube-system +spec: + maxUnavailable: 0 + selector: + matchLabels: + app: bad +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: bad-pdb-negative-one + namespace: kube-system +spec: + maxUnavailable: -1 + selector: + matchLabels: + app: bad + diff --git a/other-cel/pdb-maxunavailable/artifacthub-pkg.yml b/other-cel/pdb-maxunavailable/artifacthub-pkg.yml new file mode 100644 index 000000000..efc26a695 --- /dev/null +++ b/other-cel/pdb-maxunavailable/artifacthub-pkg.yml 
@@ -0,0 +1,24 @@ +name: pdb-maxunavailable-cel +version: 1.0.0 +displayName: PodDisruptionBudget maxUnavailable Non-Zero in CEL expressions +description: >- + A PodDisruptionBudget which sets its maxUnavailable value to zero prevents all voluntary evictions including Node drains which may impact maintenance tasks. This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field it must be greater than zero. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml + ``` +keywords: + - kyverno + - Other + - CEL Expressions +readme: | + A PodDisruptionBudget which sets its maxUnavailable value to zero prevents all voluntary evictions including Node drains which may impact maintenance tasks. This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field it must be greater than zero. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other in CEL" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "PodDisruptionBudget" +digest: 7dff4f3801bce1ca8835c5ebcadaa78e1fa41480a19958eb78aee5bbfcd6b8bf +createdAt: "2024-04-07T10:22:03Z" + diff --git a/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml b/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml new file mode 100644 index 000000000..4c2da59ae --- /dev/null +++ b/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml 
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: pdb-maxunavailable
+ annotations:
+ policies.kyverno.io/title: PodDisruptionBudget maxUnavailable Non-Zero in CEL expressions
+ policies.kyverno.io/category: Other in CEL
+ kyverno.io/kyverno-version: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/subject: PodDisruptionBudget
+ policies.kyverno.io/description: >-
+ A PodDisruptionBudget which sets its maxUnavailable value to zero prevents
+ all voluntary evictions including Node drains which may impact maintenance tasks.
+ This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field
+ it must be greater than zero.
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: pdb-maxunavailable
+ match:
+ any:
+ - resources:
+ kinds:
+ - PodDisruptionBudget
+ validate:
+ cel:
+ expressions:
+ - expression: "!has(object.spec.maxUnavailable) || int(object.spec.maxUnavailable) > 0"
+ message: "The value of maxUnavailable must be greater than zero."
+
diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..71881a8c8
--- /dev/null
+++ b/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml
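Review bot: `int(object.spec.maxUnavailable)` on the `expression` line does not handle the percentage form the field accepts: `maxUnavailable` is an IntOrString, so a value of `"50%"` makes `int()` fail with an evaluation error instead of passing, and `"0%"`, which blocks voluntary evictions exactly like `0`, is only ever reported through that error rather than by the check itself. Normalise before comparing so both forms are covered: `!has(object.spec.maxUnavailable) || int(string(object.spec.maxUnavailable).replace('%', '')) > 0`. How Kyverno surfaces a CEL evaluation error in Audit versus Enforce is worth confirming, but either way the current expression misreports every percentage-based budget, and neither `pdb-good.yaml` nor `resource.yaml` exercises that case.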
@@ -0,0 +1,47 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: prevent-naked-pods +spec: + steps: + - name: step-01 + try: + - apply: + file: ns.yaml + - apply: + file: ../prevent-bare-pods.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: prevent-bare-pods + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + file: deployment.yaml + - name: step-03 + try: + - sleep: + duration: 5s + - script: + content: | + if [ $(kubectl get pods -n prevent-naked-pods-ns | grep gooddeployment01 | wc -l) -gt 0 ]; then exit 0; else exit 1; fi + - name: step-99 + try: + - script: + content: kubectl delete all --all --force --grace-period=0 -n prevent-naked-pods-ns + diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/deployment.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/deployment.yaml new file mode 100644 index 000000000..c79a4845a --- /dev/null +++ b/other-cel/prevent-bare-pods/.chainsaw-test/deployment.yaml @@ -0,0 +1,23 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 + namespace: prevent-naked-pods-ns +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 + command: ["sleep", "30"] + diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/ns.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/ns.yaml new file mode 100644 index 000000000..ed9eca697 --- /dev/null +++ b/other-cel/prevent-bare-pods/.chainsaw-test/ns.yaml 
@@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: prevent-naked-pods-ns + diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml new file mode 100644 index 000000000..cf952a0ce --- /dev/null +++ b/other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: busybox + image: busybox:1.35 + diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml new file mode 100644 index 000000000..7bd6e6c77 --- /dev/null +++ b/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + ownerReferences: + - apiVersion: apps/v1 + kind: Deployment + name: gooddeployment01 + uid: "foo-bar" + name: goodpod01 +spec: + containers: + - name: busybox + image: busybox:1.35 + diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/policy-ready.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/policy-ready.yaml new file mode 100755 index 000000000..c88574c2e --- /dev/null +++ b/other-cel/prevent-bare-pods/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,7 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: prevent-bare-pods +status: + ready: true + diff --git a/other-cel/prevent-bare-pods/.kyverno-test/kyverno-test.yaml b/other-cel/prevent-bare-pods/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..1a43a336b --- /dev/null +++ b/other-cel/prevent-bare-pods/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,23 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: prevent-bare-pods +policies: +- ../prevent-bare-pods.yaml +resources: +- ../.chainsaw-test/pod-bad.yaml +- ../.chainsaw-test/pod-good.yaml +results: +- policy: prevent-bare-pods + rule: bare-pods + kind: Pod + resources: + - badpod01 + result: fail +- policy: prevent-bare-pods + rule: bare-pods + kind: Pod + resources: + - goodpod01 + result: pass + diff --git a/other-cel/prevent-bare-pods/artifacthub-pkg.yml b/other-cel/prevent-bare-pods/artifacthub-pkg.yml new file mode 100644 index 000000000..3917c8200 --- /dev/null +++ b/other-cel/prevent-bare-pods/artifacthub-pkg.yml @@ -0,0 +1,25 @@ +name: prevent-bare-pods-cel +version: 1.0.0 +displayName: Prevent bare Pods in CEL expressions +description: >- + Pods not created by workload controllers such as Deployments have no self-healing or scaling abilities and are unsuitable for production. This policy prevents such "bare" Pods from being created unless they originate from a higher-level workload controller of some sort. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/prevent-bare-pods/prevent-bare-pods.yaml + ``` +keywords: + - kyverno + - Other + - EKS Best Practices + - CEL Expressions +readme: | + Pods not created by workload controllers such as Deployments have no self-healing or scaling abilities and are unsuitable for production. This policy prevents such "bare" Pods from being created unless they originate from a higher-level workload controller of some sort. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other, EKS Best Practices in CEL" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod" +digest: 325e1a068bd771c60a304f121675b9d895bcc8abacc7b48054ae4465d51fd158 +createdAt: "2024-04-07T10:47:32Z" + 
diff --git a/other-cel/prevent-bare-pods/prevent-bare-pods.yaml b/other-cel/prevent-bare-pods/prevent-bare-pods.yaml
new file mode 100644
index 000000000..2afe850c7
--- /dev/null
+++ b/other-cel/prevent-bare-pods/prevent-bare-pods.yaml
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: prevent-bare-pods
+ annotations:
+ policies.kyverno.io/title: Prevent Bare Pods in CEL expressions
+ pod-policies.kyverno.io/autogen-controllers: none
+ policies.kyverno.io/category: Other, EKS Best Practices in CEL
+ policies.kyverno.io/severity: medium
+ kyverno.io/kyverno-version: 1.11.0
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ Pods not created by workload controllers such as Deployments
+ have no self-healing or scaling abilities and are unsuitable for production.
+ This policy prevents such "bare" Pods from being created unless they originate
+ from a higher-level workload controller of some sort.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: bare-pods
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ cel:
+ expressions:
+ - expression: "'ownerReferences' in object.metadata"
+ message: "Bare Pods are not allowed. They must be created by Pod controllers."
+
diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..7816e6083
--- /dev/null
+++ b/other-cel/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml
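Review bot: `'ownerReferences' in object.metadata` on the `expression` line only proves the field is present, and any principal allowed to create Pods can populate it with an arbitrary owner — this PR's own `pod-good.yaml` passes the rule with a fabricated uid `foo-bar` and no controller managing the Pod — so the policy should be documented as a hygiene control rather than a guard against unmanaged Pods. A sentence in the description such as `ownerReferences is user-settable; this rule does not verify that the referenced controller exists or manages the Pod` would set expectations for anyone relying on it. If a somewhat tighter check is wanted, `has(object.metadata.ownerReferences) && object.metadata.ownerReferences.exists(ref, has(ref.controller) && ref.controller)` at least requires a controller reference, though it still does not verify the owner and would need the fixture to set `controller: true`.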
@@ -0,0 +1,31 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: prevent-cr8escape +spec: + steps: + - name: step-01 + try: + - apply: + file: ../prevent-cr8escape.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: pods-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pods-bad.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml + diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml new file mode 100644 index 000000000..26556887a --- /dev/null +++ b/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml @@ -0,0 +1,48 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + securityContext: + sysctls: + - name: "bar" + value: "foo" + - name: "foo" + value: "foo=bar" + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + securityContext: + sysctls: + - name: "foo" + value: "foo+bar" + - name: "bar" + value: "foo" + containers: + - name: busybox + image: busybox:1.35 + restartPolicy: OnFailure + diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml new file mode 100644 index 000000000..487b91d99 --- /dev/null +++ b/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml 
@@ -0,0 +1,48 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + securityContext: + sysctls: + - name: "foo" + value: "bar" + - name: "bar" + value: "foo" + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + securityContext: + sysctls: + - name: "foo" + value: "bar" + - name: "bar" + value: "foo" + containers: + - name: busybox + image: busybox:1.35 + restartPolicy: OnFailure + diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/pods-bad.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/pods-bad.yaml new file mode 100644 index 000000000..05825db5a --- /dev/null +++ b/other-cel/prevent-cr8escape/.chainsaw-test/pods-bad.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + securityContext: + sysctls: + - name: "foo" + value: "foo+bar" + - name: "bar" + value: "foo" + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + securityContext: + sysctls: + - name: "bar" + value: "foo" + - name: "foo" + value: "foo=bar" + containers: + - name: busybox + image: busybox:1.35 + diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/pods-good.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/pods-good.yaml new file mode 100644 index 000000000..ed0f0c5fa --- /dev/null +++ b/other-cel/prevent-cr8escape/.chainsaw-test/pods-good.yaml 
@@ -0,0 +1,35 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + securityContext: + sysctls: + - name: "foo" + value: "bar" + - name: "bar" + value: "foo" + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + securityContext: + allowPrivilegeEscalation: false + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: busybox + image: busybox:1.35 + diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/policy-ready.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..1259408f7 --- /dev/null +++ b/other-cel/prevent-cr8escape/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: prevent-cr8escape +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + diff --git a/other-cel/prevent-cr8escape/.kyverno-test/kyverno-test.yaml b/other-cel/prevent-cr8escape/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..29a5cc8c5 --- /dev/null +++ b/other-cel/prevent-cr8escape/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,23 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: prevent-cr8escape +policies: +- ../prevent-cr8escape.yaml +resources: +- resources.yaml +results: +- kind: Pod + policy: prevent-cr8escape + resources: + - badpod01 + result: fail + rule: restrict-sysctls-cr8escape +- kind: Pod + policy: prevent-cr8escape + resources: + - pod-sysctl-good + - pod-no-sysctl + result: pass + rule: restrict-sysctls-cr8escape + diff --git a/other-cel/prevent-cr8escape/.kyverno-test/resources.yaml b/other-cel/prevent-cr8escape/.kyverno-test/resources.yaml new file mode 100644 index 000000000..e5ae26766 --- /dev/null +++ b/other-cel/prevent-cr8escape/.kyverno-test/resources.yaml 
@@ -0,0 +1,39 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + securityContext: + sysctls: + - name: kernel.shm_rmid_forced + value: "1+kernel.core_pattern=|/var/lib/containers/storage/overlay/3ef1281bce79865599f673b476957be73f994d17c15109d2b6a426711cf753e6/diff/malicious.sh #" + containers: + - name: alpine + image: alpine:latest + command: ["tail", "-f", "/dev/null"] +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod-no-sysctl +spec: + containers: + - name: alpine + image: alpine:latest + command: ["tail", "-f", "/dev/null"] +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod-sysctl-good +spec: + securityContext: + sysctls: + - name: kernel.shm_rmid_forced + value: "2" + containers: + - name: alpine + image: alpine:latest + command: ["tail", "-f", "/dev/null"] + diff --git a/other-cel/prevent-cr8escape/artifacthub-pkg.yml b/other-cel/prevent-cr8escape/artifacthub-pkg.yml new file mode 100644 index 000000000..afc130c3e --- /dev/null +++ b/other-cel/prevent-cr8escape/artifacthub-pkg.yml 
@@ -0,0 +1,24 @@ +name: prevent-cr8escape-cel +version: 1.0.0 +displayName: Prevent cr8escape (CVE-2022-0811) in CEL expressions +description: >- + A vulnerability "cr8escape" (CVE-2022-0811) in CRI-O the container runtime engine underpinning Kubernetes allows attackers to escape from a Kubernetes container and gain root access to the host. The recommended remediation is to disallow sysctl settings with + or = in their value. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/prevent-cr8escape/prevent-cr8escape.yaml + ``` +keywords: + - kyverno + - Other + - CEL Expressions +readme: | + A vulnerability "cr8escape" (CVE-2022-0811) in CRI-O the container runtime engine underpinning Kubernetes allows attackers to escape from a Kubernetes container and gain root access to the host. The recommended remediation is to disallow sysctl settings with + or = in their value. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other in CEL" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod" +digest: 84a0f441ce5baec6060606a05f2f7f54847e79b48a38c9edc1655e6f0caf8bbf +createdAt: "2024-04-08T10:46:02Z" + diff --git a/other-cel/prevent-cr8escape/prevent-cr8escape.yaml b/other-cel/prevent-cr8escape/prevent-cr8escape.yaml new file mode 100644 index 000000000..dfa8e918e --- /dev/null +++ b/other-cel/prevent-cr8escape/prevent-cr8escape.yaml 
@@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: prevent-cr8escape + annotations: + policies.kyverno.io/title: Prevent cr8escape (CVE-2022-0811) in CEL expressions + policies.kyverno.io/category: Other in CEL + policies.kyverno.io/severity: high + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + A vulnerability "cr8escape" (CVE-2022-0811) in CRI-O the container runtime engine + underpinning Kubernetes allows attackers to escape from a Kubernetes container + and gain root access to the host. The recommended remediation is to disallow + sysctl settings with + or = in their value. +spec: + validationFailureAction: Enforce + background: true + rules: + - name: restrict-sysctls-cr8escape + match: + any: + - resources: + kinds: + - Pod + validate: + cel: + expressions: + - expression: >- + !has(object.spec.securityContext) || !has(object.spec.securityContext.sysctls) || + object.spec.securityContext.sysctls.all(sysctl, !has(sysctl.value) || (!sysctl.value.contains('+') && !sysctl.value.contains('='))) + message: "characters '+' or '=' are not allowed in sysctls values" + diff --git a/other/metadata-match-regex/.kyverno-test/kyverno-test.yaml b/other/metadata-match-regex/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..9e2f2c1f8 --- /dev/null +++ b/other/metadata-match-regex/.kyverno-test/kyverno-test.yaml 
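Review bot: The `all(...)` expression filters only the characters `+` and `=` in `sysctl.value` and never constrains `sysctl.name`, so it mitigates the one injection vector the CVE used rather than fixing it; the description should say that explicitly, e.g. `This policy mitigates the injection vector; upgrading CRI-O to a fixed release is the actual remediation.` Since Kubernetes already ships a short list of "safe" sysctls (the set the Pod Security baseline profile allows), allow-listing `sysctl.name` against that list in a second `expression` would close the gap regardless of how the value is formatted. This policy also hardcodes `validationFailureAction: Enforce` while every sibling policy in this PR defaults to `Audit`; reasonable for a high-severity rule, but a one-line comment explaining the choice would stop it from being "normalised" later.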
@@ -0,0 +1,46 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: metadata-match-regex
+policies:
+- ../metadata-match-regex.yaml
+resources:
+- ../.chainsaw-test/pod-bad.yaml
+- ../.chainsaw-test/pod-good.yaml
+- ../.chainsaw-test/podcontroller-bad.yaml
+- ../.chainsaw-test/podcontroller-good.yaml
+results:
+- policy: metadata-match-regex
+ rule: check-for-regex
+ kind: Pod
+ resources:
+ - badpod01
+ - badpod02
+ - badpod03
+ - badpod04
+ result: fail
+- policy: metadata-match-regex
+ rule: check-for-regex
+ kind: Deployment
+ resources:
+ - baddeployment01
+ result: fail
+- policy: metadata-match-regex
+ rule: check-for-regex
+ kind: CronJob
+ resources:
+ - badcronjob01
+ result: fail
+- policy: metadata-match-regex
+ rule: check-for-regex
+ kind: Deployment
+ resources:
+ - gooddeployment01
+ result: pass
+- policy: metadata-match-regex
+ rule: check-for-regex
+ kind: CronJob
+ resources:
+ - goodcronjob01
+ result: pass
+
diff --git a/other/prevent-bare-pods/.chainsaw-test/pod-good.yaml b/other/prevent-bare-pods/.chainsaw-test/pod-good.yaml
index 649c25ce4..f7e01fe38 100644
--- a/other/prevent-bare-pods/.chainsaw-test/pod-good.yaml
+++ b/other/prevent-bare-pods/.chainsaw-test/pod-good.yaml
@@ -6,7 +6,7 @@ metadata: kind: Deployment name: gooddeployment01 uid: "foo-bar" - name: godpod01 + name: goodpod01 spec: containers: - name: busybox
diff --git a/other/prevent-bare-pods/.kyverno-test/kyverno-test.yaml b/other/prevent-bare-pods/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..1a43a336b
--- /dev/null
+++ b/other/prevent-bare-pods/.kyverno-test/kyverno-test.yaml
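Review bot: The `results` list never asserts that a Pod passes, even though `../.chainsaw-test/pod-good.yaml` is loaded under `resources`; only the Deployment and CronJob good cases have `result: pass`, so a `check-for-regex` rule that rejected every Pod would still make this test green. Add a Pod entry such as `- policy: metadata-match-regex`, `rule: check-for-regex`, `kind: Pod`, `resources: [goodpod01]`, `result: pass`, using whatever names pod-good.yaml actually defines (that file is not visible in this hunk).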
@@ -0,0 +1,23 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: prevent-bare-pods +policies: +- ../prevent-bare-pods.yaml +resources: +- ../.chainsaw-test/pod-bad.yaml +- ../.chainsaw-test/pod-good.yaml +results: +- policy: prevent-bare-pods + rule: bare-pods + kind: Pod + resources: + - badpod01 + result: fail +- policy: prevent-bare-pods + rule: bare-pods + kind: Pod + resources: + - goodpod01 + result: pass + diff --git a/other/prevent-cr8escape/.kyverno-test/kyverno-test.yaml b/other/prevent-cr8escape/.kyverno-test/kyverno-test.yaml index e9dae26dc..b9bb93bba 100644 --- a/other/prevent-cr8escape/.kyverno-test/kyverno-test.yaml +++ b/other/prevent-cr8escape/.kyverno-test/kyverno-test.yaml @@ -1,7 +1,7 @@ apiVersion: cli.kyverno.io/v1alpha1 kind: Test metadata: - name: restrict- + name: prevent-cr8escape policies: - ../prevent-cr8escape.yaml resources: From a62843584ce46eaf47265c7373362e3fd6fa265d Mon Sep 17 00:00:00 2001 From: Matt Bator Date: Wed, 15 May 2024 10:51:04 -0700 Subject: [PATCH 38/42] Updating immutable location profile policy (#991) 
Signed-off-by: Matt Bator Co-authored-by: Jim Bugwadia --- .../immutable-location-profile.yaml | 367 ------------------ .../artifacthub-pkg.yml | 22 -- .../k10-immutable-location-profile.yaml | 35 -- .../immutable-location-profile.yaml | 44 +++ .../.kyverno-test/kyverno-test.yaml | 10 +- .../artifacthub-pkg.yml | 25 ++ .../kasten-immutable-location-profile.yaml | 30 ++ 7 files changed, 104 insertions(+), 429 deletions(-) delete mode 100644 kasten/k10-immutable-location-profile/.kyverno-test/immutable-location-profile.yaml delete mode 100644 kasten/k10-immutable-location-profile/artifacthub-pkg.yml delete mode 100644 kasten/k10-immutable-location-profile/k10-immutable-location-profile.yaml create mode 100644 kasten/kasten-immutable-location-profile/.kyverno-test/immutable-location-profile.yaml rename kasten/{k10-immutable-location-profile => kasten-immutable-location-profile}/.kyverno-test/kyverno-test.yaml (59%) create mode 100644 kasten/kasten-immutable-location-profile/artifacthub-pkg.yml create mode 100644 kasten/kasten-immutable-location-profile/kasten-immutable-location-profile.yaml diff --git a/kasten/k10-immutable-location-profile/.kyverno-test/immutable-location-profile.yaml b/kasten/k10-immutable-location-profile/.kyverno-test/immutable-location-profile.yaml deleted file mode 100644 index 642281873..000000000 --- a/kasten/k10-immutable-location-profile/.kyverno-test/immutable-location-profile.yaml +++ /dev/null 
@@ -1,367 +0,0 @@ -# Standard Kubernetes API Version declaration. Required. -apiVersion: config.kio.kasten.io/v1alpha1 -# Standard Kubernetes Kind declaration. Required. -kind: Profile -# Standard Kubernetes metadata. Required. -metadata: - # Profile name. May be any valid Kubernetes object name. Required. - # Profile name is not mutable once created. - name: sample-location-profile - # Profile namespace. Required. Must be namespace where K10 is installed - namespace: kasten-io -# Profile parameters. Required. -spec: - # Type of Profile. Required - # Valid values are Location, Kanister, Infra - type: Location - - # Only one of the profile type sections can be specified - # NOTE: camelCasing of the key is important - locationSpec: - # Credentials associated with profile location. Required. - credential: - # Type of secret being specified. Required. - # Valid values are: - # # AwsAccessKey (Amazon S3 and Generic S3) - # # GcpServiceAccountKey (Google Cloud Storage) - # # AzStorageAccount (Azure Storage) - # # VBRKey (Veeam Backup & Replication Storage) - secretType: AwsAccessKey - # Reference to K8s secret with credentials of secretType. Required. - secret: - # Standard Kubernetes API Version. Must be 'v1'. Required. - apiVersion: v1 - # Standard Kubernetes Kind declaration. Must be 'secret'. Required. - kind: secret - # Secret name. May be any valid Kubernetes secret name. Required. - name: sample-profile-secret - # Secret namespace. Must be K10 installed namespace . Required. - namespace: kasten-io - # Location for profile data. Required. - location: - # Type of location being specified. Required. - # Valid values are ObjectStore, FileStore, VBR - locationType: ObjectStore - # When the type above is ObjectStore. Required. - # Only one of the location type sections can be specified - objectStore: - # Type of object store. 
Required - # Valid values are: - # # S3 (Amazon S3 and Generic S3) - # # GCS (Google Cloud Storage) - # # Azure (Azure Storage) - objectStoreType: S3 - # The endpoint for object store API. Optional. - # Can be omitted unless an S3 compatible provider is used. - endpoint: '' - # If set to true, do not verify SSL cert. Optional. - # Default, when omitted, is false - skipSSLVerify: false - # Name of the object store bucket. Required - name: gmm-test - # Region valid for the object store provider. - # Required, if supported by provider. - # If provider does not support region, pass "" - region: us-east-2 - # Path within bucket for profile artifacts. Optional. - # If not used, it will be generated by the system and - # updated during delayed initialization and validation. - # If used, it requires pathType below as well. - path: k10/q4ees3b2zilluaxw/migration - # Type of the path within the bucket above. Optional. - # Defaults to Directory if not specified. - pathType: Directory - # The protection period for immutable backups. Optional. - # Must be shorter than the bucket default retention - # period minus 20 days. - protectionPeriod: 2H - # When the type above is FileStore. Required. - # Only one of the location type sections can be specified - fileStore: - # Name of the Persistent Volume Claim. Required. - claimName: test-pvc - # Path within the PVC mount for profile artifacts. Optional. - # If not used, it will be generated by the system and - # updated during delayed initialization and validation. - path: k10/q4ees3b2zilluaxw/migration - # When the type above is VBR. Required. - # Only one of the location type sections can be specified - vbr: - # Address of the Veeam backup server. Required. - serverAddress: vbr-server - # VBR server RESTful API port number. Optional. - # Defaults to 9419 if not specified. - serverPort: 9419 - # Name of the target Veeam cloud repository for backup files. Required. 
- repoName: k10-repo - # Identifier of the target Veeam cloud repository for backup files. Optional. - # Reserved field for internal use. Once the profile is created, - # this field will contain the ID of the repository specified in the repoName field. - repoId: 123e4567-e89b-12d3-a456-426614174000 - # If set to true, do not verify SSL cert. Optional. - # Default, when omitted, is false. - skipSSLVerify: false - # Optional: Make export to this profile infra-portable. - # Default: false - infraPortable: false - - # When type above is Kanister - Kanister profile. Required. - # Only one of the profile type sections can be specified - # K10 currently only uses the oldest valid Kanister profile - # NOTE: camelCasing of the key is important - kanister: - # Credentials associated with profile location. Required. - credential: - # same content as credential in location above - # Location for profile data. Required. - location: - # same content as location in location above - - # When type above is Infra - Infrastructure profile. Required. - # Only one of the following profile type sections can be specified - # NOTE: camelCasing of the key is important - infra: - # type of Infrastructure profile. Required - # Valid values are OpenStack, Ceph, Portworx, VSphere, or GCP - type: OpenStack - # When type of this Infra profile above is OpenStack. Required. - # Only one of the following infra profiles can be specified - # NOTE: camelCasing of the key is important - openStack: - # Endpoint for the Keystone auth provider. Required - keystoneEndpoint: https://my-keystone-ip:1234 - - # When type of this Infra profile above is OpenStack. Required. - # Only one of the following infra profiles can be specified - # NOTE: camelCasing of the key is important - ceph: - # Endpoint for the Ceph monitor to be used. Required. - monitor: 10.0.0.10:6789 - # Name of the Ceph pool associated with this profile. Required. - pool: my-ceph-pool - portworx: - # The namespace of the Portworx service. 
- namespace: kube-system - # The name of the Portworx service. - serviceName: portworx-service - vsphere: - # The vSphere endpoint - serverAddress: vsphere.server.com - # Enable vSphere snapshot tagging - taggingEnabled: true - # The Category Name, automatically set when tagging is enabled. - categoryName: exampleCategory - # Credentials associated with the infrastructure provider. Required. - credential: - # Type of secret being specified. Required. - # Valid values are: - # # OpenStackAccount (OpenStack storage provider) - # # CephKeyring (Ceph storage provider) - # # PortworxKey (Portworx storage provider) - # # VSphereKey (vSphere storage provider) - # # GcpServiceAccountKey (GCP/GCS storage provider) - secretType: OpenStackAccount - # Reference to K8s secret with credentials of secretType. Required. - secret: - # Same format as above - # ##################### -# Status of the Profile. Users should not set any data here. -status: - # Validation status of the Profile - # Valid values are: - # # Pending - profile has been created - # # Running - undergoing initialization and validation - # # Success - successfully initialized and validated - # # Failed - not properly initialized on validated - # Only profiles which have status of Success should be used - validation: Success - # An array of any validation or initialization errors encountered. - error: null - # Hash of the spec portion of the profile. - # Used internally to determine when successfully validated profiles - # need to be reprocessed. - hash: 3369880242 ---- -# Standard Kubernetes API Version declaration. Required. -apiVersion: config.kio.kasten.io/v1alpha1 -# Standard Kubernetes Kind declaration. Required. -kind: Profile -# Standard Kubernetes metadata. Required. -metadata: - # Profile name. May be any valid Kubernetes object name. Required. - # Profile name is not mutable once created. - name: sample-location-profile-invalid - # Profile namespace. Required. 
Must be namespace where K10 is installed - namespace: kasten-io -# Profile parameters. Required. -spec: - # Type of Profile. Required - # Valid values are Location, Kanister, Infra - type: Location - - # Only one of the profile type sections can be specified - # NOTE: camelCasing of the key is important - locationSpec: - # Credentials associated with profile location. Required. - credential: - # Type of secret being specified. Required. - # Valid values are: - # # AwsAccessKey (Amazon S3 and Generic S3) - # # GcpServiceAccountKey (Google Cloud Storage) - # # AzStorageAccount (Azure Storage) - # # VBRKey (Veeam Backup & Replication Storage) - secretType: AwsAccessKey - # Reference to K8s secret with credentials of secretType. Required. - secret: - # Standard Kubernetes API Version. Must be 'v1'. Required. - apiVersion: v1 - # Standard Kubernetes Kind declaration. Must be 'secret'. Required. - kind: secret - # Secret name. May be any valid Kubernetes secret name. Required. - name: sample-profile-secret - # Secret namespace. Must be K10 installed namespace . Required. - namespace: kasten-io - # Location for profile data. Required. - location: - # Type of location being specified. Required. - # Valid values are ObjectStore, FileStore, VBR - locationType: ObjectStore - # When the type above is ObjectStore. Required. - # Only one of the location type sections can be specified - objectStore: - # Type of object store. Required - # Valid values are: - # # S3 (Amazon S3 and Generic S3) - # # GCS (Google Cloud Storage) - # # Azure (Azure Storage) - objectStoreType: S3 - # The endpoint for object store API. Optional. - # Can be omitted unless an S3 compatible provider is used. - endpoint: '' - # If set to true, do not verify SSL cert. Optional. - # Default, when omitted, is false - skipSSLVerify: false - # Name of the object store bucket. Required - name: gmm-test - # Region valid for the object store provider. - # Required, if supported by provider. 
- # If provider does not support region, pass "" - region: us-east-2 - # Path within bucket for profile artifacts. Optional. - # If not used, it will be generated by the system and - # updated during delayed initialization and validation. - # If used, it requires pathType below as well. - path: k10/q4ees3b2zilluaxw/migration - # Type of the path within the bucket above. Optional. - # Defaults to Directory if not specified. - pathType: Directory - # The protection period for immutable backups. Optional. - # Must be shorter than the bucket default retention - # period minus 20 days. - #protectionPeriod: 2H - # When the type above is FileStore. Required. - # Only one of the location type sections can be specified - fileStore: - # Name of the Persistent Volume Claim. Required. - claimName: test-pvc - # Path within the PVC mount for profile artifacts. Optional. - # If not used, it will be generated by the system and - # updated during delayed initialization and validation. - path: k10/q4ees3b2zilluaxw/migration - # When the type above is VBR. Required. - # Only one of the location type sections can be specified - vbr: - # Address of the Veeam backup server. Required. - serverAddress: vbr-server - # VBR server RESTful API port number. Optional. - # Defaults to 9419 if not specified. - serverPort: 9419 - # Name of the target Veeam cloud repository for backup files. Required. - repoName: k10-repo - # Identifier of the target Veeam cloud repository for backup files. Optional. - # Reserved field for internal use. Once the profile is created, - # this field will contain the ID of the repository specified in the repoName field. - repoId: 123e4567-e89b-12d3-a456-426614174000 - # If set to true, do not verify SSL cert. Optional. - # Default, when omitted, is false. - skipSSLVerify: false - # Optional: Make export to this profile infra-portable. - # Default: false - infraPortable: false - - # When type above is Kanister - Kanister profile. Required. 
- # Only one of the profile type sections can be specified - # K10 currently only uses the oldest valid Kanister profile - # NOTE: camelCasing of the key is important - kanister: - # Credentials associated with profile location. Required. - credential: - # same content as credential in location above - # Location for profile data. Required. - location: - # same content as location in location above - - # When type above is Infra - Infrastructure profile. Required. - # Only one of the following profile type sections can be specified - # NOTE: camelCasing of the key is important - infra: - # type of Infrastructure profile. Required - # Valid values are OpenStack, Ceph, Portworx, VSphere, or GCP - type: OpenStack - # When type of this Infra profile above is OpenStack. Required. - # Only one of the following infra profiles can be specified - # NOTE: camelCasing of the key is important - openStack: - # Endpoint for the Keystone auth provider. Required - keystoneEndpoint: https://my-keystone-ip:1234 - - # When type of this Infra profile above is OpenStack. Required. - # Only one of the following infra profiles can be specified - # NOTE: camelCasing of the key is important - ceph: - # Endpoint for the Ceph monitor to be used. Required. - monitor: 10.0.0.10:6789 - # Name of the Ceph pool associated with this profile. Required. - pool: my-ceph-pool - portworx: - # The namespace of the Portworx service. - namespace: kube-system - # The name of the Portworx service. - serviceName: portworx-service - vsphere: - # The vSphere endpoint - serverAddress: vsphere.server.com - # Enable vSphere snapshot tagging - taggingEnabled: true - # The Category Name, automatically set when tagging is enabled. - categoryName: exampleCategory - # Credentials associated with the infrastructure provider. Required. - credential: - # Type of secret being specified. Required. 
- # Valid values are: - # # OpenStackAccount (OpenStack storage provider) - # # CephKeyring (Ceph storage provider) - # # PortworxKey (Portworx storage provider) - # # VSphereKey (vSphere storage provider) - # # GcpServiceAccountKey (GCP/GCS storage provider) - secretType: OpenStackAccount - # Reference to K8s secret with credentials of secretType. Required. - secret: - # Same format as above - # ##################### -# Status of the Profile. Users should not set any data here. -status: - # Validation status of the Profile - # Valid values are: - # # Pending - profile has been created - # # Running - undergoing initialization and validation - # # Success - successfully initialized and validated - # # Failed - not properly initialized on validated - # Only profiles which have status of Success should be used - validation: Success - # An array of any validation or initialization errors encountered. - error: null - # Hash of the spec portion of the profile. - # Used internally to determine when successfully validated profiles - # need to be reprocessed. - hash: 3369880242 \ No newline at end of file diff --git a/kasten/k10-immutable-location-profile/artifacthub-pkg.yml b/kasten/k10-immutable-location-profile/artifacthub-pkg.yml deleted file mode 100644 index 03e24efee..000000000 --- a/kasten/k10-immutable-location-profile/artifacthub-pkg.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -name: k10-immutable-location-profile -version: 1.0.0 -displayName: Check Immutable Location Profile -createdAt: "2023-04-10T20:12:53.000Z" -description: >- - K10 Object Storage Location Profiles store K10 RestorePoints (App Backups) for import and export operations. AWS S3 or S3 compatible object storage that supports object lock can store immutable backups. Immutability is typically not enabled by default due to the increased costs of retaining storage. This policy checks that the Profile contains a 'protectionPeriod' which is the main configuration for immutability. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/k10-immutable-location-profile/k10-immutable-location-profile.yaml - ``` -keywords: - - kyverno - - Kasten K10 by Veeam -readme: | - K10 Object Storage Location Profiles store K10 RestorePoints (App Backups) for import and export operations. AWS S3 or S3 compatible object storage that supports object lock can store immutable backups. Immutability is typically not enabled by default due to the increased costs of retaining storage. This policy checks that the Profile contains a 'protectionPeriod' which is the main configuration for immutability. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Kasten K10 by Veeam" - kyverno/kubernetesVersion: "1.21-1.22" - kyverno/subject: "Profile" -digest: f76aedc9c9e5b48c5148aad39e28a73cfe5cab2a378c9046be1ca1e3b4592ba2 diff --git a/kasten/k10-immutable-location-profile/k10-immutable-location-profile.yaml b/kasten/k10-immutable-location-profile/k10-immutable-location-profile.yaml deleted file mode 100644 index e3c027980..000000000 --- a/kasten/k10-immutable-location-profile/k10-immutable-location-profile.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: k10-immutable-location-profile - annotations: - policies.kyverno.io/title: Check Immutable Location Profile - policies.kyverno.io/category: Kasten K10 by Veeam - kyverno.io/kyverno-version: 1.6.2 - policies.kyverno.io/minversion: 1.6.2 - kyverno.io/kubernetes-version: "1.21-1.22" - policies.kyverno.io/subject: Profile - policies.kyverno.io/description: >- - K10 Object Storage Location Profiles store K10 RestorePoints (App Backups) for import and export operations. - AWS S3 or S3 compatible object storage that supports object lock can store immutable backups. - Immutability is typically not enabled by default due to the increased costs of retaining storage. - This policy checks that the Profile contains a 'protectionPeriod' which is the main configuration for immutability. -spec: - validationFailureAction: audit - rules: - - name: k10-immutable-location-profile - match: - any: - - resources: - kinds: - - config.kio.kasten.io/v1alpha1/Profile - validate: - message: "Location Profile is not immutable (err: did not configure 'protectionPeriod')" - pattern: - spec: - type: Location - locationSpec: - location: - locationType: ObjectStore - objectStore: - protectionPeriod: "?*" # any value determines immutability is enabled diff --git a/kasten/kasten-immutable-location-profile/.kyverno-test/immutable-location-profile.yaml b/kasten/kasten-immutable-location-profile/.kyverno-test/immutable-location-profile.yaml new file mode 100644 index 000000000..580281ec6 --- /dev/null +++ b/kasten/kasten-immutable-location-profile/.kyverno-test/immutable-location-profile.yaml 
@@ -0,0 +1,44 @@
+kind: Profile
+apiVersion: config.kio.kasten.io/v1alpha1
+metadata:
+ name: sample-location-profile
+spec:
+ locationSpec:
+ type: ObjectStore
+ objectStore:
+ name: k10demo-immutable
+ objectStoreType: S3
+ path: k10/xxxxxxxxxxxxxxxxxxxxxx/migration
+ pathType: Directory
+ protectionPeriod: 72h0m0s
+ region: us-east-1
+ credential:
+ secretType: AwsAccessKey
+ secret:
+ apiVersion: v1
+ kind: secret
+ name: k10secret-abcde
+ namespace: kasten-io
+ type: Location
+---
+kind: Profile
+apiVersion: config.kio.kasten.io/v1alpha1
+metadata:
+ name: sample-location-profile-invalid
+spec:
+ locationSpec:
+ type: ObjectStore
+ objectStore:
+ name: k10demo-immutable
+ objectStoreType: S3
+ path: k10/xxxxxxxxxxxxxxxxxxxxxx/migration
+ pathType: Directory
+ region: us-east-1
+ credential:
+ secretType: AwsAccessKey
+ secret:
+ apiVersion: v1
+ kind: secret
+ name: k10secret-abcde
+ namespace: kasten-io
+ type: Location
\ No newline at end of file
diff --git a/kasten/k10-immutable-location-profile/.kyverno-test/kyverno-test.yaml b/kasten/kasten-immutable-location-profile/.kyverno-test/kyverno-test.yaml
similarity index 59%
rename from kasten/k10-immutable-location-profile/.kyverno-test/kyverno-test.yaml
rename to kasten/kasten-immutable-location-profile/.kyverno-test/kyverno-test.yaml
index 727282086..7be5a1240 100644
--- a/kasten/k10-immutable-location-profile/.kyverno-test/kyverno-test.yaml
+++ b/kasten/kasten-immutable-location-profile/.kyverno-test/kyverno-test.yaml
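Review bot: Both fixtures are `locationSpec.type: ObjectStore` profiles that differ only in whether `objectStore.protectionPeriod` is present, so the test never pins the two cases where the policy's pattern matching is least obvious: a profile with `protectionPeriod: ""` (present but empty) and a Location profile of another type (`FileStore` or `VBR`) that carries no `objectStore` block at all. Adding one fixture for each, with the intended `pass`/`fail` recorded in kyverno-test.yaml, would document whether those profiles are meant to be reported as non-immutable. The secret reference `k10secret-abcde` is clearly a placeholder, which is fine for a CLI fixture, but a comment saying so would stop someone "fixing" it.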
@@ -3,19 +3,19 @@ kind: Test metadata: name: kyverno_data_protection_tests policies: -- ../k10-immutable-location-profile.yaml +- ../kasten-immutable-location-profile.yaml resources: - immutable-location-profile.yaml results: - kind: Profile - policy: k10-immutable-location-profile + policy: kasten-immutable-location-profile resources: - sample-location-profile-invalid result: fail - rule: k10-immutable-location-profile + rule: kasten-immutable-location-profile - kind: Profile - policy: k10-immutable-location-profile + policy: kasten-immutable-location-profile resources: - sample-location-profile result: pass - rule: k10-immutable-location-profile + rule: kasten-immutable-location-profile diff --git a/kasten/kasten-immutable-location-profile/artifacthub-pkg.yml b/kasten/kasten-immutable-location-profile/artifacthub-pkg.yml new file mode 100644 index 000000000..2f2e0cff9 --- /dev/null +++ b/kasten/kasten-immutable-location-profile/artifacthub-pkg.yml 
@@ -0,0 +1,25 @@ +name: kasten-immutable-location-profile +version: 1.0.1 +displayName: Check Kasten Location Profile is Immutable +createdAt: "2023-05-07T00:00:00.000Z" +description: >- + Veeam Kasten supports backup of Kubernetes applications to repositories, called Location Profiles, with immutability enabled. This can prevent inadvertent or malicious deletion of backup data. This policy validates that immutability is enabled on Location Profiles. + + Refer to Kasten documentation for details on supported platforms and enabling immutability: https://docs.kasten.io +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/kasten-immutable-location-profile/kasten-immutable-location-profile.yaml + ``` +keywords: + - kyverno + - Veeam Kasten +readme: | + Veeam Kasten supports backup of Kubernetes applications to repositories, called Location Profiles, with immutability enabled. This can prevent inadvertent or malicious deletion of backup data. This policy validates that immutability is enabled on Location Profiles. + + Refer to Kasten documentation for details on supported platforms and enabling immutability: https://docs.kasten.io + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Veeam Kasten" + kyverno/kubernetesVersion: "1.25-1.30" + kyverno/subject: "Profile" +digest: ce791f8a79f4ea61d34c8531b96bad640dd09b5b3d7958a3e0f67886c771a0a8 diff --git a/kasten/kasten-immutable-location-profile/kasten-immutable-location-profile.yaml b/kasten/kasten-immutable-location-profile/kasten-immutable-location-profile.yaml new file mode 100644 index 000000000..fb327553a --- /dev/null +++ b/kasten/kasten-immutable-location-profile/kasten-immutable-location-profile.yaml 
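Review bot: `createdAt: "2023-05-07T00:00:00.000Z"` is a year before this commit (15 May 2024) and only a month after the `2023-04-10` stamp of the package it replaces, which looks like a typo for `2024-05-07`; Artifact Hub shows this field as the release date of version 1.0.1, so it is worth correcting. The `digest` value presumably has to be regenerated whenever the policy body changes (as it will if the pattern is revised), unless the repository's tooling does that automatically.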
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: kasten-immutable-location-profile
+ annotations:
+ policies.kyverno.io/title: Check Kasten Location Profile is Immutable
+ policies.kyverno.io/category: Veeam Kasten
+ policies.kyverno.io/subject: config.kio.kasten.io/v1alpha1/Profile
+ kyverno.io/kyverno-version: 1.12.1
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.25-1.30"
+ policies.kyverno.io/description: >-
+ Ensure Kasten Location Profiles have enabled immutability to prevent unintentional or malicious changes to backup data.
+spec:
+ validationFailureAction: Audit
+ rules:
+ - name: kasten-immutable-location-profile
+ match:
+ resources:
+ kinds:
+ - Profile
+ validate:
+ message: >-
+ All Kasten Location Profiles must have immutability enabled.
+ pattern:
+ spec:
+ (type): Location
+ locationSpec:
+ objectStore:
+ protectionPeriod: "*"
\ No newline at end of file
From 783aea33d600a2d6db39b4d4116098b2607fec3b Mon Sep 17 00:00:00 2001 From: Matt Bator Date: Wed, 15 May 2024 10:51:53 -0700 Subject: [PATCH 39/42] Updating Kasten 3-2-1 backup policy (#993) * Updating Kasten 3-2-1 backup clusterpolicy Signed-off-by: Matt Bator * Updating Kasten 3-2-1 backup policy Chainsaw test Signed-off-by: Matt Bator * Update chainsaw-step-01-assert-1.yaml Signed-off-by: Matt Bator ---------
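Review bot: `protectionPeriod: "*"` accepts an empty value, because a Kyverno pattern `*` matches zero or more characters, so a Profile carrying `protectionPeriod: ""` would be reported as immutable; the rule this replaces used `"?*"` (at least one character) with the comment "any value determines immutability is enabled", and that should be kept. The pattern also no longer anchors on the location type: in the new schema (see the fixture, `locationSpec.type: ObjectStore`) `objectStore` sits under `locationSpec`, so a `FileStore` or `VBR` Location profile, which has no `objectStore` block, will always fail this rule — if only object-store profiles are in scope, add a `(type): ObjectStore` anchor under `locationSpec`; if every location type must be immutable, the message and pattern need to state how that is satisfied for the other types. Finally, `kinds: [Profile]` is unqualified where the old rule matched `config.kio.kasten.io/v1alpha1/Profile`, and `match.resources` is the legacy form; `match.any` with the qualified kind avoids evaluating unrelated `Profile` CRDs from other API groups (today they are skipped only as a side effect of the `(type): Location` anchor). The rewritten rule below assumes the object-store-only intent.

```yaml
# … unchanged: apiVersion, kind, metadata/annotations, spec.validationFailureAction …
  rules:
    - name: kasten-immutable-location-profile
      match:
        any:
        - resources:
            kinds:
              - config.kio.kasten.io/v1alpha1/Profile
      validate:
        message: >-
          All Kasten Location Profiles must have immutability enabled.
        pattern:
          spec:
            (type): Location
            locationSpec:
              (type): ObjectStore
              objectStore:
                protectionPeriod: "?*"
```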
Signed-off-by: Matt Bator Co-authored-by: Jim Bugwadia --- kasten/k10-3-2-1-backup/artifacthub-pkg.yml | 22 ---------- kasten/k10-3-2-1-backup/k10-3-2-1-backup.yaml | 36 ----------------- .../chainsaw-step-01-assert-1.yaml | 2 +- .../chainsaw-step-01-assert-2.yaml | 0 .../.chainsaw-test/chainsaw-test.yaml | 6 +-- .../.chainsaw-test/k10-bad-policy.yaml | 0 .../.chainsaw-test/k10-good-policy.yaml | 0 .../.kyverno-test/kasten-backup-policy.yaml} | 0 .../.kyverno-test/kyverno-test.yaml | 12 +++--- .../kasten-3-2-1-backup/artifacthub-pkg.yml | 26 ++++++++++++ .../kasten-3-2-1-backup.yaml | 40 +++++++++++++++++++ 11 files changed, 76 insertions(+), 68 deletions(-) delete mode 100644 kasten/k10-3-2-1-backup/artifacthub-pkg.yml delete mode 100644 kasten/k10-3-2-1-backup/k10-3-2-1-backup.yaml rename kasten/{k10-3-2-1-backup => kasten-3-2-1-backup}/.chainsaw-test/chainsaw-step-01-assert-1.yaml (69%) rename kasten/{k10-3-2-1-backup => kasten-3-2-1-backup}/.chainsaw-test/chainsaw-step-01-assert-2.yaml (100%) rename kasten/{k10-3-2-1-backup => kasten-3-2-1-backup}/.chainsaw-test/chainsaw-test.yaml (86%) rename kasten/{k10-3-2-1-backup => kasten-3-2-1-backup}/.chainsaw-test/k10-bad-policy.yaml (100%) rename kasten/{k10-3-2-1-backup => kasten-3-2-1-backup}/.chainsaw-test/k10-good-policy.yaml (100%) rename kasten/{k10-3-2-1-backup/.kyverno-test/k10-backup-policy.yaml => kasten-3-2-1-backup/.kyverno-test/kasten-backup-policy.yaml} (100%) rename kasten/{k10-3-2-1-backup => kasten-3-2-1-backup}/.kyverno-test/kyverno-test.yaml (58%) create mode 100644 kasten/kasten-3-2-1-backup/artifacthub-pkg.yml create mode 100644 kasten/kasten-3-2-1-backup/kasten-3-2-1-backup.yaml diff --git a/kasten/k10-3-2-1-backup/artifacthub-pkg.yml b/kasten/k10-3-2-1-backup/artifacthub-pkg.yml deleted file mode 100644 index 10aa0c9b9..000000000 --- a/kasten/k10-3-2-1-backup/artifacthub-pkg.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -name: k10-3-2-1-backup -version: 1.0.0 -displayName: Check 3-2-1 Backup Policy -createdAt: "2023-04-10T20:12:53.000Z" -description: >- - The rule of 3-2-1 recommends that you have at least 3 copies of data, on 2 different storage targets, and 1 being offsite. 3-2-1 ensures a health mix of redundancy options for data recovery of the application for localized & multi-region cloud failures or compromise. In K8s/K10, this translates to the original StatefulSet (the original PersistentVolumeClaim), a backup (a snapshot of the PVC on prod storage), and an export to cloud object storage (a secondary cloud copy of the PVC snapshot). -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/k10-3-2-1-backup/k10-3-2-1-backup.yaml - ``` -keywords: - - kyverno - - Kasten K10 by Veeam -readme: | - The rule of 3-2-1 recommends that you have at least 3 copies of data, on 2 different storage targets, and 1 being offsite. 3-2-1 ensures a health mix of redundancy options for data recovery of the application for localized & multi-region cloud failures or compromise. In K8s/K10, this translates to the original StatefulSet (the original PersistentVolumeClaim), a backup (a snapshot of the PVC on prod storage), and an export to cloud object storage (a secondary cloud copy of the PVC snapshot). - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Kasten K10 by Veeam" - kyverno/kubernetesVersion: "1.21-1.22" - kyverno/subject: "Policy" -digest: 59ba16d449fd7ea59307d5609bd3300058a85a1d388df4ddbe8220e66edcb86a diff --git a/kasten/k10-3-2-1-backup/k10-3-2-1-backup.yaml b/kasten/k10-3-2-1-backup/k10-3-2-1-backup.yaml deleted file mode 100644 index 3166e9bfe..000000000 --- a/kasten/k10-3-2-1-backup/k10-3-2-1-backup.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: k10-3-2-1-backup-policy - annotations: - policies.kyverno.io/title: Check 3-2-1 Backup Policy - policies.kyverno.io/category: Kasten K10 by Veeam - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.6.2 - policies.kyverno.io/minversion: 1.6.2 - kyverno.io/kubernetes-version: "1.21-1.22" - policies.kyverno.io/subject: Policy - policies.kyverno.io/description: >- - The rule of 3-2-1 recommends that you have at least 3 copies of data, on 2 different storage targets, and 1 being offsite. - 3-2-1 ensures a health mix of redundancy options for data recovery of the application for localized & multi-region cloud failures or compromise. - In K8s/K10, this translates to the original StatefulSet (the original PersistentVolumeClaim), a backup (a snapshot of the PVC on prod storage), - and an export to cloud object storage (a secondary cloud copy of the PVC snapshot). -spec: - validationFailureAction: audit - rules: - - name: k10-3-2-1-backup-policy - match: - any: - - resources: - kinds: - - config.kio.kasten.io/v1alpha1/Policy - validate: - message: "The rule of 3-2-1 recommends you have 'action: backup' followed by an 'action: export' defined in the backup Policy." - deny: - conditions: - all: - - key: - - backup - - export - operator: AllNotIn - value: "{{ request.object.spec.actions[].action }}" diff --git a/kasten/k10-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-1.yaml similarity index 69% rename from kasten/k10-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 6a2d17d12..5f75f24ec 100755 --- a/kasten/k10-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
@@ -1,6 +1,6 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: k10-3-2-1-backup-policy + name: kasten-3-2-1-backup-policy status: ready: true diff --git a/kasten/k10-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-2.yaml similarity index 100% rename from kasten/k10-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-2.yaml rename to kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-2.yaml diff --git a/kasten/k10-3-2-1-backup/.chainsaw-test/chainsaw-test.yaml b/kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-test.yaml similarity index 86% rename from kasten/k10-3-2-1-backup/.chainsaw-test/chainsaw-test.yaml rename to kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-test.yaml index 0cd111c56..3e4059a14 100755 --- a/kasten/k10-3-2-1-backup/.chainsaw-test/chainsaw-test.yaml +++ b/kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-test.yaml @@ -3,19 +3,19 @@ apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: creationTimestamp: null - name: k10-3-2-1-backup + name: kasten-3-2-1-backup spec: steps: - name: step-01 try: - apply: - file: ../k10-3-2-1-backup.yaml + file: ../kasten-3-2-1-backup.yaml - patch: resource: apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: k10-3-2-1-backup-policy + name: kasten-3-2-1-backup-policy spec: validationFailureAction: Enforce - assert: diff --git a/kasten/k10-3-2-1-backup/.chainsaw-test/k10-bad-policy.yaml b/kasten/kasten-3-2-1-backup/.chainsaw-test/k10-bad-policy.yaml similarity index 100% rename from kasten/k10-3-2-1-backup/.chainsaw-test/k10-bad-policy.yaml rename to kasten/kasten-3-2-1-backup/.chainsaw-test/k10-bad-policy.yaml 
diff --git a/kasten/k10-3-2-1-backup/.chainsaw-test/k10-good-policy.yaml b/kasten/kasten-3-2-1-backup/.chainsaw-test/k10-good-policy.yaml similarity index 100% rename from kasten/k10-3-2-1-backup/.chainsaw-test/k10-good-policy.yaml rename to kasten/kasten-3-2-1-backup/.chainsaw-test/k10-good-policy.yaml diff --git a/kasten/k10-3-2-1-backup/.kyverno-test/k10-backup-policy.yaml b/kasten/kasten-3-2-1-backup/.kyverno-test/kasten-backup-policy.yaml similarity index 100% rename from kasten/k10-3-2-1-backup/.kyverno-test/k10-backup-policy.yaml rename to kasten/kasten-3-2-1-backup/.kyverno-test/kasten-backup-policy.yaml diff --git a/kasten/k10-3-2-1-backup/.kyverno-test/kyverno-test.yaml b/kasten/kasten-3-2-1-backup/.kyverno-test/kyverno-test.yaml similarity index 58% rename from kasten/k10-3-2-1-backup/.kyverno-test/kyverno-test.yaml rename to kasten/kasten-3-2-1-backup/.kyverno-test/kyverno-test.yaml index 4afc6e8cf..65fdb0a26 100644 --- a/kasten/k10-3-2-1-backup/.kyverno-test/kyverno-test.yaml +++ b/kasten/kasten-3-2-1-backup/.kyverno-test/kyverno-test.yaml @@ -3,19 +3,19 @@ kind: Test metadata: name: kyverno_data_protection_tests policies: -- ../k10-3-2-1-backup.yaml +- ../kasten-3-2-1-backup.yaml resources: -- k10-backup-policy.yaml +- kasten-backup-policy.yaml results: - kind: Policy - policy: k10-3-2-1-backup-policy + policy: kasten-3-2-1-backup-policy resources: - sample-custom-backup-policy-invalid result: fail - rule: k10-3-2-1-backup-policy + rule: kasten-3-2-1-backup-policy - kind: Policy - policy: k10-3-2-1-backup-policy + policy: kasten-3-2-1-backup-policy resources: - sample-custom-backup-policy result: pass - rule: k10-3-2-1-backup-policy + rule: kasten-3-2-1-backup-policy diff --git a/kasten/kasten-3-2-1-backup/artifacthub-pkg.yml b/kasten/kasten-3-2-1-backup/artifacthub-pkg.yml new file mode 100644 index 000000000..8306e860d --- /dev/null +++ b/kasten/kasten-3-2-1-backup/artifacthub-pkg.yml 
@@ -0,0 +1,26 @@ +name: kasten-3-2-1-backup +version: 1.0.1 +displayName: Check Kasten 3-2-1 Backup Policy +createdAt: "2023-05-07T00:00:00.000Z" +description: >- + The 3-2-1 rule of data protection recommends that you have at least 3 copies of data, on 2 different storage targets, with 1 being offsite. This approach ensures a health mix of redundancy options for data recovery of the application for localized & multi-region cloud failures or compromise. In Kubernetes, this translates to the original running resources, a local snapshot, and a copy of all application resources and volume data exported to an external repository. + + This policy accomplishes 3-2-1 validation by ensuring each policy contains both 'action: backup' and 'action: export'. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/kasten-3-2-1-backup/kasten-3-2-1-backup.yaml + ``` +keywords: + - kyverno + - Veeam Kasten +readme: | + The 3-2-1 rule of data protection recommends that you have at least 3 copies of data, on 2 different storage targets, with 1 being offsite. This approach ensures a health mix of redundancy options for data recovery of the application for localized & multi-region cloud failures or compromise. In Kubernetes, this translates to the original running resources, a local snapshot, and a copy of all application resources and volume data exported to an external repository. + + This policy accomplishes 3-2-1 validation by ensuring each policy contains both 'action: backup' and 'action: export'. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Veeam Kasten" + kyverno/kubernetesVersion: "1.24-1.30" + kyverno/subject: "Policy" +digest: 45c8d345b2188ec47fe8b38a417726b7eae951edf18d770abdb602faec7d30a4 
diff --git a/kasten/kasten-3-2-1-backup/kasten-3-2-1-backup.yaml b/kasten/kasten-3-2-1-backup/kasten-3-2-1-backup.yaml new file mode 100644 index 000000000..e898dd10d --- /dev/null +++ b/kasten/kasten-3-2-1-backup/kasten-3-2-1-backup.yaml @@ -0,0 +1,40 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: kasten-3-2-1-backup-policy + annotations: + policies.kyverno.io/title: Check Kasten 3-2-1 Backup Policy + policies.kyverno.io/category: Veeam Kasten + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.12.1 + policies.kyverno.io/minversion: 1.12.0 + kyverno.io/kubernetes-version: "1.24-1.30" + policies.kyverno.io/subject: Policy + policies.kyverno.io/description: >- + The 3-2-1 rule of data protection recommends that you have at least 3 copies of data, on 2 different storage targets, with 1 being offsite. This approach ensures a health mix of redundancy options for data recovery of the application for localized & multi-region cloud failures or compromise. In Kubernetes, this translates to the original running resources, a local snapshot, and a copy of all application resources and volume data exported to an external repository. + + This policy accomplishes 3-2-1 validation by ensuring each policy contains both 'action: backup' and 'action: export'. +spec: + validationFailureAction: Audit + rules: + - name: kasten-3-2-1-backup-policy + match: + any: + - resources: + kinds: + - config.kio.kasten.io/v1alpha1/Policy + exclude: + any: + - resources: + operations: + - DELETE + validate: + message: "The Kasten 3-2-1 policy requires both 'action: backup' and 'action: export' be defined in the Policy." + deny: + conditions: + all: + - key: + - backup + - export + operator: AnyNotIn + value: "{{ request.object.spec.actions[].action }}" From e2d46733859e24b656ccdeaabe8bdb36bffbc159 Mon Sep 17 00:00:00 2001 
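Review bot: The deny condition's `value: "{{ request.object.spec.actions[].action }}"` has nothing to resolve when an admitted Policy carries no `spec.actions`, so such an object would likely surface as an unresolved-variable rule error rather than the intended deny message; if that is how the target Kyverno version behaves (inferred, not verified here), a JMESPath default such as ``value: "{{ request.object.spec.actions[].action || `[]` }}"`` makes the empty case reach the `AnyNotIn` check and emit the documented message. The move from `AllNotIn` to `AnyNotIn` is the right correction: the old operator only denied when both actions were missing, whereas the message requires both to be present. Separately, the description annotation reads "ensures a health mix of redundancy options" where `healthy mix` is intended; the same sentence appears twice in the new artifacthub-pkg.yml hunk above (description and readme) and should be fixed there as well.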
From: Matt Bator Date: Wed, 15 May 2024 10:52:37 -0700 Subject: [PATCH 40/42] Update Kasten generate policy by preset label ClusterPolicy (#1002) * Update generate-policy-by-preset-label ClusterPolicy Signed-off-by: Matt Bator * Update chainsaw test resource naming Signed-off-by: Matt Bator --------- 
Signed-off-by: Matt Bator Co-authored-by: Jim Bugwadia --- .../artifacthub-pkg.yml | 22 ----------- .../chainsaw-step-01-apply-1.yaml | 0 .../chainsaw-step-01-assert-1.yaml | 0 .../chainsaw-step-03-apply-1.yaml | 0 .../chainsaw-step-03-apply-2.yaml | 0 .../chainsaw-step-03-apply-3.yaml | 0 .../chainsaw-step-03-apply-4.yaml | 0 .../chainsaw-step-03-apply-5.yaml | 2 +- .../chainsaw-step-03-apply-6.yaml | 0 .../.chainsaw-test/chainsaw-test.yaml | 4 +- .../.chainsaw-test/generated-policy.yaml | 0 .../.chainsaw-test/not-generated-policy.yaml | 4 +- .../.chainsaw-test/policy-ready.yaml | 2 +- .../.kyverno-test/generatedResource.yaml | 0 .../.kyverno-test/kyverno-test.yaml | 8 ++-- .../.kyverno-test/test-resource.yaml | 0 .../.kyverno-test/test-values.yaml | 4 +- .../artifacthub-pkg.yml | 27 +++++++++++++ ...sten-generate-policy-by-preset-label.yaml} | 39 +++++++++---------- 19 files changed, 58 insertions(+), 54 deletions(-) delete mode 100644 kasten/k10-generate-policy-by-preset-label/artifacthub-pkg.yml rename kasten/{k10-generate-policy-by-preset-label => kasten-generate-policy-by-preset-label}/.chainsaw-test/chainsaw-step-01-apply-1.yaml (100%) rename kasten/{k10-generate-policy-by-preset-label => kasten-generate-policy-by-preset-label}/.chainsaw-test/chainsaw-step-01-assert-1.yaml (100%) rename kasten/{k10-generate-policy-by-preset-label => kasten-generate-policy-by-preset-label}/.chainsaw-test/chainsaw-step-03-apply-1.yaml (100%) rename kasten/{k10-generate-policy-by-preset-label => kasten-generate-policy-by-preset-label}/.chainsaw-test/chainsaw-step-03-apply-2.yaml (100%) rename kasten/{k10-generate-policy-by-preset-label => kasten-generate-policy-by-preset-label}/.chainsaw-test/chainsaw-step-03-apply-3.yaml (100%) rename kasten/{k10-generate-policy-by-preset-label => kasten-generate-policy-by-preset-label}/.chainsaw-test/chainsaw-step-03-apply-4.yaml (100%) rename kasten/{k10-generate-policy-by-preset-label => 
kasten-generate-policy-by-preset-label}/.chainsaw-test/chainsaw-step-03-apply-5.yaml (73%) rename kasten/{k10-generate-policy-by-preset-label => kasten-generate-policy-by-preset-label}/.chainsaw-test/chainsaw-step-03-apply-6.yaml (100%) rename kasten/{k10-generate-policy-by-preset-label => kasten-generate-policy-by-preset-label}/.chainsaw-test/chainsaw-test.yaml (89%) rename kasten/{k10-generate-policy-by-preset-label => kasten-generate-policy-by-preset-label}/.chainsaw-test/generated-policy.yaml (100%) rename kasten/{k10-generate-policy-by-preset-label => kasten-generate-policy-by-preset-label}/.chainsaw-test/not-generated-policy.yaml (92%) rename kasten/{k10-generate-policy-by-preset-label => kasten-generate-policy-by-preset-label}/.chainsaw-test/policy-ready.yaml (62%) rename kasten/{k10-generate-policy-by-preset-label => kasten-generate-policy-by-preset-label}/.kyverno-test/generatedResource.yaml (100%) rename kasten/{k10-generate-policy-by-preset-label => kasten-generate-policy-by-preset-label}/.kyverno-test/kyverno-test.yaml (55%) rename kasten/{k10-generate-policy-by-preset-label => kasten-generate-policy-by-preset-label}/.kyverno-test/test-resource.yaml (100%) rename kasten/{k10-generate-policy-by-preset-label => kasten-generate-policy-by-preset-label}/.kyverno-test/test-values.yaml (66%) create mode 100644 kasten/kasten-generate-policy-by-preset-label/artifacthub-pkg.yml rename kasten/{k10-generate-policy-by-preset-label/k10-generate-policy-by-preset-label.yaml => kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label.yaml} (61%) diff --git a/kasten/k10-generate-policy-by-preset-label/artifacthub-pkg.yml b/kasten/k10-generate-policy-by-preset-label/artifacthub-pkg.yml deleted file mode 100644 index f2f0a0261..000000000 --- a/kasten/k10-generate-policy-by-preset-label/artifacthub-pkg.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -name: k10-generate-policy-by-preset-label -version: 1.0.0 -displayName: Generate Backup Policy by Preset -createdAt: "2023-04-10T20:12:53.000Z" -description: >- - Generate a K10 backup policy for a namespace that includes a valid "dataprotection" label, if the policy does not already exist. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/k10-generate-policy-by-preset-label/k10-generate-policy-by-preset-label.yaml - ``` -keywords: - - kyverno - - Kasten K10 by Veeam -readme: | - Generate a K10 backup policy for a namespace that includes a valid "dataprotection" label, if the policy does not already exist. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Kasten K10 by Veeam" - kyverno/kubernetesVersion: "1.23" - kyverno/subject: "Policy" -digest: cf651866d9e5fa4c77b0a7a8d5e816d30624f61816ed199ecdb9b498f097fe06 diff --git a/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-01-apply-1.yaml b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-01-apply-1.yaml similarity index 100% rename from kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-01-apply-1.yaml rename to kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-01-apply-1.yaml diff --git a/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml similarity index 100% rename from kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
diff --git a/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-1.yaml b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-1.yaml similarity index 100% rename from kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-1.yaml rename to kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-1.yaml diff --git a/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-2.yaml b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-2.yaml similarity index 100% rename from kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-2.yaml rename to kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-2.yaml diff --git a/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-3.yaml b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-3.yaml similarity index 100% rename from kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-3.yaml rename to kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-3.yaml diff --git a/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-4.yaml b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-4.yaml similarity index 100% rename from kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-4.yaml rename to kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-4.yaml 
diff --git a/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-5.yaml b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-5.yaml similarity index 73% rename from kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-5.yaml rename to kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-5.yaml index 87f813500..ed298e4d9 100755 --- a/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-5.yaml +++ b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-5.yaml @@ -2,5 +2,5 @@ apiVersion: v1 kind: Namespace metadata: labels: - dataprotection: nothing + dataprotection: none name: k10-gp-label-ns04 diff --git a/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-6.yaml b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-6.yaml similarity index 100% rename from kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-6.yaml rename to kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-6.yaml diff --git a/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-test.yaml b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-test.yaml similarity index 89% rename from kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-test.yaml rename to kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-test.yaml index e7857abcc..ba2a4623f 100755 --- a/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-test.yaml +++ b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-test.yaml @@ -3,7 +3,7 @@ apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: creationTimestamp: null - name: k10-generate-policy-by-preset-label + name: kasten-generate-policy-by-preset-label spec: steps: - name: step-01 
@@ -15,7 +15,7 @@ spec: - name: step-02 try: - apply: - file: ../k10-generate-policy-by-preset-label.yaml + file: ../kasten-generate-policy-by-preset-label.yaml - assert: file: policy-ready.yaml - name: step-03 diff --git a/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/generated-policy.yaml b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/generated-policy.yaml similarity index 100% rename from kasten/k10-generate-policy-by-preset-label/.chainsaw-test/generated-policy.yaml rename to kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/generated-policy.yaml diff --git a/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/not-generated-policy.yaml b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/not-generated-policy.yaml similarity index 92% rename from kasten/k10-generate-policy-by-preset-label/.chainsaw-test/not-generated-policy.yaml rename to kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/not-generated-policy.yaml index f938c3623..a63f570c1 100644 --- a/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/not-generated-policy.yaml +++ b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/not-generated-policy.yaml @@ -1,7 +1,7 @@ apiVersion: config.kio.kasten.io/v1alpha1 kind: Policy metadata: - name: k10-gp-label-ns04-nothing-backup + name: k10-gp-label-ns04-none-backup namespace: kasten-io spec: comment: "Auto-generated by Kyverno" @@ -9,7 +9,7 @@ spec: actions: - action: backup presetRef: - name: nothing + name: none namespace: kasten-io selector: matchExpressions: diff --git a/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/policy-ready.yaml b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/policy-ready.yaml similarity index 62% rename from kasten/k10-generate-policy-by-preset-label/.chainsaw-test/policy-ready.yaml rename to kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/policy-ready.yaml index 279f86de4..5273b5370 100644 
--- a/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/policy-ready.yaml +++ b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/policy-ready.yaml @@ -1,6 +1,6 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: k10-generate-policy-by-preset-label + name: kasten-generate-policy-by-preset-label status: ready: true \ No newline at end of file diff --git a/kasten/k10-generate-policy-by-preset-label/.kyverno-test/generatedResource.yaml b/kasten/kasten-generate-policy-by-preset-label/.kyverno-test/generatedResource.yaml similarity index 100% rename from kasten/k10-generate-policy-by-preset-label/.kyverno-test/generatedResource.yaml rename to kasten/kasten-generate-policy-by-preset-label/.kyverno-test/generatedResource.yaml diff --git a/kasten/k10-generate-policy-by-preset-label/.kyverno-test/kyverno-test.yaml b/kasten/kasten-generate-policy-by-preset-label/.kyverno-test/kyverno-test.yaml similarity index 55% rename from kasten/k10-generate-policy-by-preset-label/.kyverno-test/kyverno-test.yaml rename to kasten/kasten-generate-policy-by-preset-label/.kyverno-test/kyverno-test.yaml index 8ab63d8a9..82b54ec1a 100644 --- a/kasten/k10-generate-policy-by-preset-label/.kyverno-test/kyverno-test.yaml +++ b/kasten/kasten-generate-policy-by-preset-label/.kyverno-test/kyverno-test.yaml @@ -1,17 +1,17 @@ apiVersion: cli.kyverno.io/v1alpha1 kind: Test metadata: - name: k10-generate-policy-by-preset-label-test + name: kasten-generate-policy-by-preset-label-test policies: -- ../k10-generate-policy-by-preset-label.yaml +- ../kasten-generate-policy-by-preset-label.yaml resources: - test-resource.yaml results: - generatedResource: generatedResource.yaml kind: Namespace - policy: k10-generate-policy-by-preset-label + policy: kasten-generate-policy-by-preset-label resources: - test-namespace result: pass - rule: k10-generate-policy-by-preset-label + rule: kasten-generate-policy-by-preset-label variables: test-values.yaml 
diff --git a/kasten/k10-generate-policy-by-preset-label/.kyverno-test/test-resource.yaml b/kasten/kasten-generate-policy-by-preset-label/.kyverno-test/test-resource.yaml similarity index 100% rename from kasten/k10-generate-policy-by-preset-label/.kyverno-test/test-resource.yaml rename to kasten/kasten-generate-policy-by-preset-label/.kyverno-test/test-resource.yaml diff --git a/kasten/k10-generate-policy-by-preset-label/.kyverno-test/test-values.yaml b/kasten/kasten-generate-policy-by-preset-label/.kyverno-test/test-values.yaml similarity index 66% rename from kasten/k10-generate-policy-by-preset-label/.kyverno-test/test-values.yaml rename to kasten/kasten-generate-policy-by-preset-label/.kyverno-test/test-values.yaml index a1dd29ca5..ce3a6450f 100644 --- a/kasten/k10-generate-policy-by-preset-label/.kyverno-test/test-values.yaml +++ b/kasten/kasten-generate-policy-by-preset-label/.kyverno-test/test-values.yaml @@ -1,12 +1,12 @@ apiVersion: cli.kyverno.io/v1alpha1 kind: Values policies: -- name: k10-generate-policy-by-preset-label +- name: kasten-generate-policy-by-preset-label resources: - name: test-namespace values: request.namespace: test-namespace rules: - - name: k10-generate-policy-by-preset-label + - name: kasten-generate-policy-by-preset-label values: existingPolicy: 0 diff --git a/kasten/kasten-generate-policy-by-preset-label/artifacthub-pkg.yml b/kasten/kasten-generate-policy-by-preset-label/artifacthub-pkg.yml new file mode 100644 index 000000000..52a146446 --- /dev/null +++ b/kasten/kasten-generate-policy-by-preset-label/artifacthub-pkg.yml 
@@ -0,0 +1,27 @@ +name: kasten-generate-policy-by-preset-label +version: 1.0.1 +displayName: Generate Kasten Policy from Preset +createdAt: "2023-05-07T00:00:00.000Z" +description: >- + Generates a Kasten policy for a new namespace that includes a valid "dataprotection" label, if the policy does not already exist. + + Use with "kasten-validate-ns-by-preset-label" policy to require "dataprotection" labeling on new namespaces. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/kasten-generate-policy-by-preset-label/create-kasten-policies-clusterrole.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label.yaml + ``` +keywords: + - kyverno + - Veeam Kasten +readme: | + Generates a Kasten policy for a new namespace that includes a valid "dataprotection" label, if the policy does not already exist. + + Use with "kasten-validate-ns-by-preset-label" policy to require "dataprotection" labeling on new namespaces. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Veeam Kasten" + kyverno/kubernetesVersion: "1.24-1.30" + kyverno/subject: "Policy" +digest: 99bafb98c4f5f3c93423414fc8c6bbed9226b6e056d5d65d2d2873290e86d1df diff --git a/kasten/k10-generate-policy-by-preset-label/k10-generate-policy-by-preset-label.yaml b/kasten/kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label.yaml similarity index 61% rename from kasten/k10-generate-policy-by-preset-label/k10-generate-policy-by-preset-label.yaml rename to kasten/kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label.yaml index d743c1e7c..c558b6b77 100644 --- a/kasten/k10-generate-policy-by-preset-label/k10-generate-policy-by-preset-label.yaml 
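Review bot: The install block tells users to apply `create-kasten-policies-clusterrole.yaml` from this policy directory, but that manifest is not among the files this commit adds (the diffstat lists 19 files and none is a ClusterRole), so the documented raw URL would not resolve until it lands; either add the manifest here or omit that line until it exists. The rewritten header comment in the kasten-generate-policy-by-preset-label.yaml hunk below has the same dependency: it replaces the explicit apiGroups/resources/verbs list with a pointer to that file, so a reader can no longer see which permissions the background controller is being granted. Keeping the enumerated grant in the comment (`create`, `update`, `list`, `get` on `config.kio.kasten.io` `policies`, as the removed lines stated) preserves the least-privilege review surface regardless of where the manifest lives. If the ClusterRole manifest is added by another commit in this series, only the comment point stands.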
+++ b/kasten/kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label.yaml 
@@ -1,30 +1,29 @@ -# NOTE: This example assumes that K10 policy presets named "gold", "silver", and "bronze" have been pre-created and K10 was deployed into the `kasten-io` namespace. And the kyverno:generate ClusterRole has been updated with the following additional permissions: -# - apiGroups: -# - config.kio.kasten.io -# resources: -# - policies -# verbs: -# - create -# - update -# - list -# - get +# This example assumes that Kasten policy presets named +# "gold", "silver", and "bronze" have been pre-created +# and Kasten was deployed into the `kasten-io` namespace. +# +# Additionally, the Kyverno background controller requires +# additional permissions to create Kasten Policy resources. +# Apply the create-kasten-policies-clusterrole.yaml manifest +# first to grant the required permissions. apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: k10-generate-policy-by-preset-label + name: kasten-generate-policy-by-preset-label annotations: - policies.kyverno.io/title: Generate Backup Policy by Preset - policies.kyverno.io/category: Kasten K10 by Veeam + policies.kyverno.io/title: Generate Kasten Policy from Preset + policies.kyverno.io/category: Veeam Kasten policies.kyverno.io/subject: Policy - kyverno.io/kyverno-version: 1.9.0 - policies.kyverno.io/minversion: 1.9.0 - kyverno.io/kubernetes-version: "1.23" + kyverno.io/kyverno-version: 1.12.1 + policies.kyverno.io/minversion: 1.12.0 + kyverno.io/kubernetes-version: "1.24-1.30" policies.kyverno.io/description: >- - Generate a K10 backup policy for a namespace that includes a valid "dataprotection" label, if the policy does not already exist. + Generates a Kasten policy for a new namespace that includes a valid "dataprotection" label, if the policy does not already exist. + + Use with "kasten-validate-ns-by-preset-label" policy to require "dataprotection" labeling on new namespaces. 
spec: - background: false rules: - - name: k10-generate-policy-by-preset-label + - name: kasten-generate-policy-by-preset-label match: any: - resources: @@ -41,7 +40,7 @@ spec: context: - name: existingPolicy apiCall: - urlPath: "/apis/config.kio.kasten.io/v1alpha1/namespaces/kasten-io/policies/" # returns list of K10 policies from kasten-io namespace + urlPath: "/apis/config.kio.kasten.io/v1alpha1/namespaces/kasten-io/policies" # returns list of Kasten policies from kasten-io namespace jmesPath: "items[][[@.spec.presetRef][?name=='{{ request.object.metadata.labels.dataprotection }}'] && [@.spec.selector.matchExpressions[].values[?@=='{{ request.namespace }}']]][][][][] | length(@)" # queries if a policy based on the dataprotection label value, covering that app namespace already exists preconditions: any: From cf035e2a9d50dcc19ef43956d6212027f5630953 Mon Sep 17 00:00:00 2001 From: Matt Bator Date: Wed, 15 May 2024 10:53:01 -0700 Subject: [PATCH 41/42] Update Kasten validate ns by preset label ClusterPolicy (#1001) * Update validate-ns-by-preset-label ClusterPolicy naming Signed-off-by: Matt Bator * Update chainsaw test naming Signed-off-by: Matt Bator --------- 
Signed-off-by: Matt Bator Co-authored-by: Jim Bugwadia --- .../artifacthub-pkg.yml | 22 -------------- .../chainsaw-step-01-assert-1.yaml | 2 +- .../chainsaw-step-01-assert-2.yaml | 0 .../.chainsaw-test/chainsaw-test.yaml | 6 ++-- .../.chainsaw-test/ns-bad.yaml | 0 .../.chainsaw-test/ns-good.yaml | 0 .../.kyverno-test/kyverno-test.yaml | 12 ++++---- .../.kyverno-test/test-resource.yaml | 0 .../artifacthub-pkg.yml | 30 +++++++++++++++++++ .../kasten-validate-ns-by-preset-label.yaml} | 23 +++++++------- 10 files changed, 51 insertions(+), 44 deletions(-) delete mode 100644 kasten/k10-validate-ns-by-preset-label/artifacthub-pkg.yml rename kasten/{k10-validate-ns-by-preset-label => kasten-validate-ns-by-preset-label}/.chainsaw-test/chainsaw-step-01-assert-1.yaml (64%) rename kasten/{k10-validate-ns-by-preset-label => kasten-validate-ns-by-preset-label}/.chainsaw-test/chainsaw-step-01-assert-2.yaml (100%) rename kasten/{k10-validate-ns-by-preset-label => kasten-validate-ns-by-preset-label}/.chainsaw-test/chainsaw-test.yaml (82%) rename kasten/{k10-validate-ns-by-preset-label => kasten-validate-ns-by-preset-label}/.chainsaw-test/ns-bad.yaml (100%) rename kasten/{k10-validate-ns-by-preset-label => kasten-validate-ns-by-preset-label}/.chainsaw-test/ns-good.yaml (100%) rename kasten/{k10-validate-ns-by-preset-label => kasten-validate-ns-by-preset-label}/.kyverno-test/kyverno-test.yaml (52%) rename kasten/{k10-validate-ns-by-preset-label => kasten-validate-ns-by-preset-label}/.kyverno-test/test-resource.yaml (100%) create mode 100644 kasten/kasten-validate-ns-by-preset-label/artifacthub-pkg.yml rename kasten/{k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml => kasten-validate-ns-by-preset-label/kasten-validate-ns-by-preset-label.yaml} (58%) diff --git a/kasten/k10-validate-ns-by-preset-label/artifacthub-pkg.yml b/kasten/k10-validate-ns-by-preset-label/artifacthub-pkg.yml deleted file mode 100644 index 974e820f5..000000000 
--- a/kasten/k10-validate-ns-by-preset-label/artifacthub-pkg.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: k10-validate-ns-by-preset-label -version: 1.0.0 -displayName: Validate Data Protection by Preset Label -createdAt: "2023-04-10T20:12:53.000Z" -description: >- - Kubernetes applications are typically deployed into a single, logical namespace. Kasten K10 policies will discover and protect all resources within the selected namespace(s). This policy ensures all new namespaces include a label referencing a valid K10 SLA (Policy Preset) for data protection. This policy can be used in combination with generate ClusterPolicy to automatically create a K10 policy based on the specified SLA. The combination ensures that new applications are not inadvertently left unprotected. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml - ``` -keywords: - - kyverno - - Kasten K10 by Veeam -readme: | - Kubernetes applications are typically deployed into a single, logical namespace. Kasten K10 policies will discover and protect all resources within the selected namespace(s). This policy ensures all new namespaces include a label referencing a valid K10 SLA (Policy Preset) for data protection. This policy can be used in combination with generate ClusterPolicy to automatically create a K10 policy based on the specified SLA. The combination ensures that new applications are not inadvertently left unprotected. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Kasten K10 by Veeam" - kyverno/kubernetesVersion: "1.23" - kyverno/subject: "Namespace" -digest: 0c7cc8aa1bf25584958af7ff3fedfa8cae398b7cde007ea73cf0a7653447e454 
diff --git a/kasten/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml similarity index 64% rename from kasten/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 27e86f51b..d65a30c42 100755 --- a/kasten/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -1,6 +1,6 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: k10-validate-ns-by-preset-label + name: kasten-validate-ns-by-preset-label status: ready: true diff --git a/kasten/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml similarity index 100% rename from kasten/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml rename to kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml diff --git a/kasten/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml b/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml similarity index 82% rename from kasten/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml rename to kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml index 3427db172..2392f6c10 100755 --- a/kasten/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml +++ b/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml 
@@ -3,19 +3,19 @@ apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: creationTimestamp: null - name: k10-validate-ns-by-preset-label + name: kasten-validate-ns-by-preset-label spec: steps: - name: step-01 try: - apply: - file: ../k10-validate-ns-by-preset-label.yaml + file: ../kasten-validate-ns-by-preset-label.yaml - patch: resource: apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: k10-validate-ns-by-preset-label + name: kasten-validate-ns-by-preset-label spec: validationFailureAction: Enforce - assert: diff --git a/kasten/k10-validate-ns-by-preset-label/.chainsaw-test/ns-bad.yaml b/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/ns-bad.yaml similarity index 100% rename from kasten/k10-validate-ns-by-preset-label/.chainsaw-test/ns-bad.yaml rename to kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/ns-bad.yaml diff --git a/kasten/k10-validate-ns-by-preset-label/.chainsaw-test/ns-good.yaml b/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/ns-good.yaml similarity index 100% rename from kasten/k10-validate-ns-by-preset-label/.chainsaw-test/ns-good.yaml rename to kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/ns-good.yaml diff --git a/kasten/k10-validate-ns-by-preset-label/.kyverno-test/kyverno-test.yaml b/kasten/kasten-validate-ns-by-preset-label/.kyverno-test/kyverno-test.yaml similarity index 52% rename from kasten/k10-validate-ns-by-preset-label/.kyverno-test/kyverno-test.yaml rename to kasten/kasten-validate-ns-by-preset-label/.kyverno-test/kyverno-test.yaml index 440c95426..e86059a13 100644 --- a/kasten/k10-validate-ns-by-preset-label/.kyverno-test/kyverno-test.yaml +++ b/kasten/kasten-validate-ns-by-preset-label/.kyverno-test/kyverno-test.yaml 
@@ -1,24 +1,24 @@ apiVersion: cli.kyverno.io/v1alpha1 kind: Test metadata: - name: k10-validate-ns-by-preset-label-test + name: kasten-validate-ns-by-preset-label-test policies: -- ../k10-validate-ns-by-preset-label.yaml +- ../kasten-validate-ns-by-preset-label.yaml resources: - test-resource.yaml results: - kind: Namespace - policy: k10-validate-ns-by-preset-label + policy: kasten-validate-ns-by-preset-label resources: - namespace-invalid result: fail - rule: k10-validate-ns-by-preset-label + rule: kasten-validate-ns-by-preset-label - kind: Namespace - policy: k10-validate-ns-by-preset-label + policy: kasten-validate-ns-by-preset-label resources: - namespace-gold - namespace-silver - namespace-bronze - namespace-none result: pass - rule: k10-validate-ns-by-preset-label + rule: kasten-validate-ns-by-preset-label diff --git a/kasten/k10-validate-ns-by-preset-label/.kyverno-test/test-resource.yaml b/kasten/kasten-validate-ns-by-preset-label/.kyverno-test/test-resource.yaml similarity index 100% rename from kasten/k10-validate-ns-by-preset-label/.kyverno-test/test-resource.yaml rename to kasten/kasten-validate-ns-by-preset-label/.kyverno-test/test-resource.yaml diff --git a/kasten/kasten-validate-ns-by-preset-label/artifacthub-pkg.yml b/kasten/kasten-validate-ns-by-preset-label/artifacthub-pkg.yml new file mode 100644 index 000000000..c94a9ede3 --- /dev/null +++ b/kasten/kasten-validate-ns-by-preset-label/artifacthub-pkg.yml 
@@ -0,0 +1,30 @@ +name: kasten-validate-ns-by-preset-label +version: 1.0.1 +displayName: Validate Data Protection with Kasten Preset Label +createdAt: "2023-05-07T00:00:00.000Z" +description: >- + Kubernetes applications are typically deployed into a single, logical namespace. + Veeam Kasten policies will discover and protect all resources within the selected namespace(s). + This policy ensures all new namespaces include a label referencing a valid Kasten SLA + (Policy Preset) for data protection.This policy can be used in combination with /Users/the `kasten-generate-policy-by-preset-label` ClusterPolicy to automatically create a Kasten policy based on the specified SLA. + The combination ensures that new applications are not inadvertently left unprotected. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/kasten-validate-ns-by-preset-label/kasten-validate-ns-by-preset-label.yaml + ``` +keywords: + - kyverno + - Veeam Kasten +readme: | + Kubernetes applications are typically deployed into a single, logical namespace. + Veeam Kasten policies will discover and protect all resources within the selected namespace(s). + This policy ensures all new namespaces include a label referencing a valid Kasten SLA + (Policy Preset) for data protection.This policy can be used in combination with /Users/the `kasten-generate-policy-by-preset-label` ClusterPolicy to automatically create a Kasten policy based on the specified SLA. + The combination ensures that new applications are not inadvertently left unprotected. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Veeam Kasten" + kyverno/kubernetesVersion: "1.25-1.30" + kyverno/subject: "Namespace" +digest: 3252bfa88a6975af4159acf098d5004e786889509c0fc17f25bad97b8f24e78e 
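Review bot: Both `description` and `readme` contain a stray path fragment, the words `/Users/the` immediately before the backticked `kasten-generate-policy-by-preset-label` name, which reads like an editor autocomplete slip; the sentence should say `in combination with the ...`, and `data protection.This policy` is missing a space. `kyverno/kubernetesVersion: "1.25-1.30"` here also disagrees with `kyverno.io/kubernetes-version: "1.24-1.30"` declared in the renamed policy manifest later in this patch, so one of the two should be aligned. If the repo's tooling derives `digest` from the policy file contents, that line will presumably need regenerating once the manifest text is corrected — confirm against the artifacthub check in CI.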
diff --git a/kasten/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml b/kasten/kasten-validate-ns-by-preset-label/kasten-validate-ns-by-preset-label.yaml similarity index 58% rename from kasten/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml rename to kasten/kasten-validate-ns-by-preset-label/kasten-validate-ns-by-preset-label.yaml index 5cb0e82b1..c26da7c05 100644 --- a/kasten/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml +++ b/kasten/kasten-validate-ns-by-preset-label/kasten-validate-ns-by-preset-label.yaml 
@@ -1,26 +1,25 @@ -#NOTE: This example assumes that K10 policy presets named "gold", "silver", and "bronze" have been pre-created and K10 was deployed into the `kasten-io` namespace. +#NOTE: This example assumes that Kasten policy presets named "gold", "silver", and "bronze" have been pre-created and Kasten was deployed into the `kasten-io` namespace. apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: k10-validate-ns-by-preset-label + name: kasten-validate-ns-by-preset-label annotations: - policies.kyverno.io/title: Validate Data Protection by Preset Label - policies.kyverno.io/category: Kasten K10 by Veeam + policies.kyverno.io/title: Validate Data Protection with Kasten Preset Label + policies.kyverno.io/category: Veeam Kasten policies.kyverno.io/subject: Namespace - kyverno.io/kyverno-version: 1.9.0 + kyverno.io/kyverno-version: 1.12.1 policies.kyverno.io/minversion: 1.9.0 - kyverno.io/kubernetes-version: "1.23" + kyverno.io/kubernetes-version: "1.24-1.30" policies.kyverno.io/description: >- Kubernetes applications are typically deployed into a single, logical namespace. - Kasten K10 policies will discover and protect all resources within the selected namespace(s). - This policy ensures all new namespaces include a label referencing a valid K10 SLA - (Policy Preset) for data protection.This policy can be used in combination with generate - ClusterPolicy to automatically create a K10 policy based on the specified SLA. + Veeam Kasten policies will discover and protect all resources within the selected namespace(s). + This policy ensures all new namespaces include a label referencing a valid Kasten SLA + (Policy Preset) for data protection.This policy can be used in combination with /Users/the `kasten-generate-policy-by-preset-label` ClusterPolicy to automatically create a Kasten policy based on the specified SLA. The combination ensures that new applications are not inadvertently left unprotected. 
spec: validationFailureAction: Audit rules: - - name: k10-validate-ns-by-preset-label + - name: kasten-validate-ns-by-preset-label match: any: - resources: @@ -28,7 +27,7 @@ spec: - Namespace validate: message: >- - Namespaces must specify a "dataprotection" label with a value corresponding to a Kasten K10 SLA: + Namespaces must specify a "dataprotection" label with a value corresponding to a Kasten Policy Preset: "gold" - "silver" - From 7e55ff1c42a12f71711878547368d3e8b536bf85 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Thu, 16 May 2024 19:50:05 +0530 Subject: [PATCH 42/42] feat: add other policies in CEL expressions - Part 2 (#960) * copy enforce-pod-duration Signed-off-by: Chandan-DK * convert enforce-pod-duration to cel Signed-off-by: Chandan-DK * add CI test for directories starting with e to l in other-cel folder Signed-off-by: Chandan-DK * copy enforce-readwriteonce-pod Signed-off-by: Chandan-DK * convert enforce-readwriteonce-pod to cel Signed-off-by: Chandan-DK * copy ensure-probes-different Signed-off-by: Chandan-DK * convert ensure-probes-different to cel Signed-off-by: Chandan-DK * copy forbid-cpu-limits Signed-off-by: Chandan-DK * convert forbid-cpu-limits to cel Signed-off-by: Chandan-DK * copy limit-containers-per-pod Signed-off-by: Chandan-DK * convert limit-containers-per-pod to cel Signed-off-by: Chandan-DK * copy pdb-maxunavailable Signed-off-by: Chandan-DK * convert pdb-maxunavailable to cel Signed-off-by: Chandan-DK * keep pdb-maxunavailable in a separate PR Signed-off-by: Chandan-DK * copy imagepullpolicy-always Signed-off-by: Chandan-DK * convert imagepullpolicy-always to cel Signed-off-by: Chandan-DK * copy limit-hostpath-type-pv Signed-off-by: Chandan-DK * convert limit-hostpath-type-pv to cel Signed-off-by: Chandan-DK * copy ensure-readonly-hostpath Signed-off-by: Chandan-DK * convert ensure-readonly-hostpath to cel Signed-off-by: Chandan-DK * copy ingress-host-match-tls 
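Review bot: The new `policies.kyverno.io/description` carries the same stray `/Users/the` fragment before the backticked `kasten-generate-policy-by-preset-label` name as the artifacthub metadata, and `data protection.This policy` needs a space; the sentence should simply read `in combination with the ...`. `kyverno.io/kubernetes-version: "1.24-1.30"` here does not match the `"1.25-1.30"` published for this package, so one should change. For anyone adopting this, the unchanged `validationFailureAction: Audit` in the context lines means namespaces without a preset label are only reported, not rejected, until the policy is switched to Enforce as the chainsaw test does. The rule body continues in the following hunk.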
Signed-off-by: Chandan-DK * convert ingress-host-match-tls to cel Signed-off-by: Chandan-DK * rename files for clarity Signed-off-by: Chandan-DK * add new lines at the end of files Signed-off-by: Chandan-DK * update artifacthub-pkg.yml for enforce-readwriteonce-pod Co-authored-by: Mariam Fahmy Signed-off-by: Chandan-DK --------- 
Signed-off-by: Chandan-DK Co-authored-by: Mariam Fahmy Co-authored-by: Mariam Fahmy --- .github/workflows/test.yml | 7 +- .../.chainsaw-test/chainsaw-test.yaml | 39 ++++ .../.chainsaw-test/podcontrollers-bad.yaml | 43 ++++ .../.chainsaw-test/podcontrollers-good.yaml | 82 +++++++ .../.chainsaw-test/pods-bad.yaml | 24 +++ .../.chainsaw-test/pods-good.yaml | 44 ++++ .../.chainsaw-test/policy-ready.yaml | 7 + .../.kyverno-test/kyverno-test.yaml | 22 ++ .../.kyverno-test/resources.yaml | 24 +++ .../enforce-pod-duration/artifacthub-pkg.yml | 24 +++ .../enforce-pod-duration.yaml | 35 +++ .../.kyverno-test/kyverno-test.yaml | 22 ++ .../.kyverno-test/resource.yaml | 22 ++ .../artifacthub-pkg.yml | 34 +++ .../enforce-readwriteonce-pod.yaml | 33 +++ .../.chainsaw-test/chainsaw-test.yaml | 38 ++++ .../.chainsaw-test/ns.yaml | 5 + .../.chainsaw-test/podcontrollers-bad.yaml | 116 ++++++++++ .../.chainsaw-test/podcontrollers-good.yaml | 114 ++++++++++ .../.chainsaw-test/policy-ready.yaml | 7 + .../.kyverno-test/kyverno-test.yaml | 22 ++ .../.kyverno-test/resource.yaml | 67 ++++++ .../artifacthub-pkg.yml | 24 +++ .../ensure-probes-different.yaml | 38 ++++ .../.chainsaw-test/bad-pod-02.yaml | 17 ++ .../.chainsaw-test/bad-pod-03.yaml | 22 ++ .../.chainsaw-test/bad-pod-04.yaml | 23 ++ .../.chainsaw-test/bad-pod-05.yaml | 28 +++ .../.chainsaw-test/bad-pods-all.yaml | 40 ++++ .../.chainsaw-test/chainsaw-test.yaml | 66 ++++++ .../.chainsaw-test/good-pods-all.yaml | 37 ++++ .../.chainsaw-test/podcontrollers-bad.yaml | 75 +++++++ .../.chainsaw-test/podcontrollers-good.yaml | 75 +++++++ .../.chainsaw-test/pods-bad.yaml | 27 +++ .../.chainsaw-test/pods-good.yaml | 27 +++ .../.chainsaw-test/policy-ready.yaml | 7 + .../.kyverno-test/bad-pod-01.yaml | 16 ++ .../.kyverno-test/good-pod-01.yaml | 17 ++ .../.kyverno-test/kyverno-test.yaml | 23 ++ .../artifacthub-pkg.yml | 24 +++ .../ensure-readonly-hostpath.yaml | 43 ++++ .../.chainsaw-test/chainsaw-test.yaml | 39 ++++ 
.../.chainsaw-test/podcontrollers-bad.yaml | 100 +++++++++ .../.chainsaw-test/podcontrollers-good.yaml | 84 ++++++++ .../.chainsaw-test/pods-bad.yaml | 29 +++ .../.chainsaw-test/pods-good.yaml | 21 ++ .../.chainsaw-test/policy-ready.yaml | 7 + .../.kyverno-test/kyverno-test.yaml | 24 +++ .../.kyverno-test/resource.yaml | 50 +++++ .../forbid-cpu-limits/artifacthub-pkg.yml | 24 +++ .../forbid-cpu-limits/forbid-cpu-limits.yaml | 32 +++ .../.chainsaw-test/chainsaw-test.yaml | 39 ++++ .../.chainsaw-test/pod-bad.yaml | 45 ++++ .../.chainsaw-test/pod-good.yaml | 62 ++++++ .../.chainsaw-test/podcontroller-bad.yaml | 48 +++++ .../.chainsaw-test/podcontroller-good.yaml | 44 ++++ .../.chainsaw-test/policy-ready.yaml | 7 + .../.kyverno-test/kyverno-test.yaml | 34 +++ .../.kyverno-test/resource.yaml | 68 ++++++ .../artifacthub-pkg.yml | 24 +++ .../imagepullpolicy-always.yaml | 36 ++++ .../.chainsaw-test/chainsaw-test.yaml | 32 +++ .../.chainsaw-test/ingress-bad.yaml | 83 +++++++ .../.chainsaw-test/ingress-good.yaml | 202 ++++++++++++++++++ .../.chainsaw-test/policy-ready.yaml | 7 + .../.kyverno-test/kyverno-test.yaml | 26 +++ .../.kyverno-test/resource.yaml | 170 +++++++++++++++ .../artifacthub-pkg.yml | 24 +++ .../ingress-host-match-tls.yaml | 40 ++++ .../.chainsaw-test/chainsaw-test.yaml | 39 ++++ .../.chainsaw-test/pod-bad.yaml | 17 ++ .../.chainsaw-test/pod-good.yaml | 26 +++ .../.chainsaw-test/podcontroller-bad.yaml | 52 +++++ .../.chainsaw-test/podcontroller-good.yaml | 48 +++++ .../.chainsaw-test/policy-ready.yaml | 7 + .../.kyverno-test/kyverno-test.yaml | 34 +++ .../.kyverno-test/resource.yaml | 76 +++++++ .../artifacthub-pkg.yml | 24 +++ .../limit-containers-per-pod.yaml | 32 +++ .../.chainsaw-test/chainsaw-test.yaml | 32 +++ .../.chainsaw-test/policy-ready.yaml | 7 + .../.chainsaw-test/pv-bad.yaml | 32 +++ .../.chainsaw-test/pv-good.yaml | 32 +++ .../.kyverno-test/kyverno-test.yaml | 22 ++ .../.kyverno-test/resource.yaml | 32 +++ .../artifacthub-pkg.yml | 24 +++ 
.../limit-hostpath-type-pv.yaml | 32 +++ 87 files changed, 3426 insertions(+), 3 deletions(-) create mode 100755 other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml create mode 100644 other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml create mode 100644 other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml create mode 100644 other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml create mode 100755 other-cel/enforce-pod-duration/.chainsaw-test/policy-ready.yaml create mode 100644 other-cel/enforce-pod-duration/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/enforce-pod-duration/.kyverno-test/resources.yaml create mode 100644 other-cel/enforce-pod-duration/artifacthub-pkg.yml create mode 100644 other-cel/enforce-pod-duration/enforce-pod-duration.yaml create mode 100644 other-cel/enforce-readwriteonce-pod/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/enforce-readwriteonce-pod/.kyverno-test/resource.yaml create mode 100644 other-cel/enforce-readwriteonce-pod/artifacthub-pkg.yml create mode 100644 other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml create mode 100755 other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/ensure-probes-different/.chainsaw-test/ns.yaml create mode 100644 other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml create mode 100644 other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml create mode 100755 other-cel/ensure-probes-different/.chainsaw-test/policy-ready.yaml create mode 100644 other-cel/ensure-probes-different/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/ensure-probes-different/.kyverno-test/resource.yaml create mode 100644 other-cel/ensure-probes-different/artifacthub-pkg.yml create mode 100644 other-cel/ensure-probes-different/ensure-probes-different.yaml create 
mode 100644 other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-02.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-03.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-04.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-05.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pods-all.yaml create mode 100755 other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.chainsaw-test/good-pods-all.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml create mode 100755 other-cel/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.kyverno-test/bad-pod-01.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.kyverno-test/good-pod-01.yaml create mode 100644 other-cel/ensure-readonly-hostpath/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml create mode 100644 other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml create mode 100755 other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml create mode 100644 other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml create mode 100644 other-cel/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml create mode 100644 other-cel/forbid-cpu-limits/.chainsaw-test/pods-good.yaml create mode 100755 other-cel/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml create mode 100644 
other-cel/forbid-cpu-limits/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/forbid-cpu-limits/.kyverno-test/resource.yaml create mode 100644 other-cel/forbid-cpu-limits/artifacthub-pkg.yml create mode 100644 other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml create mode 100755 other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml create mode 100644 other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml create mode 100644 other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml create mode 100644 other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml create mode 100755 other-cel/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml create mode 100644 other-cel/imagepullpolicy-always/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml create mode 100644 other-cel/imagepullpolicy-always/artifacthub-pkg.yml create mode 100644 other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml create mode 100755 other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/ingress-host-match-tls/.chainsaw-test/ingress-bad.yaml create mode 100644 other-cel/ingress-host-match-tls/.chainsaw-test/ingress-good.yaml create mode 100755 other-cel/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml create mode 100644 other-cel/ingress-host-match-tls/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/ingress-host-match-tls/.kyverno-test/resource.yaml create mode 100644 other-cel/ingress-host-match-tls/artifacthub-pkg.yml create mode 100644 other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml create mode 100755 other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml create mode 100644 
other-cel/limit-containers-per-pod/.chainsaw-test/pod-good.yaml create mode 100644 other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml create mode 100644 other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml create mode 100755 other-cel/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml create mode 100644 other-cel/limit-containers-per-pod/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/limit-containers-per-pod/.kyverno-test/resource.yaml create mode 100644 other-cel/limit-containers-per-pod/artifacthub-pkg.yml create mode 100644 other-cel/limit-containers-per-pod/limit-containers-per-pod.yaml create mode 100755 other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml create mode 100755 other-cel/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml create mode 100644 other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-bad.yaml create mode 100644 other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-good.yaml create mode 100644 other-cel/limit-hostpath-type-pv/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/limit-hostpath-type-pv/.kyverno-test/resource.yaml create mode 100644 other-cel/limit-hostpath-type-pv/artifacthub-pkg.yml create mode 100644 other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d07a3f019..0e806fa5d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -47,15 +47,16 @@ jobs: - ^nginx-ingress$ - ^openshift$ - ^other$/^a + - ^other-cel$/^a - ^other$/^[b-d] + - ^other-cel$/^[b-d] - ^other$/^[e-l] + - ^other-cel$/^[e-l] - ^other$/^[m-q] + - ^other-cel$/^[m-q] - ^other$/^re[c-q] - ^other$/^res - ^other$/^[s-z] - - ^other-cel$/^a - - ^other-cel$/^[b-d] - - ^other-cel$/^[m-q] - ^pod-security$ - ^pod-security-cel$ - ^psa$ 
diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..18c018e87 --- /dev/null +++ b/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,39 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: enforce-pod-duration +spec: + steps: + - name: step-01 + try: + - apply: + file: ../enforce-pod-duration.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: pod-lifetime + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: pods-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pods-bad.yaml + - apply: + file: podcontrollers-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontrollers-bad.yaml + diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml new file mode 100644 index 000000000..7668856fd --- /dev/null +++ b/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml 
@@ -0,0 +1,43 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + annotations: + pod.kubernetes.io/lifetime: "8h5m" + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + annotations: + pod.kubernetes.io/lifetime: "8h5m" + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + restartPolicy: OnFailure + diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml new file mode 100644 index 000000000..8cf26dc07 --- /dev/null +++ b/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml 
@@ -0,0 +1,82 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + annotations: + pod.kubernetes.io/lifetime: "8h" + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + annotations: + pod.kubernetes.io/lifetime: "5m" + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + restartPolicy: OnFailure + diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml new file mode 100644 index 000000000..bca56ed61 --- /dev/null +++ b/other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + foo: bar + pod.kubernetes.io/lifetime: "8h1m" + name: badpod01 +spec: + containers: + - image: busybox:1.35 + name: busybox +--- +apiVersion: v1 +kind: Pod +metadata: + annotations: + pod.kubernetes.io/lifetime: "24h" + foo: bar + name: badpod02 +spec: + containers: + - image: busybox:1.35 + name: busybox + 
diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml new file mode 100644 index 000000000..8e5741b96 --- /dev/null +++ b/other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml @@ -0,0 +1,44 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - image: busybox:1.35 + name: busybox +--- +apiVersion: v1 +kind: Pod +metadata: + annotations: + foo: bar + name: goodpod02 +spec: + containers: + - image: busybox:1.35 + name: busybox +--- +apiVersion: v1 +kind: Pod +metadata: + annotations: + foo: bar + pod.kubernetes.io/lifetime: "5m" + name: goodpod03 +spec: + containers: + - image: busybox:1.35 + name: busybox +--- +apiVersion: v1 +kind: Pod +metadata: + annotations: + pod.kubernetes.io/lifetime: "8h" + foo: bar + name: goodpod04 +spec: + containers: + - image: busybox:1.35 + name: busybox + diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/policy-ready.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/policy-ready.yaml new file mode 100755 index 000000000..2530f09c7 --- /dev/null +++ b/other-cel/enforce-pod-duration/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,7 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: pod-lifetime +status: + ready: true + diff --git a/other-cel/enforce-pod-duration/.kyverno-test/kyverno-test.yaml b/other-cel/enforce-pod-duration/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..da3c01fd4 --- /dev/null +++ b/other-cel/enforce-pod-duration/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,22 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: pod-lifetime +policies: +- ../enforce-pod-duration.yaml +resources: +- resources.yaml +results: +- kind: Pod + policy: pod-lifetime + resources: + - test-lifetime-fail + result: fail + rule: pods-lifetime +- kind: Pod + policy: pod-lifetime + resources: + - test-lifetime-pass + result: pass + rule: pods-lifetime + 
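Review bot: The CLI test asserts only one passing and one failing Pod, and both fixtures carry a `pod.kubernetes.io/lifetime` annotation, so the policy's `has(object.metadata.annotations)` guard and its `'0s'` fallback for an un-annotated Pod are covered only by the chainsaw run, not by `kyverno test`. Add a third fixture without the annotation to the sibling `resources.yaml` and list it under the pass result alongside `- test-lifetime-pass`, e.g. `- test-lifetime-noannotation`. A fixture with a malformed value such as `1d` would additionally pin down how the CEL `duration()` error is reported.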
diff --git a/other-cel/enforce-pod-duration/.kyverno-test/resources.yaml b/other-cel/enforce-pod-duration/.kyverno-test/resources.yaml new file mode 100644 index 000000000..b40ef2969 --- /dev/null +++ b/other-cel/enforce-pod-duration/.kyverno-test/resources.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-lifetime-pass + namespace: test + annotations: + pod.kubernetes.io/lifetime: 4h +spec: + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-lifetime-fail + namespace: test + annotations: + pod.kubernetes.io/lifetime: 24h +spec: + containers: + - name: nginx + image: nginx:1.12 + diff --git a/other-cel/enforce-pod-duration/artifacthub-pkg.yml b/other-cel/enforce-pod-duration/artifacthub-pkg.yml new file mode 100644 index 000000000..c2c68faf6 --- /dev/null +++ b/other-cel/enforce-pod-duration/artifacthub-pkg.yml 
@@ -0,0 +1,24 @@ +name: enforce-pod-duration-cel +version: 1.0.0 +displayName: Enforce pod duration in CEL expressions +description: >- + This validation is valuable when annotations are used to define durations, such as to ensure a Pod lifetime annotation does not exceed some site specific max threshold. Pod lifetime annotation can be no greater than 8 hours. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/enforce-pod-duration/enforce-pod-duration.yaml + ``` +keywords: + - kyverno + - Sample + - CEL Expressions +readme: | + This validation is valuable when annotations are used to define durations, such as to ensure a Pod lifetime annotation does not exceed some site specific max threshold. Pod lifetime annotation can be no greater than 8 hours. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Sample in CEL" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod" +digest: b2f1fec7c8b199024c813b1ddb3d52f27f889d082c0c94f4824c499cd6b278bb +createdAt: "2024-03-30T18:18:11Z" + diff --git a/other-cel/enforce-pod-duration/enforce-pod-duration.yaml b/other-cel/enforce-pod-duration/enforce-pod-duration.yaml new file mode 100644 index 000000000..48ccc0fb7 --- /dev/null +++ b/other-cel/enforce-pod-duration/enforce-pod-duration.yaml 
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: pod-lifetime
+ annotations:
+ policies.kyverno.io/title: Enforce pod duration in CEL expressions
+ policies.kyverno.io/category: Sample in CEL
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ This validation is valuable when annotations are used to define durations,
+ such as to ensure a Pod lifetime annotation does not exceed some site specific max threshold.
+ Pod lifetime annotation can be no greater than 8 hours.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: pods-lifetime
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ cel:
+ variables:
+ - name: hasLifetimeAnnotation
+ expression: "has(object.metadata.annotations) && 'pod.kubernetes.io/lifetime' in object.metadata.annotations"
+ - name: lifetimeAnnotationValue
+ expression: "variables.hasLifetimeAnnotation ? object.metadata.annotations['pod.kubernetes.io/lifetime'] : '0s'"
+ expressions:
+ - expression: "!(duration(variables.lifetimeAnnotationValue) > duration('8h'))"
+ message: "Pod lifetime exceeds limit of 8h"
+
diff --git a/other-cel/enforce-readwriteonce-pod/.kyverno-test/kyverno-test.yaml b/other-cel/enforce-readwriteonce-pod/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..31c6b838a
--- /dev/null
+++ b/other-cel/enforce-readwriteonce-pod/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,22 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: enforce-readwriteonce-pod
+policies:
+- ../enforce-readwriteonce-pod.yaml
+resources:
+- resource.yaml
+results:
+- kind: PersistentVolumeClaim
+ policy: readwriteonce-pod
+ resources:
+ - badpvc
+ result: fail
+ rule: readwrite-pvc-single-pod
+- kind: PersistentVolumeClaim
+ policy: readwriteonce-pod
+ resources:
+ - goodpvc
+ result: pass
+ rule: readwrite-pvc-single-pod
+
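Review bot: `duration(variables.lifetimeAnnotationValue)` in the expressions entry throws on a value CEL cannot parse (for example `4 hours` or `1d`), so a Pod carrying such an annotation ends in a rule evaluation error rather than the `Pod lifetime exceeds limit of 8h` message, and the resources.yaml fixture above only covers the well-formed values `4h` and `24h`. An evaluation error is likely reported differently from a plain failure in Audit versus Enforce, so either document that malformed values are treated as errors or add a fixture with a malformed value that pins the intended outcome. The description could also state that a Pod without the annotation passes, which is what the `'0s'` fallback in lifetimeAnnotationValue implements.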
diff --git a/other-cel/enforce-readwriteonce-pod/.kyverno-test/resource.yaml b/other-cel/enforce-readwriteonce-pod/.kyverno-test/resource.yaml new file mode 100644 index 000000000..df1206b98 --- /dev/null +++ b/other-cel/enforce-readwriteonce-pod/.kyverno-test/resource.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: badpvc +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: goodpvc +spec: + accessModes: + - ReadWriteOncePod + resources: + requests: + storage: 1Gi + diff --git a/other-cel/enforce-readwriteonce-pod/artifacthub-pkg.yml b/other-cel/enforce-readwriteonce-pod/artifacthub-pkg.yml new file mode 100644 index 000000000..520a5ac06 --- /dev/null +++ b/other-cel/enforce-readwriteonce-pod/artifacthub-pkg.yml 
@@ -0,0 +1,34 @@ +name: enforce-readwriteonce-pod-cel +version: 1.0.0 +displayName: Enforce readwriteoncepod in CEL expressions +description: >- + Some stateful workloads with multiple replicas only allow a single Pod to write + to a given volume at a time. Beginning in Kubernetes 1.22 and enabled by default + in 1.27, a new setting called ReadWriteOncePod, available + for CSI volumes only, allows volumes to be writable from only a single Pod. For more + information see the blog https://kubernetes.io/blog/2023/04/20/read-write-once-pod-access-mode-beta/. + This policy enforces that the accessModes for a PersistentVolumeClaim be set to ReadWriteOncePod. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml + ``` +keywords: + - kyverno + - Sample + - CEL Expressions +readme: | + Some stateful workloads with multiple replicas only allow a single Pod to write + to a given volume at a time. Beginning in Kubernetes 1.22 and enabled by default + in 1.27, a new setting called ReadWriteOncePod, available + for CSI volumes only, allows volumes to be writable from only a single Pod. For more + information see the blog https://kubernetes.io/blog/2023/04/20/read-write-once-pod-access-mode-beta/. + This policy enforces that the accessModes for a PersistentVolumeClaim be set to ReadWriteOncePod. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Sample in CEL" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "PersistentVolumeClaims" +digest: de7662c3394731c2de9205ebdda2da9da69e8022b616ca6e4ea9dbfd8ad2b2a8 +createdAt: "2024-03-31T10:53:27Z" + diff --git a/other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml b/other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml new file mode 100644 index 000000000..5c5720e4d --- /dev/null 
+++ b/other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: readwriteonce-pod
+ annotations:
+ policies.kyverno.io/title: Enforce ReadWriteOncePod in CEL expressions
+ policies.kyverno.io/category: Sample in CEL
+ policies.kyverno.io/subject: PersistentVolumeClaim
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.27-1.28"
+ policies.kyverno.io/description: >-
+ Some stateful workloads with multiple replicas only allow a single Pod to write
+ to a given volume at a time. Beginning in Kubernetes 1.22 and enabled by default
+ in 1.27, a new setting called ReadWriteOncePod, available
+ for CSI volumes only, allows volumes to be writable from only a single Pod. For more
+ information see the blog https://kubernetes.io/blog/2023/04/20/read-write-once-pod-access-mode-beta/.
+ This policy enforces that the accessModes for a PersistentVolumeClaim be set to ReadWriteOncePod.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: readwrite-pvc-single-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - PersistentVolumeClaim
+ validate:
+ cel:
+ expressions:
+ - expression: "'ReadWriteOncePod' in object.spec.accessModes"
+ message: "The accessMode must be set to ReadWriteOncePod."
+
diff --git a/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml b/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..119c554b3
--- /dev/null
+++ b/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml
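Review bot: `kyverno.io/kubernetes-version: "1.27-1.28"` here disagrees with `kyverno/kubernetesVersion: "1.26-1.27"` in the artifacthub-pkg.yml hunk above, and `policies.kyverno.io/subject: PersistentVolumeClaim` disagrees with `kyverno/subject: "PersistentVolumeClaims"` there; the two files should carry the same pair, and since the description says the access mode is enabled by default from 1.27, `"1.27-1.28"` looks like the range to keep. The expression reads `object.spec.accessModes` without a `has()` guard; the API server requires at least one access mode on a PersistentVolumeClaim, so this is fine on admission and in background scans, but a short comment on the expression line stating that assumption would save the next reader the lookup.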
@@ -0,0 +1,38 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: ensure-probes-different +spec: + steps: + - name: step-01 + try: + - apply: + file: ns.yaml + - apply: + file: ../ensure-probes-different.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: validate-probes + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: podcontrollers-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontrollers-bad.yaml + - name: step-99 + try: + - script: + content: kubectl delete all --all --force --grace-period=0 -n ensure-probes-different-ns + diff --git a/other-cel/ensure-probes-different/.chainsaw-test/ns.yaml b/other-cel/ensure-probes-different/.chainsaw-test/ns.yaml new file mode 100644 index 000000000..055f17f7e --- /dev/null +++ b/other-cel/ensure-probes-different/.chainsaw-test/ns.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: ensure-probes-different-ns + diff --git a/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml new file mode 100644 index 000000000..4042ab8a8 --- /dev/null +++ b/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml 
@@ -0,0 +1,116 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 + namespace: ensure-probes-different-ns +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + livenessProbe: + exec: + command: + - cat + - /tmp/healthy + periodSeconds: 10 + readinessProbe: + tcpSocket: + port: 8080 + - image: busybox:1.35 + name: busybox02 + command: ["sleep","300"] + livenessProbe: + exec: + command: + - cat + - /tmp/healthy + periodSeconds: 10 + readinessProbe: + exec: + command: + - cat + - /tmp/healthy + periodSeconds: 10 +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: badds01 + namespace: ensure-probes-different-ns +spec: + selector: + matchLabels: + name: busybox + template: + metadata: + labels: + name: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + command: ["sleep","300"] + livenessProbe: + tcpSocket: + port: 8080 + periodSeconds: 10 + readinessProbe: + tcpSocket: + port: 8080 + periodSeconds: 10 + - image: busybox:1.35 + name: busybox02 + livenessProbe: + exec: + command: + - cat + - /tmp/healthy + periodSeconds: 10 + readinessProbe: + tcpSocket: + port: 8080 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: badss01 + namespace: ensure-probes-different-ns +spec: + selector: + matchLabels: + app: busybox + serviceName: "busybox" + replicas: 1 + template: + metadata: + labels: + app: busybox + spec: + terminationGracePeriodSeconds: 5 + containers: + - image: busybox:1.35 + name: busybox02 + command: ["sleep","300"] + livenessProbe: + httpGet: + path: /healthz + port: 8080 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /healthz + port: 8080 + periodSeconds: 10 + 
diff --git a/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml b/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml new file mode 100644 index 000000000..b82e3c264 --- /dev/null +++ b/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml 
@@ -0,0 +1,114 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 + namespace: ensure-probes-different-ns +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + command: ["sleep","300"] + readinessProbe: + exec: + command: + - cat + - /tmp/healthy + periodSeconds: 10 + - image: busybox:1.35 + name: busybox02 + command: ["sleep","300"] + livenessProbe: + exec: + command: + - cat + - /tmp/healthy + periodSeconds: 10 + readinessProbe: + tcpSocket: + port: 8080 + periodSeconds: 10 +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: goodds01 + namespace: ensure-probes-different-ns +spec: + selector: + matchLabels: + name: busybox + template: + metadata: + labels: + name: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + command: ["sleep","300"] + readinessProbe: + exec: + command: + - cat + - /tmp/healthy + periodSeconds: 10 + - image: busybox:1.35 + name: busybox02 + command: ["sleep","300"] + livenessProbe: + exec: + command: + - cat + - /tmp/healthy + periodSeconds: 10 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: goodss01 + namespace: ensure-probes-different-ns +spec: + selector: + matchLabels: + app: busybox + serviceName: "busybox" + replicas: 1 + template: + metadata: + labels: + app: busybox + spec: + terminationGracePeriodSeconds: 5 + containers: + - image: busybox:1.35 + name: busybox + livenessProbe: + tcpSocket: + port: 8080 + periodSeconds: 10 + - image: busybox:1.35 + name: busybox02 + command: ["sleep","300"] + livenessProbe: + exec: + command: + - cat + - /tmp/healthy + periodSeconds: 10 + readinessProbe: + tcpSocket: + port: 8080 + periodSeconds: 10 + 
diff --git a/other-cel/ensure-probes-different/.chainsaw-test/policy-ready.yaml b/other-cel/ensure-probes-different/.chainsaw-test/policy-ready.yaml new file mode 100755 index 000000000..1a741c0b9 --- /dev/null +++ b/other-cel/ensure-probes-different/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,7 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate-probes +status: + ready: true + diff --git a/other-cel/ensure-probes-different/.kyverno-test/kyverno-test.yaml b/other-cel/ensure-probes-different/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..6812ebacc --- /dev/null +++ b/other-cel/ensure-probes-different/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,22 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: validate-probes +policies: +- ../ensure-probes-different.yaml +resources: +- resource.yaml +results: +- kind: Deployment + policy: validate-probes + resources: + - mydeploy-2 + result: fail + rule: validate-probes +- kind: Deployment + policy: validate-probes + resources: + - mydeploy-1 + result: pass + rule: validate-probes + diff --git a/other-cel/ensure-probes-different/.kyverno-test/resource.yaml b/other-cel/ensure-probes-different/.kyverno-test/resource.yaml new file mode 100644 index 000000000..6f524a756 --- /dev/null +++ b/other-cel/ensure-probes-different/.kyverno-test/resource.yaml 
@@ -0,0 +1,67 @@ +# "Liveness and readiness probes are not same." +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + name: mydeploy-1 +spec: + replicas: 1 + selector: + matchLabels: + app: goproxy + template: + metadata: + name: goproxy + labels: + app: goproxy + spec: + containers: + - name: goproxy + image: registry.k8s.io/goproxy:0.1 + ports: + - containerPort: 8080 + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 10 + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 15 + periodSeconds: 20 + +--- +# "Liveness and readiness probes are same." +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + name: mydeploy-2 +spec: + replicas: 1 + selector: + matchLabels: + app: goproxy + template: + metadata: + name: goproxy + labels: + app: goproxy + spec: + containers: + - name: goproxy + image: registry.k8s.io/goproxy:0.1 + ports: + - containerPort: 8080 + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 10 + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 10 + diff --git a/other-cel/ensure-probes-different/artifacthub-pkg.yml b/other-cel/ensure-probes-different/artifacthub-pkg.yml new file mode 100644 index 000000000..f90d1059f --- /dev/null +++ b/other-cel/ensure-probes-different/artifacthub-pkg.yml 
@@ -0,0 +1,24 @@ +name: ensure-probes-different-cel +version: 1.0.0 +displayName: Validate Probes in CEL expressions +description: >- + Liveness and readiness probes accomplish different goals, and setting both to the same is an anti-pattern and often results in app problems in the future. This policy checks that liveness and readiness probes are not equal. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/ensure-probes-different/ensure-probes-different.yaml + ``` +keywords: + - kyverno + - Sample + - CEL Expressions +readme: | + Liveness and readiness probes accomplish different goals, and setting both to the same is an anti-pattern and often results in app problems in the future. This policy checks that liveness and readiness probes are not equal. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Sample in CEL" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod" +digest: cbafa29e49ec48f7378157f69fa77a53c07fb40dc4c542738a8f31331689f5be +createdAt: "2024-03-31T11:12:02Z" + diff --git a/other-cel/ensure-probes-different/ensure-probes-different.yaml b/other-cel/ensure-probes-different/ensure-probes-different.yaml new file mode 100644 index 000000000..241ac246d --- /dev/null +++ b/other-cel/ensure-probes-different/ensure-probes-different.yaml 
@@ -0,0 +1,38 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate-probes
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+ policies.kyverno.io/title: Validate Probes in CEL expressions
+ policies.kyverno.io/category: Sample in CEL
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ Liveness and readiness probes accomplish different goals, and setting both to the same
+ is an anti-pattern and often results in app problems in the future. This policy
+ checks that liveness and readiness probes are not equal. Keep in mind that if both the
+ probes are not set, they are considered to be equal and hence fails the check.
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: validate-probes
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ - DaemonSet
+ - StatefulSet
+ validate:
+ cel:
+ expressions:
+ - expression: >-
+ !object.spec.template.spec.containers.exists(container,
+ has(container.readinessProbe) && has(container.livenessProbe) &&
+ container.readinessProbe == container.livenessProbe)
+ message: "Liveness and readiness probes cannot be the same."
+
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-02.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-02.yaml
new file mode 100644
index 000000000..be990147d
--- /dev/null
+++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-02.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-02
+spec:
+ containers:
+ - name: test-webserver
+ image: asdfeasdfasada:latest
+ volumeMounts:
+ - mountPath: /some/dir
+ name: foo
+ readOnly: false
+ volumes:
+ - name: foo
+ hostPath:
+ path: /var/log
+
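Review bot: The last sentence of the description, `Keep in mind that if both the probes are not set, they are considered to be equal and hence fails the check.`, contradicts the expression: `has(container.readinessProbe) && has(container.livenessProbe) &&` makes a container with neither probe pass, and the podcontrollers-good.yaml fixture relies on single-probe containers passing. If pass-when-absent is the intended CEL behaviour, replace that sentence with `Containers that set only one probe, or none, pass this check.`; if the original semantics were intended, the exists() body needs an explicit `(!has(container.readinessProbe) && !has(container.livenessProbe)) ||` clause and a fixture covering it. It would also help to note in the description that `pod-policies.kyverno.io/autogen-controllers: none` together with the explicit kinds list means bare Pods, Jobs and CronJobs are not checked.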
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-03.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-03.yaml new file mode 100644 index 000000000..351cf44bc --- /dev/null +++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-03.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod-03 +spec: + containers: + - name: test-webserver + image: asdfeasdfasada:latest + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + - mountPath: /etc + name: bar + volumes: + - name: foo + hostPath: + path: /var/log + - name: bar + hostPath: + path: /etc + diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-04.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-04.yaml new file mode 100644 index 000000000..4b0703656 --- /dev/null +++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-04.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod-04 +spec: + containers: + - name: test-webserver + image: asdfeasdfasada:latest + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + - mountPath: /etc + name: bar + readOnly: false + volumes: + - name: foo + hostPath: + path: /var/log + - name: bar + hostPath: + path: /etc + diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-05.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-05.yaml new file mode 100644 index 000000000..9f803e8ec --- /dev/null +++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-05.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod-05 +spec: + containers: + - name: test-webserver + image: asdfeasdfasada:latest + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + - mountPath: /etc + name: bar + - name: test-webserver02 + image: sjbonmqopcta:latest + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + volumes: + - name: foo + hostPath: + path: /var/log + - name: bar + hostPath: + path: /etc + diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pods-all.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pods-all.yaml new file mode 100644 index 000000000..8783a36ea --- /dev/null +++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pods-all.yaml @@ -0,0 +1,40 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pods-all +spec: + ephemeralContainers: + - name: ephemtest-webserver + image: asdfeasdfasada:latest + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: false + initContainers: + - name: inittest-webserver + image: asdfeasdfasada:latest + volumeMounts: + - mountPath: /some/dir + name: bar + readOnly: true + containers: + - name: test-webserver + image: asdfeasdfasada:latest + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + - name: test-webserver02 + image: sjbonmqopcta:latest + volumeMounts: + - mountPath: /some/dir + name: bar + readOnly: true + volumes: + - name: foo + hostPath: + path: /var/log + - name: bar + hostPath: + path: /etc + diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..d6e330389 --- /dev/null +++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml 
@@ -0,0 +1,66 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: ensure-readonly-hostpath +spec: + steps: + - name: step-01 + try: + - apply: + file: ../ensure-readonly-hostpath.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: ensure-readonly-hostpath + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: pods-good.yaml + - apply: + file: ../.kyverno-test/good-pod-01.yaml + - apply: + expect: + - check: + ($error != null): true + file: pods-bad.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../.kyverno-test/bad-pod-01.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-pod-02.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-pod-03.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-pod-04.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-pod-05.yaml + - apply: + file: podcontrollers-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontrollers-bad.yaml + diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/good-pods-all.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/good-pods-all.yaml new file mode 100644 index 000000000..ebc36fa0b --- /dev/null +++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/good-pods-all.yaml 
@@ -0,0 +1,37 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pods-all +spec: + ephemeralContainers: + - name: ephemtest-webserver + image: asdfeasdfasada:latest + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + initContainers: + - name: inittest-webserver + image: fjtyonaq:latest + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + containers: + - name: test-webserver + image: asdfeasdfasada:latest + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + - name: test-webserver02 + image: sjbonmqopcta:latest + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + volumes: + - name: foo + hostPath: + path: /var/log + diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml new file mode 100644 index 000000000..3ecab0318 --- /dev/null +++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml 
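Review bot: `name: bad-pods-all` in good-pods-all.yaml looks copied from bad-pods-all.yaml; it should be `name: good-pods-all` so both fixtures can exist in one namespace and a failure is attributable to the right file. Neither good-pods-all.yaml nor bad-pods-all.yaml is referenced from the chainsaw-test.yaml hunk above, so the ephemeralContainers branch of `allContainers` in ensure-readonly-hostpath.yaml is not exercised anywhere in this commit (initContainers are covered via pods-*.yaml and podcontrollers-*.yaml). If the API server rejects `ephemeralContainers` on Pod create, as I believe it does, the kyverno-test resources list is the better place for these two fixtures; otherwise wire them into step-02 or drop them.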
@@ -0,0 +1,75 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + initContainers: + - name: busybox-init + image: busybox:1.35 + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + - mountPath: /some/another/dir + name: foo + readOnly: false + containers: + - name: busybox + image: busybox:1.35 + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + volumes: + - name: foo + hostPath: + path: /var/log +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + app: busybox + spec: + initContainers: + - name: busybox-init + image: busybox:1.35 + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + - mountPath: /some/another/dir + name: foo + readOnly: false + containers: + - name: busybox + image: busybox:1.35 + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + volumes: + - name: foo + hostPath: + path: /var/log + restartPolicy: OnFailure + diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml new file mode 100644 index 000000000..d7d6eaac7 --- /dev/null +++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml 
@@ -0,0 +1,75 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + initContainers: + - name: busybox-init + image: busybox:1.35 + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + - mountPath: /some/another/dir + name: foo + readOnly: true + containers: + - name: busybox + image: busybox:1.35 + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + volumes: + - name: foo + hostPath: + path: /var/log +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + app: busybox + spec: + initContainers: + - name: busybox-init + image: busybox:1.35 + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + - mountPath: /some/another/dir + name: foo + readOnly: true + containers: + - name: busybox + image: busybox:1.35 + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + volumes: + - name: foo + hostPath: + path: /var/log + restartPolicy: OnFailure + diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml new file mode 100644 index 000000000..b11e3fc29 --- /dev/null +++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + initContainers: + - name: busybox-init + image: busybox:1.35 + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + - mountPath: /some/another/dir + name: foo + readOnly: false + containers: + - name: busybox + image: busybox:1.35 + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + volumes: + - name: foo + hostPath: + path: /var/log + 
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml new file mode 100644 index 000000000..15a373855 --- /dev/null +++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + initContainers: + - name: busybox-init + image: busybox:1.35 + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + - mountPath: /some/another/dir + name: foo + readOnly: true + containers: + - name: busybox + image: busybox:1.35 + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + volumes: + - name: foo + hostPath: + path: /var/log + diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml new file mode 100755 index 000000000..b9b225ce6 --- /dev/null +++ b/other-cel/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,7 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: ensure-readonly-hostpath +status: + ready: true + diff --git a/other-cel/ensure-readonly-hostpath/.kyverno-test/bad-pod-01.yaml b/other-cel/ensure-readonly-hostpath/.kyverno-test/bad-pod-01.yaml new file mode 100644 index 000000000..51839206c --- /dev/null +++ b/other-cel/ensure-readonly-hostpath/.kyverno-test/bad-pod-01.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod-01 +spec: + containers: + - name: test-webserver + image: asdfeasdfasada:latest + volumeMounts: + - mountPath: /some/dir + name: foo + volumes: + - name: foo + hostPath: + path: /var/log + diff --git a/other-cel/ensure-readonly-hostpath/.kyverno-test/good-pod-01.yaml b/other-cel/ensure-readonly-hostpath/.kyverno-test/good-pod-01.yaml new file mode 100644 index 000000000..9c6331dcf --- /dev/null +++ b/other-cel/ensure-readonly-hostpath/.kyverno-test/good-pod-01.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: good-pod-01 +spec: + containers: + - name: test-webserver + image: asdfeasdfasada:latest + volumeMounts: + - mountPath: /some/dir + name: foo + readOnly: true + volumes: + - name: foo + hostPath: + path: /var/log + diff --git a/other-cel/ensure-readonly-hostpath/.kyverno-test/kyverno-test.yaml b/other-cel/ensure-readonly-hostpath/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..e37b5e0c3 --- /dev/null +++ b/other-cel/ensure-readonly-hostpath/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,23 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: ensure-readonly-hostpath +policies: +- ../ensure-readonly-hostpath.yaml +resources: +- good-pod-01.yaml +- bad-pod-01.yaml +results: +- kind: Pod + policy: ensure-readonly-hostpath + resources: + - bad-pod-01 + result: fail + rule: ensure-hostpaths-readonly +- kind: Pod + policy: ensure-readonly-hostpath + resources: + - good-pod-01 + result: pass + rule: ensure-hostpaths-readonly + diff --git a/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml b/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml new file mode 100644 index 000000000..1c09131ab --- /dev/null +++ b/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml 
@@ -0,0 +1,24 @@ +name: ensure-readonly-hostpath-cel +version: 1.0.0 +displayName: Ensure Read Only hostPath in CEL expressions +description: >- + Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk even if confined to a "safe" file system on the host and may escape those confines (see https://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts). The only true way to ensure safety is to enforce that all Pods mounting hostPath volumes do so in read only mode. This policy checks all containers for any hostPath volumes and ensures they are explicitly mounted in readOnly mode. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml + ``` +keywords: + - kyverno + - Other + - CEL Expressions +readme: | + Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk even if confined to a "safe" file system on the host and may escape those confines (see https://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts). The only true way to ensure safety is to enforce that all Pods mounting hostPath volumes do so in read only mode. This policy checks all containers for any hostPath volumes and ensures they are explicitly mounted in readOnly mode. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other in CEL" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod" +digest: 5335b84399ed1bb06e70489940d2555cff0c97f7f937aac0fbdf8ee0a188ace1 +createdAt: "2024-04-05T17:39:16Z" + diff --git a/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml b/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml new file mode 100644 index 000000000..ea97b78be --- /dev/null +++ b/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml 
@@ -0,0 +1,43 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: ensure-readonly-hostpath + annotations: + policies.kyverno.io/title: Ensure Read Only hostPath in CEL expressions + policies.kyverno.io/category: Other in CEL + policies.kyverno.io/severity: medium + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kyverno-version: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk + even if confined to a "safe" file system on the host and may escape those confines (see + https://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts). The only true way + to ensure safety is to enforce that all Pods mounting hostPath volumes do so in read only + mode. This policy checks all containers for any hostPath volumes and ensures they are + explicitly mounted in readOnly mode. +spec: + background: false + validationFailureAction: Audit + rules: + - name: ensure-hostpaths-readonly + match: + any: + - resources: + kinds: + - Pod + validate: + cel: + variables: + - name: allContainers + expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" + - name: hostPathVolumes + expression: "has(object.spec.volumes) ? object.spec.volumes.filter(volume, has(volume.hostPath)) : []" + expressions: + - expression: >- + variables.hostPathVolumes.all(hostPath, variables.allContainers.all(container, + !has(container.volumeMounts) || + container.volumeMounts.all(volume, (hostPath.name != volume.name) || has(volume.readOnly) && volume.readOnly == true))) + message: All hostPath volumes must be mounted as readOnly. + 
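Review bot: The `readOnly` check in the `- expression: >-` block only inspects `container.volumeMounts`, so the description's claim that read-only mounting is "the only true way to ensure safety" overstates what the rule verifies: a hostPath consumed through `volumeDevices` rather than `volumeMounts` (if the volume type allows it) is never looked at, and a read-only bind mount of a path that holds a Unix socket does not prevent a process from connecting to that socket. A hostPath volume declared under `spec.volumes` that no container mounts also passes, which is reasonable but should be stated. Suggested addition to `policies.kyverno.io/description`: `This policy only validates volumeMounts of hostPath volumes; it does not restrict which host paths may be used and should be paired with a policy that does.` Separately, `background: false` is set although the expression reads only `object`, so the rule appears safe to run as a background scan over existing Pods; if the setting is deliberate, a one-line comment above it saying why would save the next reader from flipping it.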
diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..5025169a3 --- /dev/null +++ b/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,39 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: forbid-cpu-limits +spec: + steps: + - name: step-01 + try: + - apply: + file: ../forbid-cpu-limits.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: forbid-cpu-limits + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: pods-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pods-bad.yaml + - apply: + file: podcontrollers-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontrollers-bad.yaml + diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml new file mode 100644 index 000000000..30cd26d52 --- /dev/null +++ b/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml 
@@ -0,0 +1,100 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + resources: + limits: + cpu: 10m +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: webserver1 + image: busybox:1.35 + resources: + requests: + cpu: 10m + - name: webserver2 + image: busybox:1.35 + resources: + limits: + cpu: 10m +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + resources: + limits: + cpu: 10m + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: webserver1 + image: busybox:1.35 + resources: + requests: + cpu: 10m + - name: webserver2 + image: busybox:1.35 + resources: + limits: + cpu: 10m + restartPolicy: OnFailure + diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml new file mode 100644 index 000000000..03c668ef2 --- /dev/null +++ b/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml 
@@ -0,0 +1,84 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + resources: + requests: + cpu: 10m +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox + resources: + requests: + cpu: 10m + restartPolicy: OnFailure + diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml new file mode 100644 index 000000000..f24adfe86 --- /dev/null +++ b/other-cel/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad01 +spec: + containers: + - name: webserver1 + image: busybox:1.35 + resources: + limits: + cpu: 10m +--- +apiVersion: v1 +kind: Pod +metadata: + name: bad02 +spec: + containers: + - name: webserver1 + image: busybox:1.35 + resources: + requests: + cpu: 10m + - name: webserver2 + image: busybox:1.35 + resources: + limits: + cpu: 10m + 
diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/pods-good.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/pods-good.yaml new file mode 100644 index 000000000..97629fef4 --- /dev/null +++ b/other-cel/forbid-cpu-limits/.chainsaw-test/pods-good.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: good01 +spec: + containers: + - name: webserver1 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: good02 +spec: + containers: + - name: webserver1 + image: busybox:1.35 + resources: + requests: + cpu: 10m + diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml new file mode 100755 index 000000000..2babcc6e6 --- /dev/null +++ b/other-cel/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,7 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: forbid-cpu-limits +status: + ready: true + diff --git a/other-cel/forbid-cpu-limits/.kyverno-test/kyverno-test.yaml b/other-cel/forbid-cpu-limits/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..7e3a2c5ef --- /dev/null +++ b/other-cel/forbid-cpu-limits/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,24 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: forbid-cpu-limits +policies: +- ../forbid-cpu-limits.yaml +resources: +- resource.yaml +results: +- kind: Pod + policy: forbid-cpu-limits + resources: + - bad01 + - bad02 + result: fail + rule: check-cpu-limits +- kind: Pod + policy: forbid-cpu-limits + resources: + - good01 + - good02 + result: pass + rule: check-cpu-limits + diff --git a/other-cel/forbid-cpu-limits/.kyverno-test/resource.yaml b/other-cel/forbid-cpu-limits/.kyverno-test/resource.yaml new file mode 100644 index 000000000..f29885f30 --- /dev/null +++ b/other-cel/forbid-cpu-limits/.kyverno-test/resource.yaml 
@@ -0,0 +1,50 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad01 +spec: + containers: + - name: webserver1 + image: busybox:1.35 + resources: + limits: + cpu: 10m +--- +apiVersion: v1 +kind: Pod +metadata: + name: bad02 +spec: + containers: + - name: webserver1 + image: busybox:1.35 + resources: + requests: + cpu: 10m + - name: webserver2 + image: busybox:1.35 + resources: + limits: + cpu: 10m +--- +apiVersion: v1 +kind: Pod +metadata: + name: good01 +spec: + containers: + - name: webserver1 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: good02 +spec: + containers: + - name: webserver1 + image: busybox:1.35 + resources: + requests: + cpu: 10m + diff --git a/other-cel/forbid-cpu-limits/artifacthub-pkg.yml b/other-cel/forbid-cpu-limits/artifacthub-pkg.yml new file mode 100644 index 000000000..3e86cb948 --- /dev/null +++ b/other-cel/forbid-cpu-limits/artifacthub-pkg.yml 
@@ -0,0 +1,24 @@ +name: forbid-cpu-limits-cel +version: 1.0.0 +displayName: Forbid CPU Limits in CEL expressions +description: >- + Setting of CPU limits is a debatable poor practice as it can result, when defined, in potentially starving applications of much-needed CPU cycles even when they are available. Ensuring that CPU limits are not set may ensure apps run more effectively. This policy forbids any container in a Pod from defining CPU limits. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml + ``` +keywords: + - kyverno + - Other + - CEL Expressions +readme: | + Setting of CPU limits is a debatable poor practice as it can result, when defined, in potentially starving applications of much-needed CPU cycles even when they are available. Ensuring that CPU limits are not set may ensure apps run more effectively. This policy forbids any container in a Pod from defining CPU limits. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other in CEL" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod" +digest: 2865e5f92968f90e090aff597937ab7db3e3e5939c32cb84c84f881970dedae6 +createdAt: "2024-04-01T15:35:47Z" + diff --git a/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml b/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml new file mode 100644 index 000000000..b94b55756 --- /dev/null +++ b/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml 
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: forbid-cpu-limits
+ annotations:
+ policies.kyverno.io/title: Forbid CPU Limits in CEL expressions
+ policies.kyverno.io/category: Other in CEL
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/description: >-
+ Setting of CPU limits is a debatable poor practice as it can result, when defined, in potentially starving
+ applications of much-needed CPU cycles even when they are available. Ensuring that CPU limits are not
+ set may ensure apps run more effectively. This policy forbids any container in a Pod from defining CPU limits.
+spec:
+ background: true
+ validationFailureAction: Audit
+ rules:
+ - name: check-cpu-limits
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ cel:
+ expressions:
+ - expression: >-
+ !object.spec.containers.exists(container,
+ has(container.resources) && has(container.resources.limits) && has(container.resources.limits.cpu))
+ message: Containers may not define CPU limits.
+
diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..aadc8a25e
--- /dev/null
+++ b/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml
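Review bot: The expression under `- expression: >-` only walks `object.spec.containers`, so an initContainer or ephemeralContainer that sets `resources.limits.cpu` passes even though the description says the policy forbids any container in a Pod from defining CPU limits; the sibling ensure-readonly-hostpath.yaml in this same commit already builds an `allContainers` variable covering all three lists, and reusing it here keeps the two policies consistent. Either the description should be narrowed to regular containers or the rule widened as below, in which case `.kyverno-test/resource.yaml` also needs a Pod with a CPU limit on an initContainer so the case is covered. Separately, this policy carries neither `policies.kyverno.io/severity` nor `policies.kyverno.io/minversion`, both of which ensure-readonly-hostpath.yaml and imagepullpolicy-always.yaml set; since the `cel` validate block needs Kyverno 1.11, `policies.kyverno.io/minversion: 1.11.0` should be added for parity.
```yaml
        cel:
          variables:
            - name: allContainers
              expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
          expressions:
            - expression: >-
                !variables.allContainers.exists(container,
                has(container.resources) && has(container.resources.limits) && has(container.resources.limits.cpu))
              # … unchanged: message …
```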
@@ -0,0 +1,39 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: imagepullpolicy-always +spec: + steps: + - name: step-01 + try: + - apply: + file: ../imagepullpolicy-always.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: imagepullpolicy-always + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml + diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml new file mode 100644 index 000000000..6949ea364 --- /dev/null +++ b/other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml @@ -0,0 +1,45 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: pod01 + image: busybox:latest + imagePullPolicy: Never +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: pod01 + image: busybox + imagePullPolicy: IfNotPresent +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: pod01 + image: busybox:latest + imagePullPolicy: Always + - name: pod02 + image: busybox:latest + imagePullPolicy: IfNotPresent +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: pod01 + image: busybox:latest + imagePullPolicy: Never + - name: pod02 + image: busybox:1.35 + diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml new file mode 100644 index 000000000..e95c6524f 
--- /dev/null +++ b/other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml @@ -0,0 +1,62 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: pod01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: pod01 + image: busybox # by default, imagePullPolicy: Always +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: pod01 + image: busybox:latest # by default, imagePullPolicy: Always +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + containers: + - name: pod01 + image: busybox:latest + imagePullPolicy: Always +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + containers: + - name: pod01 + image: busybox:latest + imagePullPolicy: Always + - name: pod02 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + containers: + - name: pod01 + image: busybox:1.35 + imagePullPolicy: IfNotPresent + - name: pod02 + image: busybox:latest + imagePullPolicy: Always + diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml new file mode 100644 index 000000000..aa3f6ecf1 --- /dev/null +++ b/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml 
@@ -0,0 +1,48 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: bb01 + image: busybox:1.35 + - name: bb02 + image: busybox:latest + imagePullPolicy: Never + - name: bb03 + image: busybox + imagePullPolicy: IfNotPresent +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: bb01 + image: busybox:latest + imagePullPolicy: Never + - name: bb02 + image: busybox:1.35 + - name: bb03 + image: busybox + imagePullPolicy: IfNotPresent + restartPolicy: OnFailure + diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml new file mode 100644 index 000000000..2e93055ba --- /dev/null +++ b/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml @@ -0,0 +1,44 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: bb01 + image: busybox:1.35 + - name: bb02 + image: busybox:latest + - name: bb03 + image: busybox +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: bb01 + image: busybox:1.35 + - name: bb02 + image: busybox:latest + - name: bb03 + image: busybox + restartPolicy: OnFailure + diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml new file mode 100755 index 000000000..843ff7ef8 --- /dev/null 
+++ b/other-cel/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,7 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: imagepullpolicy-always +status: + ready: true + diff --git a/other-cel/imagepullpolicy-always/.kyverno-test/kyverno-test.yaml b/other-cel/imagepullpolicy-always/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..c5406a07a --- /dev/null +++ b/other-cel/imagepullpolicy-always/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,34 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: imagepullpolicy-always +policies: +- ../imagepullpolicy-always.yaml +resources: +- resource.yaml +results: +- kind: Deployment + policy: imagepullpolicy-always + resources: + - mydeploy1 + result: fail + rule: imagepullpolicy-always +- kind: Pod + policy: imagepullpolicy-always + resources: + - myapp-pod-2 + result: fail + rule: imagepullpolicy-always +- kind: Deployment + policy: imagepullpolicy-always + resources: + - mydeploy2 + result: pass + rule: imagepullpolicy-always +- kind: Pod + policy: imagepullpolicy-always + resources: + - myapp-pod-1 + result: pass + rule: imagepullpolicy-always + diff --git a/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml b/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml new file mode 100644 index 000000000..4df92e40f --- /dev/null +++ b/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml 
@@ -0,0 +1,68 @@ +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod-1 + labels: + app: myapp-1 +spec: + containers: + - name: nginx + image: nginx:latest + imagePullPolicy: "Always" + +--- +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod-2 + labels: + app: myapp-2 +spec: + containers: + - name: nginx + image: nginx:latest + imagePullPolicy: "IfNotPresent" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mydeploy1 +spec: + replicas: 2 + selector: + matchLabels: + app: myapp + template: + metadata: + labels: + app: myapp + spec: + containers: + - name: nginx + image: nginx + imagePullPolicy: "IfNotPresent" + ports: + - containerPort: 80 + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mydeploy2 +spec: + replicas: 2 + selector: + matchLabels: + app: myapp + template: + metadata: + labels: + app: myapp + spec: + containers: + - name: nginx + image: nginx + imagePullPolicy: "Always" + ports: + - containerPort: 80 + diff --git a/other-cel/imagepullpolicy-always/artifacthub-pkg.yml b/other-cel/imagepullpolicy-always/artifacthub-pkg.yml new file mode 100644 index 000000000..53537fb8b --- /dev/null +++ b/other-cel/imagepullpolicy-always/artifacthub-pkg.yml 
@@ -0,0 +1,24 @@ +name: imagepullpolicy-always-cel +version: 1.0.0 +displayName: Require imagePullPolicy Always in CEL expressions +description: >- + If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or where a tag is not defined at all. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml + ``` +keywords: + - kyverno + - Sample + - CEL Expressions +readme: | + If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or where a tag is not defined at all. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Sample in CEL" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod" +digest: a6708df7cd59fcd4dc4f764ff01541940f39eca5d4ddffd9529d83090e511b47 +createdAt: "2024-04-03T17:41:38Z" + diff --git a/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml b/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml new file mode 100644 index 000000000..951d07495 --- /dev/null +++ b/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml 
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: imagepullpolicy-always
+ annotations:
+ policies.kyverno.io/title: Require imagePullPolicy Always in CEL expressions
+ policies.kyverno.io/category: Sample in CEL
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/description: >-
+ If the `latest` tag is allowed for images, it is a good idea to have the
+ imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future
+ pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always`
+ when the `latest` tag is specified explicitly or where a tag is not defined at all.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: imagepullpolicy-always
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ cel:
+ expressions:
+ - expression: >-
+ object.spec.containers.all(container,
+ (container.image.endsWith(':latest') || !container.image.contains(':')) ?
+ container.imagePullPolicy == 'Always' : true)
+ message: >-
+ The imagePullPolicy must be set to `Always` when the tag `latest` is used.
+
diff --git a/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml b/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..ab409abe4
--- /dev/null
+++ b/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml
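Review bot: `container.imagePullPolicy == 'Always'` on the expression line reads the field unconditionally, so a `:latest` or untagged image that arrives without `imagePullPolicy` makes the CEL evaluation error on a missing key rather than yield a verdict; at admission the API server has already defaulted the field, but `kyverno test`/`kyverno apply` against raw manifests would not have it, and the goodpod02/goodpod03 fixtures in pod-good.yaml rely on that defaulting. Guarding the access keeps the rule evaluable in both paths and matches Kubernetes defaulting for those tags: `!has(container.imagePullPolicy) || container.imagePullPolicy == 'Always'`. The tag test `!container.image.contains(':')` also treats any ':' as a tag, so an untagged image from a registry with a port (illustrative: `registry.example.com:5000/app`) is skipped; testing only the last path segment, e.g. `!container.image.substring(container.image.lastIndexOf('/') + 1).contains(':')`, avoids that, assuming Kyverno's CEL environment exposes the Kubernetes string extensions, which I have not verified for 1.11. Last, the policy sits under `other-cel/` but is categorized `Sample in CEL` while its siblings in the directory use `Other in CEL`; if that mirrors the non-CEL original it is fine, otherwise the category should follow the directory.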
@@ -0,0 +1,32 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: ingress-host-match-tls +spec: + steps: + - name: step-01 + try: + - apply: + file: ../ingress-host-match-tls.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: ingress-host-match-tls + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: ingress-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ingress-bad.yaml + diff --git a/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-bad.yaml b/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-bad.yaml new file mode 100644 index 000000000..4ac1a456a --- /dev/null +++ b/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-bad.yaml 
@@ -0,0 +1,83 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: badingress01 +spec: + ingressClassName: someingress + rules: + - host: endpoint01 + http: + paths: + - backend: + service: + name: demo-svc + port: + number: 8080 + path: / + pathType: Prefix + tls: + - hosts: + - endpoint99 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: badingress02 +spec: + ingressClassName: someingress + rules: + - host: endpoint01 + http: + paths: + - backend: + service: + name: demo-svc + port: + number: 8080 + path: / + pathType: Prefix + - host: endpoint02 + http: + paths: + - backend: + service: + name: demo-svc + port: + number: 8080 + path: / + pathType: Prefix + tls: + - hosts: + - endpoint03 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: badingress03 +spec: + ingressClassName: someingress + rules: + - host: endpoint01 + http: + paths: + - backend: + service: + name: demo-svc + port: + number: 8080 + path: / + pathType: Prefix + - host: endpoint02 + http: + paths: + - backend: + service: + name: demo-svc + port: + number: 8080 + path: / + pathType: Prefix + tls: + - hosts: + - endpoint01 + diff --git a/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-good.yaml b/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-good.yaml new file mode 100644 index 000000000..c1ef3d3dd --- /dev/null +++ b/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-good.yaml 
@@ -0,0 +1,202 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: goodingress01 +spec: + ingressClassName: someingress + rules: + - host: endpoint01 + http: + paths: + - backend: + service: + name: demo-svc + port: + number: 8080 + path: / + pathType: Prefix + tls: + - hosts: + - endpoint01 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: goodingress02 +spec: + ingressClassName: nginx-int + rules: + - host: endpoint01 + http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 + - host: endpoint02 + http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 + tls: + - hosts: + - endpoint01 + - endpoint02 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: goodingress03 +spec: + ingressClassName: nginx-int + rules: + - host: endpoint01 + http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 + - host: endpoint02 + http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 + tls: + - hosts: + - endpoint02 + - endpoint01 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: goodingress04 +spec: + ingressClassName: nginx-int + rules: + - host: endpoint02 + http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 + - host: endpoint01 + http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 + tls: + - hosts: + - endpoint01 + - endpoint02 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: goodingress05 +spec: + ingressClassName: nginx-int + rules: + - host: foo.bar.com + http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 + - host: endpoint02 + http: + paths: + - path: /testpath + pathType: Prefix + 
backend: + service: + name: test + port: + number: 80 + tls: + - hosts: + - endpoint02 + - foo.bar.com +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: goodingress06 +spec: + ingressClassName: nginx-int + rules: + - host: endpoint01 + http: + paths: + - path: /foo + pathType: Prefix + backend: + service: + name: bar + port: + number: 80 + - host: "*.foo.com" + http: + paths: + - path: /bar + pathType: Prefix + backend: + service: + name: test + port: + number: 80 + tls: + - hosts: + - endpoint01 + - "*.foo.com" +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: goodingress07 +spec: + defaultBackend: + resource: + apiGroup: k8s.example.com + kind: StorageBucket + name: foo-bar + rules: + - http: + paths: + - path: /foo + pathType: ImplementationSpecific + backend: + resource: + apiGroup: k8s.example.com + kind: StorageBucket + name: foo-bar + diff --git a/other-cel/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml b/other-cel/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml new file mode 100755 index 000000000..e9271befe --- /dev/null +++ b/other-cel/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,7 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: ingress-host-match-tls +status: + ready: true + diff --git a/other-cel/ingress-host-match-tls/.kyverno-test/kyverno-test.yaml b/other-cel/ingress-host-match-tls/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..0ce9eb5ef --- /dev/null +++ b/other-cel/ingress-host-match-tls/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,26 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: ingress-host-match-tls +policies: +- ../ingress-host-match-tls.yaml +resources: +- resource.yaml +results: +- kind: Ingress + policy: ingress-host-match-tls + resources: + - badingress01 + - badingress02 + result: fail + rule: host-match-tls +- kind: Ingress + policy: ingress-host-match-tls + resources: + - goodingress01 + - goodingress02 + - goodingress03 + - goodingress04 + result: pass + rule: host-match-tls + diff --git a/other-cel/ingress-host-match-tls/.kyverno-test/resource.yaml b/other-cel/ingress-host-match-tls/.kyverno-test/resource.yaml new file mode 100644 index 000000000..b83e8bf7f --- /dev/null +++ b/other-cel/ingress-host-match-tls/.kyverno-test/resource.yaml 
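Review bot: The CLI test only lists badingress01/02 and goodingress01-04, while the chainsaw fixtures added in this same commit also exercise badingress03 (two rule hosts with only one in `tls.hosts`), goodingress05 (mixed FQDN and short hosts), goodingress06 (a `*.foo.com` wildcard host) and goodingress07 (a rule with no `host` and no `tls` at all); those are the cases most likely to behave differently in a CEL expression, and `kyverno test` currently never sees them. Adding them to `.kyverno-test/resource.yaml` with matching `results` entries would keep the two suites at parity. The policy file itself is not in this hunk, so whether goodingress07 is expected to pass is inferred only from its placement in the chainsaw `ingress-good.yaml`.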
@@ -0,0 +1,170 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: badingress01 +spec: + ingressClassName: someingress + rules: + - host: endpoint01 + http: + paths: + - backend: + service: + name: demo-svc + port: + number: 8080 + path: / + pathType: Prefix + tls: + - hosts: + - endpoint99 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: badingress02 +spec: + ingressClassName: someingress + rules: + - host: endpoint01 + http: + paths: + - backend: + service: + name: demo-svc + port: + number: 8080 + path: / + pathType: Prefix + - host: endpoint02 + http: + paths: + - backend: + service: + name: demo-svc + port: + number: 8080 + path: / + pathType: Prefix + tls: + - hosts: + - endpoint03 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: goodingress01 +spec: + ingressClassName: someingress + rules: + - host: endpoint01 + http: + paths: + - backend: + service: + name: demo-svc + port: + number: 8080 + path: / + pathType: Prefix + tls: + - hosts: + - endpoint01 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: goodingress02 +spec: + ingressClassName: nginx-int + rules: + - host: endpoint01 + http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 + - host: endpoint02 + http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 + tls: + - hosts: + - endpoint01 + - endpoint02 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: goodingress03 +spec: + ingressClassName: nginx-int + rules: + - host: endpoint01 + http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 + - host: endpoint02 + http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 + tls: + - hosts: + - endpoint02 + - endpoint01 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress 
+metadata: + name: goodingress04 +spec: + ingressClassName: nginx-int + rules: + - host: endpoint02 + http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 + - host: endpoint01 + http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 + tls: + - hosts: + - endpoint01 + - endpoint02 + diff --git a/other-cel/ingress-host-match-tls/artifacthub-pkg.yml b/other-cel/ingress-host-match-tls/artifacthub-pkg.yml new file mode 100644 index 000000000..344cc88d1 --- /dev/null +++ b/other-cel/ingress-host-match-tls/artifacthub-pkg.yml @@ -0,0 +1,24 @@ +name: ingress-host-match-tls-cel +version: 1.0.0 +displayName: Ingress Host Match TLS in CEL expressions +description: >- + Ingress resources which name a host name that is not present in the TLS section can produce ingress routing failures as a TLS certificate may not correspond to the destination host. This policy ensures that the host name in an Ingress rule is also found in the list of TLS hosts. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml + ``` +keywords: + - kyverno + - Other + - CEL Expressions +readme: | + Ingress resources which name a host name that is not present in the TLS section can produce ingress routing failures as a TLS certificate may not correspond to the destination host. This policy ensures that the host name in an Ingress rule is also found in the list of TLS hosts. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other in CEL" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Ingress" +digest: 5442acaa90c6a45509015995028e241374b76d60cc700fbf6dd9f61178ba432f +createdAt: "2024-04-06T17:22:38Z" + 
diff --git a/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml b/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml
new file mode 100644
index 000000000..27bb57185
--- /dev/null
+++ b/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml
@@ -0,0 +1,40 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: ingress-host-match-tls
+ annotations:
+ policies.kyverno.io/title: Ingress Host Match TLS in CEL expressions
+ policies.kyverno.io/category: Other in CEL
+ policies.kyverno.io/severity: medium
+ kyverno.io/kyverno-version: 1.11.0
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/subject: Ingress
+ policies.kyverno.io/description: >-
+ Ingress resources which name a host name that is not present
+ in the TLS section can produce ingress routing failures as a TLS
+ certificate may not correspond to the destination host. This policy
+ ensures that the host name in an Ingress rule is also found
+ in the list of TLS hosts.
+spec:
+ background: false
+ validationFailureAction: Audit
+ rules:
+ - name: host-match-tls
+ match:
+ any:
+ - resources:
+ kinds:
+ - Ingress
+ validate:
+ cel:
+ variables:
+ - name: tls
+ expression: "has(object.spec.tls) ? object.spec.tls : []"
+ expressions:
+ - expression: >-
+ object.spec.rules.all(rule,
+ !has(rule.host) ||
+ variables.tls.exists(tls, has(tls.hosts) && tls.hosts.exists(tlsHost, tlsHost == rule.host)))
+ message: "The host(s) in spec.rules[].host must match those in spec.tls[].hosts[]."
+
diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..9722cde91
--- /dev/null
+++ b/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml
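Review bot: The validate expression dereferences `object.spec.rules` unguarded, but an Ingress may carry only `spec.defaultBackend` with no `rules` at all, and on such an object CEL raises a no-such-key error, which Kyverno surfaces as a rule failure rather than a pass — the `has()` guard used for `spec.tls` in the `tls` variable should be mirrored here, e.g. `!has(object.spec.rules) || object.spec.rules.all(rule, !has(rule.host) || variables.tls.exists(tls, has(tls.hosts) && tls.hosts.exists(tlsHost, tlsHost == rule.host)))`. Two caveats are worth a line in the description: the comparison is an exact string match, so a rule host `bar.foo.com` backed by a TLS entry `*.foo.com` is reported even though that wildcard would normally cover it, and the check only looks at `tls[].hosts`, not at whether the referenced `secretName` exists or holds a certificate for that host. The security reason for the policy is stronger than "routing failures": a rule host absent from `tls` is typically served without TLS or with the controller's default certificate, and that is worth stating in the description. With `background: false`, pre-existing Ingresses are not reported; if that is intentional, note it.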
@@ -0,0 +1,39 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: limit-containers-per-pod +spec: + steps: + - name: step-01 + try: + - apply: + file: ../limit-containers-per-pod.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: limit-containers-per-pod + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml + diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml new file mode 100644 index 000000000..96992623a --- /dev/null +++ b/other-cel/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: pod01 + image: busybox:1.35 + - name: pod02 + image: busybox:1.35 + - name: pod03 + image: busybox:1.35 + - name: pod04 + image: busybox:1.35 + - name: pod05 + image: busybox:1.35 + diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/pod-good.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/pod-good.yaml new file mode 100644 index 000000000..c1f96536b --- /dev/null +++ b/other-cel/limit-containers-per-pod/.chainsaw-test/pod-good.yaml 
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: pod01 + image: busybox:1.35 + - name: pod02 + image: busybox:1.35 + - name: pod03 + image: busybox:1.35 + - name: pod04 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: pod01 + image: busybox:1.35 + - name: pod02 + image: busybox:1.35 + diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml new file mode 100644 index 000000000..718cf5d4d --- /dev/null +++ b/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml @@ -0,0 +1,52 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: bb01 + image: busybox:1.35 + - name: bb02 + image: busybox:1.35 + - name: bb03 + image: busybox:1.35 + - name: bb04 + image: busybox:1.35 + - name: bb05 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: bb01 + image: busybox:1.35 + - name: bb02 + image: busybox:1.35 + - name: bb03 + image: busybox:1.35 + - name: bb04 + image: busybox:1.35 + - name: bb05 + image: busybox:1.35 + restartPolicy: OnFailure + diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml new file mode 100644 index 000000000..1a380e941 --- /dev/null +++ b/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml 
@@ -0,0 +1,48 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: bb01 + image: busybox:1.35 + - name: bb02 + image: busybox:1.35 + - name: bb03 + image: busybox:1.35 + - name: bb04 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: bb01 + image: busybox:1.35 + - name: bb02 + image: busybox:1.35 + - name: bb03 + image: busybox:1.35 + - name: bb04 + image: busybox:1.35 + restartPolicy: OnFailure + diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml new file mode 100755 index 000000000..5623d2644 --- /dev/null +++ b/other-cel/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,7 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: limit-containers-per-pod +status: + ready: true + diff --git a/other-cel/limit-containers-per-pod/.kyverno-test/kyverno-test.yaml b/other-cel/limit-containers-per-pod/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..807b38981 --- /dev/null +++ b/other-cel/limit-containers-per-pod/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,34 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: limit-containers-per-pod +policies: +- ../limit-containers-per-pod.yaml +resources: +- resource.yaml +results: +- kind: CronJob + policy: limit-containers-per-pod + resources: + - mycronjob + result: fail + rule: autogen-cronjob-limit-containers-per-pod +- kind: Deployment + policy: limit-containers-per-pod + resources: + - mydeploy + result: pass + rule: autogen-limit-containers-per-pod +- kind: Pod + policy: limit-containers-per-pod + resources: + - myapp-pod-2 + result: fail + rule: limit-containers-per-pod +- kind: Pod + policy: limit-containers-per-pod + resources: + - myapp-pod-1 + result: pass + rule: limit-containers-per-pod + diff --git a/other-cel/limit-containers-per-pod/.kyverno-test/resource.yaml b/other-cel/limit-containers-per-pod/.kyverno-test/resource.yaml new file mode 100644 index 000000000..e39bdd108 --- /dev/null +++ b/other-cel/limit-containers-per-pod/.kyverno-test/resource.yaml 
@@ -0,0 +1,76 @@ +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod-1 + labels: + app: myapp +spec: + containers: + - name: nginx + image: nginx:latest + +--- +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod-2 + labels: + app: myapp +spec: + containers: + - name: nginx1 + image: nginx:latest + - name: nginx2 + image: nginx:latest + - name: nginx3 + image: nginx:latest + - name: nginx4 + image: nginx:latest + - name: nginx5 + image: nginx:latest + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mydeploy +spec: + replicas: 2 + selector: + matchLabels: + app: myapp + template: + metadata: + labels: + app: myapp + spec: + containers: + - name: nginx + image: nginx + ports: + - containerPort: 80 + +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: mycronjob +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: hello1 + image: busybox + - name: hello2 + image: busybox + - name: hello3 + image: busybox + - name: hello4 + image: busybox + - name: hello5 + image: busybox + restartPolicy: OnFailure + diff --git a/other-cel/limit-containers-per-pod/artifacthub-pkg.yml b/other-cel/limit-containers-per-pod/artifacthub-pkg.yml new file mode 100644 index 000000000..92aa34409 --- /dev/null +++ b/other-cel/limit-containers-per-pod/artifacthub-pkg.yml 
@@ -0,0 +1,24 @@ +name: limit-containers-per-pod-cel +version: 1.0.0 +displayName: Limit Containers per Pod in CEL expressions +description: >- + Pods can have many different containers which are tightly coupled. It may be desirable to limit the amount of containers that can be in a single Pod to control best practice application or so policy can be applied consistently. This policy checks all Pods to ensure they have no more than four containers. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/limit-containers-per-pod/limit-containers-per-pod.yaml + ``` +keywords: + - kyverno + - Sample + - CEL Expressions +readme: | + Pods can have many different containers which are tightly coupled. It may be desirable to limit the amount of containers that can be in a single Pod to control best practice application or so policy can be applied consistently. This policy checks all Pods to ensure they have no more than four containers. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Sample in CEL" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "Pod" +digest: 7916672ede794217fb00144785594818cbb66f409c1d2f0d513cfeb944e92ed1 +createdAt: "2024-04-01T15:48:55Z" + diff --git a/other-cel/limit-containers-per-pod/limit-containers-per-pod.yaml b/other-cel/limit-containers-per-pod/limit-containers-per-pod.yaml new file mode 100644 index 000000000..022377acc --- /dev/null +++ b/other-cel/limit-containers-per-pod/limit-containers-per-pod.yaml 
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: limit-containers-per-pod
+ annotations:
+ policies.kyverno.io/title: Limit Containers per Pod in CEL expressions
+ policies.kyverno.io/category: Sample in CEL
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ Pods can have many different containers which
+ are tightly coupled. It may be desirable to limit the amount of containers that
+ can be in a single Pod to control best practice application or so policy can
+ be applied consistently. This policy checks all Pods to ensure they have
+ no more than four containers.
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: limit-containers-per-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ cel:
+ expressions:
+ - expression: "size(object.spec.containers) <= 4"
+ message: "Pods can only have a maximum of 4 containers."
+
diff --git a/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml b/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..1d18ea171
--- /dev/null
+++ b/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,32 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: limit-hostpath-type-pv
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../limit-hostpath-type-pv.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: limit-hostpath-type-pv
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pv-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pv-bad.yaml
+
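Review bot: The expression `size(object.spec.containers) <= 4` counts only `spec.containers`, so a Pod with four application containers plus any number of `initContainers` (or `ephemeralContainers`) passes, while the description promises "no more than four containers". If that is the intended scope, say so in the description, e.g. `no more than four containers (initContainers and ephemeralContainers are not counted).`; if the intent is the total, extend the count to `size(object.spec.containers) + (has(object.spec.initContainers) ? size(object.spec.initContainers) : 0) <= 4`. The limit is hard-coded both in the expression and in the message, so anyone tuning the number must change two places; a one-line comment above the rule saying so would prevent the message drifting from the check.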
diff --git a/other-cel/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml b/other-cel/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml new file mode 100755 index 000000000..4282df611 --- /dev/null +++ b/other-cel/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,7 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: limit-hostpath-type-pv +status: + ready: true + diff --git a/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-bad.yaml b/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-bad.yaml new file mode 100644 index 000000000..022e4ed2c --- /dev/null +++ b/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-bad.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: bad-pv01 + labels: + type: local +spec: + storageClassName: manual + capacity: + storage: 5Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + hostPath: + path: "/etc" +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: bad-pv02 + labels: + type: local +spec: + storageClassName: manual + capacity: + storage: 5Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + hostPath: + path: "/etc/data/home" + diff --git a/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-good.yaml b/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-good.yaml new file mode 100644 index 000000000..2dd25ac99 --- /dev/null +++ b/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-good.yaml 
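Review bot: The bad-PV fixture only exercises paths that share no prefix with `/data` (`/etc`, `/etc/data/home`), so it cannot detect the prefix-collision weakness of a `startsWith('/data')` check, where a path such as `/database` or `/data-secrets` is accepted. Adding a third document with `path: "/database"` and a fourth with `path: "/data/../etc"` would pin the intended "only /data and its subtree" semantics; as the policy is written those two would currently be admitted, so this is the test that should drive tightening the expression. Keep the existing two cases, which cover the plain mismatch.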
@@ -0,0 +1,32 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: good-pv01 + labels: + type: local +spec: + storageClassName: manual + capacity: + storage: 5Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + hostPath: + path: "/data" +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: good-pv02 + labels: + type: local +spec: + storageClassName: manual + capacity: + storage: 5Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + hostPath: + path: "/data/home" + diff --git a/other-cel/limit-hostpath-type-pv/.kyverno-test/kyverno-test.yaml b/other-cel/limit-hostpath-type-pv/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..c736b0ec1 --- /dev/null +++ b/other-cel/limit-hostpath-type-pv/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,22 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: limit-hostpath-type-pv +policies: +- ../limit-hostpath-type-pv.yaml +resources: +- resource.yaml +results: +- kind: PersistentVolume + policy: limit-hostpath-type-pv + resources: + - bad-pv + result: fail + rule: limit-hostpath-type-pv-to-slash-data +- kind: PersistentVolume + policy: limit-hostpath-type-pv + resources: + - good-pv + result: pass + rule: limit-hostpath-type-pv-to-slash-data + diff --git a/other-cel/limit-hostpath-type-pv/.kyverno-test/resource.yaml b/other-cel/limit-hostpath-type-pv/.kyverno-test/resource.yaml new file mode 100644 index 000000000..dd9a7b597 --- /dev/null +++ b/other-cel/limit-hostpath-type-pv/.kyverno-test/resource.yaml 
@@ -0,0 +1,32 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: good-pv + labels: + type: local +spec: + storageClassName: manual + capacity: + storage: 5Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + hostPath: + path: "/data" +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: bad-pv + labels: + type: local +spec: + storageClassName: manual + capacity: + storage: 5Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + hostPath: + path: "/etc" + diff --git a/other-cel/limit-hostpath-type-pv/artifacthub-pkg.yml b/other-cel/limit-hostpath-type-pv/artifacthub-pkg.yml new file mode 100644 index 000000000..5d0ee14d9 --- /dev/null +++ b/other-cel/limit-hostpath-type-pv/artifacthub-pkg.yml 
@@ -0,0 +1,24 @@ +name: limit-hostpath-type-pv-cel +version: 1.0.0 +displayName: Limit hostPath PersistentVolumes to Specific Directories in CEL expressions +description: >- + hostPath persistentvolumes consume the underlying node's file system. If hostPath volumes are not to be universally disabled, they should be restricted to only certain host paths so as not to allow access to sensitive information. This policy ensures the only directory that can be mounted as a hostPath volume is /data. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml + ``` +keywords: + - kyverno + - Other + - CEL Expressions +readme: | + hostPath persistentvolumes consume the underlying node's file system. If hostPath volumes are not to be universally disabled, they should be restricted to only certain host paths so as not to allow access to sensitive information. This policy ensures the only directory that can be mounted as a hostPath volume is /data. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other in CEL" + kyverno/kubernetesVersion: "1.26-1.27" + kyverno/subject: "PersistentVolume" +digest: 981a66b5f77de02d3f6623b49c02421dd1adf4e9882d96a2e0219de9dba52672 +createdAt: "2024-04-04T17:35:35Z" + diff --git a/other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml b/other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml new file mode 100644 index 000000000..6004e0e42 --- /dev/null +++ b/other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml 
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: limit-hostpath-type-pv
+ annotations:
+ policies.kyverno.io/title: Limit hostPath PersistentVolumes to Specific Directories in CEL expressions
+ policies.kyverno.io/category: Other in CEL
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: PersistentVolume
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
+ policies.kyverno.io/description: >-
+ hostPath persistentvolumes consume the underlying node's file system. If hostPath volumes
+ are not to be universally disabled, they should be restricted to only certain
+ host paths so as not to allow access to sensitive information. This policy ensures
+ the only directory that can be mounted as a hostPath volume is /data.
+spec:
+ background: false
+ validationFailureAction: Audit
+ rules:
+ - name: limit-hostpath-type-pv-to-slash-data
+ match:
+ any:
+ - resources:
+ kinds:
+ - PersistentVolume
+ validate:
+ cel:
+ expressions:
+ - expression: "!has(object.spec.hostPath) || object.spec.hostPath.path.startsWith('/data')"
+ message: hostPath type persistent volumes are confined to /data.
+
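Review bot: `object.spec.hostPath.path.startsWith('/data')` is a string-prefix test, not a directory test, so `/database`, `/data-secrets` or `/datax` are admitted even though the description says only `/data` may be mounted, and nothing rejects a `..` segment such as `/data/../etc`, which the kernel resolves to the parent at mount time unless something earlier normalizes it. Tighten the expression to require the directory itself or a child and to refuse traversal, e.g. `!has(object.spec.hostPath) || ((object.spec.hostPath.path == '/data' || object.spec.hostPath.path.startsWith('/data/')) && !object.spec.hostPath.path.contains('/..'))`. Two limits are worth a sentence in the description: admission control cannot see symlinks under `/data` that point elsewhere on the node, and this rule matches only `PersistentVolume`, so a Pod that declares a `volumes[].hostPath` directly is not covered and needs a Pod-level hostPath policy alongside it. With `background: false` existing PVs are never reported, which for a cluster-scoped resource that is rarely recreated may hide most of the estate; consider `background: true` or note the choice.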