2019-05-16 21:37:54 +03:00
package engine
import (
2022-12-09 14:45:11 +01:00
"context"
2019-05-16 21:37:54 +03:00
"encoding/json"
2022-01-04 17:36:33 -08:00
"strings"
2019-05-16 21:37:54 +03:00
"testing"
2023-05-12 16:14:48 +02:00
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
2024-06-20 11:44:43 +02:00
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
2023-01-31 15:30:40 +01:00
"github.com/kyverno/kyverno/pkg/config"
2023-06-14 12:06:52 +02:00
"github.com/kyverno/kyverno/pkg/engine/adapters"
2023-01-30 12:41:09 +01:00
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
2023-06-26 22:46:30 +02:00
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
2023-06-16 19:07:08 +05:30
"github.com/kyverno/kyverno/pkg/engine/factories"
2023-08-07 01:24:52 +05:30
"github.com/kyverno/kyverno/pkg/imageverifycache"
2022-12-07 16:08:37 +01:00
"github.com/kyverno/kyverno/pkg/registryclient"
2023-01-03 10:33:09 +01:00
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
2023-01-03 13:02:15 +01:00
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
2019-05-16 21:37:54 +03:00
"gotest.tools/assert"
2022-04-06 22:43:07 +02:00
admissionv1 "k8s.io/api/admission/v1"
2023-05-12 16:14:48 +02:00
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
2019-05-16 21:37:54 +03:00
)
2023-02-08 14:19:56 +01:00
func testValidate (
ctx context . Context ,
rclient registryclient . Client ,
pContext * PolicyContext ,
cfg config . Configuration ,
contextLoader engineapi . ContextLoaderFactory ,
2023-03-22 15:55:00 +01:00
) engineapi . EngineResponse {
2023-02-08 14:19:56 +01:00
if contextLoader == nil {
2023-06-16 19:07:08 +05:30
contextLoader = factories . DefaultContextLoaderFactory ( nil )
2023-02-08 14:19:56 +01:00
}
2023-02-06 13:49:04 +01:00
e := NewEngine (
cfg ,
2023-04-04 17:07:43 +02:00
config . NewDefaultMetricsConfiguration ( ) ,
2023-04-13 13:29:40 +02:00
jp ,
2023-02-07 16:09:15 +01:00
nil ,
2023-06-16 19:07:08 +05:30
factories . DefaultRegistryClientFactory ( adapters . RegistryClient ( rclient ) , nil ) ,
2023-08-07 01:24:52 +05:30
imageverifycache . DisabledImageVerifyCache ( ) ,
2023-02-08 14:19:56 +01:00
contextLoader ,
2023-02-06 06:49:47 +01:00
nil ,
2024-12-19 09:42:54 +02:00
nil ,
2023-02-06 13:49:04 +01:00
)
return e . Validate (
ctx ,
2023-01-31 15:30:40 +01:00
pContext ,
)
}
2023-05-12 16:14:48 +02:00
func newPolicyContext (
t * testing . T ,
resource unstructured . Unstructured ,
2023-12-03 23:35:36 -08:00
operation kyvernov1 . AdmissionOperation ,
2024-06-20 11:44:43 +02:00
admissionInfo * kyvernov2 . RequestInfo ,
2023-05-12 16:14:48 +02:00
) * PolicyContext {
t . Helper ( )
p , err := NewPolicyContext ( jp , resource , operation , admissionInfo , cfg )
assert . NilError ( t , err )
return p
}
2019-09-25 15:12:33 -07:00
func TestValidate_image_tag_fail ( t * testing . T ) {
// If image tag is latest then imagepull policy needs to be checked
2019-09-05 12:44:38 -07:00
rawPolicy := [ ] byte ( ` {
2019-11-13 13:56:07 -08:00
"apiVersion" : "kyverno.io/v1" ,
2019-09-05 12:44:38 -07:00
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "validate-image"
} ,
"spec" : {
"rules" : [
{
"name" : "validate-tag" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"validate" : {
"message" : "An image tag is required" ,
"pattern" : {
"spec" : {
"containers" : [
{
"image" : "*:*"
}
]
}
}
}
} ,
{
"name" : "validate-latest" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"validate" : {
"message" : "imagePullPolicy 'Always' required with tag 'latest'" ,
"pattern" : {
"spec" : {
"containers" : [
{
2019-09-26 11:00:30 -07:00
"(image)" : "*latest" ,
