feat: add best practices policies in CEL expressions

best-practices-cel/restrict-node-port/.chainsaw-test/chainsaw-step-01-assert-1.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-nodeport
+status:
+  ready: true

best-practices-cel/restrict-node-port/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,31 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: restrict-node-port
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../restrict-node-port.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: restrict-nodeport
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ../../../best-practices/restrict-node-port/.chainsaw-test/good-services.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ../../../best-practices/restrict-node-port/.chainsaw-test/bad-service-nodeport.yaml

best-practices-cel/restrict-node-port/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,22 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: restrict-node-port
+policies:
+- ../restrict-node-port.yaml
+resources:
+- ../../../best-practices/restrict-node-port/.kyverno-test/resource.yaml
+results:
+- kind: Service
+  policy: restrict-nodeport
+  resources:
+  - badservice01
+  result: fail
+  rule: validate-nodeport
+- kind: Service
+  policy: restrict-nodeport
+  resources:
+  - goodservice01
+  - goodservice02
+  result: pass
+  rule: validate-nodeport

best-practices-cel/restrict-node-port/artifacthub-pkg.yml

@@ -0,0 +1,23 @@
+name: restrict-node-port-cel
+version: 1.0.0
+displayName: Disallow NodePort in CEL expressions
+description: >-
+  A Kubernetes Service of type NodePort uses a host port to receive traffic from any source. A NetworkPolicy cannot be used to control traffic to host ports. Although NodePort Services can be useful, their use must be limited to Services with additional upstream security checks. This policy validates that any new Services do not use the `NodePort` type.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/restrict-node-port/restrict-node-port.yaml
+  ```
+keywords:
+  - kyverno
+  - Best Practices
+  - CEL Expressions
+readme: |
+  A Kubernetes Service of type NodePort uses a host port to receive traffic from any source. A NetworkPolicy cannot be used to control traffic to host ports. Although NodePort Services can be useful, their use must be limited to Services with additional upstream security checks. This policy validates that any new Services do not use the `NodePort` type.
+
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Best Practices in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
+  kyverno/subject: "Service"
+digest: 5c8a4a1f91ddc77b22ae5d75933746f421ee98330cd1c61b7023a0fd004f57b4
+createdAt: "2024-03-06T14:04:34Z"

best-practices-cel/restrict-node-port/restrict-node-port.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-nodeport
+  annotations:
+    policies.kyverno.io/title: Disallow NodePort in CEL expressions
+    policies.kyverno.io/category: Best Practices in CEL 
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Service
+    policies.kyverno.io/description: >-
+      A Kubernetes Service of type NodePort uses a host port to receive traffic from
+      any source. A NetworkPolicy cannot be used to control traffic to host ports.
+      Although NodePort Services can be useful, their use must be limited to Services
+      with additional upstream security checks. This policy validates that any new Services
+      do not use the `NodePort` type.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: validate-nodeport
+    match:
+      any:
+      - resources:
+          kinds:
+          - Service
+    validate:
+      cel:
+        expressions:
+          - expression: "has(object.spec.type) ? (object.spec.type != 'NodePort') : true"
+            message: "Services of type NodePort are not allowed."