2019-09-25 15:12:33 -07:00
"imagePullPolicy" : "NotPresent"
2019-09-05 12:44:38 -07:00
}
]
}
}
}
}
]
}
}
` )
rawResource := [ ] byte ( `
{
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "myapp-pod" ,
"labels" : {
"app" : "myapp"
}
} ,
"spec" : {
"containers" : [
{
"name" : "nginx" ,
2019-09-25 15:12:33 -07:00
"image" : "nginx:latest" ,
"imagePullPolicy" : "Always"
2019-09-05 12:44:38 -07:00
}
]
}
}
` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2020-03-24 00:35:05 +05:30
err := json . Unmarshal ( rawPolicy , & policy )
assert . NilError ( t , err )
2019-09-05 12:44:38 -07:00
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( rawResource )
2019-09-05 12:44:38 -07:00
assert . NilError ( t , err )
2019-10-01 12:35:14 -07:00
msgs := [ ] string {
2020-12-07 11:26:04 -08:00
"validation rule 'validate-tag' passed." ,
2022-05-15 02:34:35 +05:30
"validation error: imagePullPolicy 'Always' required with tag 'latest'. rule validate-latest failed at path /spec/containers/0/imagePullPolicy/" ,
2019-10-01 12:35:14 -07:00
}
2021-09-26 02:12:31 -07:00
2023-06-26 22:46:30 +02:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy ) , cfg , nil )
2019-10-01 12:35:14 -07:00
for index , r := range er . PolicyResponse . Rules {
2023-04-05 12:35:38 +02:00
assert . Equal ( t , r . Message ( ) , msgs [ index ] )
2019-10-01 12:35:14 -07:00
}
2021-09-26 02:12:31 -07:00
2020-06-30 11:53:27 -07:00
assert . Assert ( t , ! er . IsSuccessful ( ) )
2019-09-05 12:44:38 -07:00
}
2019-09-25 15:12:33 -07:00
func TestValidate_image_tag_pass ( t * testing . T ) {
// If image tag is latest then imagepull policy needs to be checked
rawPolicy := [ ] byte ( ` {
2019-11-13 13:56:07 -08:00
"apiVersion" : "kyverno.io/v1" ,
2019-09-25 15:12:33 -07:00
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "validate-image"
} ,
"spec" : {
"rules" : [
{
"name" : "validate-tag" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"validate" : {
"message" : "An image tag is required" ,
"pattern" : {
"spec" : {
"containers" : [
{
"image" : "*:*"
}
]
}
}
}
} ,
{
"name" : "validate-latest" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"validate" : {
"message" : "imagePullPolicy 'Always' required with tag 'latest'" ,
"pattern" : {
"spec" : {
"containers" : [
{
2019-09-26 11:00:30 -07:00
"(image)" : "*latest" ,
2019-09-25 15:12:33 -07:00
"imagePullPolicy" : "Always"
}
]
}
}
}
}
]
}
}
` )
rawResource := [ ] byte ( `
{
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "myapp-pod" ,
"labels" : {
"app" : "myapp"
}
} ,
"spec" : {
"containers" : [
{
"name" : "nginx" ,
"image" : "nginx:latest" ,
"imagePullPolicy" : "Always"
}
]
}
}
` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2020-03-24 00:35:05 +05:30
err := json . Unmarshal ( rawPolicy , & policy )
assert . NilError ( t , err )
2019-09-25 15:12:33 -07:00
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( rawResource )
2019-09-25 15:12:33 -07:00
assert . NilError ( t , err )
2019-10-01 12:35:14 -07:00
msgs := [ ] string {
2020-12-07 11:26:04 -08:00
"validation rule 'validate-tag' passed." ,
"validation rule 'validate-latest' passed." ,
2019-10-01 12:35:14 -07:00
}
2023-06-26 22:46:30 +02:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy ) , cfg , nil )
2019-10-01 12:35:14 -07:00
for index , r := range er . PolicyResponse . Rules {
2023-04-05 12:35:38 +02:00
assert . Equal ( t , r . Message ( ) , msgs [ index ] )
2019-10-01 12:35:14 -07:00
}
2020-06-30 11:53:27 -07:00
assert . Assert ( t , er . IsSuccessful ( ) )
2019-09-25 15:12:33 -07:00
}
2019-09-05 12:44:38 -07:00
func TestValidate_Fail_anyPattern ( t * testing . T ) {
rawPolicy := [ ] byte ( `
{
2019-11-13 13:56:07 -08:00
"apiVersion" : "kyverno.io/v1" ,
2019-09-05 12:44:38 -07:00
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "validate-namespace"
} ,
"spec" : {
"rules" : [
{
"name" : "check-default-namespace" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"validate" : {
"message" : "A namespace is required" ,
"anyPattern" : [
{
"metadata" : {
"namespace" : "?*"
}
} ,
{
"metadata" : {
"namespace" : "!default"
}
}
]
}
}
]
}
}
` )
rawResource := [ ] byte ( `
{
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "myapp-pod" ,
"labels" : {
"app" : "myapp"
}
} ,
"spec" : {
"containers" : [
{
"name" : "nginx" ,
"image" : "nginx"
}
]
}
}
` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2020-03-24 00:35:05 +05:30
err := json . Unmarshal ( rawPolicy , & policy )
assert . NilError ( t , err )
2019-09-05 12:44:38 -07:00
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( rawResource )
2019-09-05 12:44:38 -07:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy ) , cfg , nil )
2020-12-23 15:10:07 -08:00
assert . Assert ( t , ! er . IsSuccessful ( ) )
2022-05-15 02:34:35 +05:30
msgs := [ ] string { "validation error: A namespace is required. rule check-default-namespace[0] failed at path /metadata/namespace/ rule check-default-namespace[1] failed at path /metadata/namespace/" }
2019-09-05 12:44:38 -07:00
for index , r := range er . PolicyResponse . Rules {
2023-04-05 12:35:38 +02:00
assert . Equal ( t , r . Message ( ) , msgs [ index ] )
2019-09-05 12:44:38 -07:00
}
}
2019-09-09 16:08:15 -07:00
func TestValidate_host_network_port ( t * testing . T ) {
rawPolicy := [ ] byte ( `
{
2019-11-13 13:56:07 -08:00
"apiVersion" : "kyverno.io/v1" ,
2019-09-09 16:08:15 -07:00
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "validate-host-network-port"
} ,
"spec" : {
"rules" : [
{
"name" : "validate-host-network-port" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"validate" : {
"message" : "Host network and port are not allowed" ,
"pattern" : {
"spec" : {
"hostNetwork" : false ,
"containers" : [
{
"name" : "*" ,
"ports" : [
{
"hostPort" : null
}
]
}
]
}
}
}
}
]
}
}
` )
rawResource := [ ] byte ( `
{
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "nginx-host-network"
} ,
"spec" : {
"hostNetwork" : false ,
"containers" : [
{
"name" : "nginx-host-network" ,
"image" : "nginx" ,
"ports" : [
{
"containerPort" : 80 ,
"hostPort" : 80
}
]
}
]
}
}
` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2020-03-24 00:35:05 +05:30
err := json . Unmarshal ( rawPolicy , & policy )
assert . NilError ( t , err )
2019-09-09 16:08:15 -07:00
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( rawResource )
2019-09-09 16:08:15 -07:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy ) , cfg , nil )
2022-05-15 02:34:35 +05:30
msgs := [ ] string { "validation error: Host network and port are not allowed. rule validate-host-network-port failed at path /spec/containers/0/ports/0/hostPort/" }
2019-09-09 16:08:15 -07:00
for index , r := range er . PolicyResponse . Rules {
2023-04-05 12:35:38 +02:00
assert . Equal ( t , r . Message ( ) , msgs [ index ] )
2019-09-09 16:08:15 -07:00
}
2020-06-30 11:53:27 -07:00
assert . Assert ( t , ! er . IsSuccessful ( ) )
2019-09-09 16:08:15 -07:00
}
2019-09-25 15:12:33 -07:00
func TestValidate_anchor_arraymap_pass ( t * testing . T ) {
rawPolicy := [ ] byte ( `
{
2019-11-13 13:56:07 -08:00
"apiVersion" : "kyverno.io/v1" ,
2019-09-25 15:12:33 -07:00
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "validate-host-path"
} ,
"spec" : {
"rules" : [
{
"name" : "validate-host-path" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"validate" : {
"message" : "Host path '/var/lib/' is not allowed" ,
"pattern" : {
"spec" : {
"volumes" : [
{
"name" : "*" ,
2019-10-01 13:08:34 -07:00
"=(hostPath)" : {
2019-09-25 15:12:33 -07:00
"path" : "!/var/lib"
}
}
]
}
}
}
}
]
}
2022-05-15 02:34:35 +05:30
}
2019-09-25 15:12:33 -07:00
` )
rawResource := [ ] byte ( `
{
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "image-with-hostpath" ,
"labels" : {
"app.type" : "prod" ,
"namespace" : "my-namespace"
}
} ,
"spec" : {
"containers" : [
{
"name" : "image-with-hostpath" ,
"image" : "docker.io/nautiker/curl" ,
"volumeMounts" : [
{
"name" : "var-lib-etcd" ,
"mountPath" : "/var/lib"
}
]
}
] ,
"volumes" : [
{
"name" : "var-lib-etcd" ,
"hostPath" : {
"path" : "/var/lib1"
}
}
]
}
} ` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2020-03-24 00:35:05 +05:30
err := json . Unmarshal ( rawPolicy , & policy )
assert . NilError ( t , err )
2019-09-25 15:12:33 -07:00
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( rawResource )
2019-09-25 15:12:33 -07:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy ) , cfg , nil )
2020-12-07 11:26:04 -08:00
msgs := [ ] string { "validation rule 'validate-host-path' passed." }
2019-09-25 15:12:33 -07:00
for index , r := range er . PolicyResponse . Rules {
2023-04-05 12:35:38 +02:00
assert . Equal ( t , r . Message ( ) , msgs [ index ] )
2019-09-25 15:12:33 -07:00
}
2020-06-30 11:53:27 -07:00
assert . Assert ( t , er . IsSuccessful ( ) )
2019-09-25 15:12:33 -07:00
}
func TestValidate_anchor_arraymap_fail ( t * testing . T ) {
rawPolicy := [ ] byte ( `
{
2019-11-13 13:56:07 -08:00
"apiVersion" : "kyverno.io/v1" ,
2019-09-25 15:12:33 -07:00
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "validate-host-path"
} ,
"spec" : {
"rules" : [
{
"name" : "validate-host-path" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"validate" : {
"message" : "Host path '/var/lib/' is not allowed" ,
"pattern" : {
"spec" : {
"volumes" : [
{
2019-10-01 13:08:34 -07:00
"=(hostPath)" : {
2019-09-25 15:12:33 -07:00
"path" : "!/var/lib"
}
}
]
}
}
}
}
]
}
2022-05-15 02:34:35 +05:30
}
2019-09-25 15:12:33 -07:00
` )
rawResource := [ ] byte ( `
{
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "image-with-hostpath" ,
"labels" : {
"app.type" : "prod" ,
"namespace" : "my-namespace"
}
} ,
"spec" : {
"containers" : [
{
"name" : "image-with-hostpath" ,
"image" : "docker.io/nautiker/curl" ,
"volumeMounts" : [
{
"name" : "var-lib-etcd" ,
"mountPath" : "/var/lib"
}
]
}
] ,
"volumes" : [
{
"name" : "var-lib-etcd" ,
"hostPath" : {
"path" : "/var/lib"
}
}
]
}
} ` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2020-03-24 00:35:05 +05:30
err := json . Unmarshal ( rawPolicy , & policy )
assert . NilError ( t , err )
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( rawResource )
2019-09-25 15:12:33 -07:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy ) , cfg , nil )
2022-05-15 02:34:35 +05:30
msgs := [ ] string { "validation error: Host path '/var/lib/' is not allowed. rule validate-host-path failed at path /spec/volumes/0/hostPath/path/" }
2019-09-25 15:12:33 -07:00
for index , r := range er . PolicyResponse . Rules {
2023-04-05 12:35:38 +02:00
assert . Equal ( t , r . Message ( ) , msgs [ index ] )
2019-09-25 15:12:33 -07:00
}
2020-06-30 11:53:27 -07:00
assert . Assert ( t , ! er . IsSuccessful ( ) )
2019-09-25 15:12:33 -07:00
}
func TestValidate_anchor_map_notfound ( t * testing . T ) {
// anchor not present in resource
rawPolicy := [ ] byte ( ` {
2019-11-13 13:56:07 -08:00
"apiVersion" : "kyverno.io/v1" ,
2019-09-25 15:12:33 -07:00
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "policy-secaas-k8s"
} ,
"spec" : {
"rules" : [
{
"name" : "pod rule 2" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"validate" : {
"message" : "pod: validate run as non root user" ,
"pattern" : {
"spec" : {
2019-10-01 13:08:34 -07:00
"=(securityContext)" : {
2019-09-25 15:12:33 -07:00
"runAsNonRoot" : true
}
}
}
}
}
]
}
} ` )
rawResource := [ ] byte ( `
{
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "myapp-pod" ,
"labels" : {
"app" : "v1"
}
} ,
"spec" : {
"containers" : [
{
"name" : "nginx" ,
"image" : "nginx"
}
]
}
}
` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2020-03-24 00:35:05 +05:30
err := json . Unmarshal ( rawPolicy , & policy )
assert . NilError ( t , err )
2019-09-25 15:12:33 -07:00
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( rawResource )
2019-09-25 15:12:33 -07:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy ) , cfg , nil )
2020-12-07 11:26:04 -08:00
msgs := [ ] string { "validation rule 'pod rule 2' passed." }
2019-09-25 15:12:33 -07:00
for index , r := range er . PolicyResponse . Rules {
2023-04-05 12:35:38 +02:00
assert . Equal ( t , r . Message ( ) , msgs [ index ] )
2019-09-25 15:12:33 -07:00
}
2020-06-30 11:53:27 -07:00
assert . Assert ( t , er . IsSuccessful ( ) )
2019-09-25 15:12:33 -07:00
}
2024-01-29 19:34:41 +05:30
func TestValidate_foreach_zero_reported_asskip ( t * testing . T ) {
rawPolicy := [ ] byte ( `
{
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "check-sa-tokens" ,
"annotations" : {
"pod-policies.kyverno.io/autogen-controllers" : "none"
}
} ,
"spec" : {
"background" : true ,
"rules" : [
{
"name" : "check-token-exp" ,
"match" : {
"resources" : {
"kinds" : [ "Pod" ]
}
} ,
"validate" : {
2024-08-27 23:07:57 +03:00
"failureAction" : "Enforce" ,
2024-01-29 19:34:41 +05:30
"foreach" : [
{
"list" : "request.object.spec.volumes[].projected.sources[].serviceAccountToken.expirationSeconds" ,
"deny" : {
"conditions" : {
"any" : [
{
"key" : "{{ element }}" ,
"operator" : "GreaterThan" ,
"value" : 3600 ,
"message" : "expirationSeconds must be less than 1 hour"
}
]
}
}
}
]
}
}
]
}
}
` )
rawResource := [ ] byte ( `
{
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "my-pod"
} ,
"spec" : {
"containers" : [
{
"name" : "nginx" ,
"image" : "nginx" ,
"volumeMounts" : [
{
"mountPath" : "/var/run/secrets/tokens" ,
"name" : "my-proj-vol"
}
]
}
] ,
"serviceAccountName" : "my-service-account"
}
}
` )
var policy kyvernov1 . ClusterPolicy
err := json . Unmarshal ( rawPolicy , & policy )
assert . NilError ( t , err )
resourceUnstructured , err := kubeutils . BytesToUnstructured ( rawResource )
assert . NilError ( t , err )
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy ) , cfg , nil )
msgs := [ ] string { "validation rule 'check-token-exp' passed." }
for index , r := range er . PolicyResponse . Rules {
assert . Equal ( t , r . Message ( ) , msgs [ index ] )
}
assert . Assert ( t , er . IsSuccessful ( ) )
}
2019-09-25 15:12:33 -07:00
func TestValidate_anchor_map_found_valid ( t * testing . T ) {
// anchor not present in resource
rawPolicy := [ ] byte ( ` {
2019-11-13 13:56:07 -08:00
"apiVersion" : "kyverno.io/v1" ,
2019-09-25 15:12:33 -07:00
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "policy-secaas-k8s"
} ,
"spec" : {
"rules" : [
{
"name" : "pod rule 2" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"validate" : {
"message" : "pod: validate run as non root user" ,
"pattern" : {
"spec" : {
2019-10-01 13:08:34 -07:00
"=(securityContext)" : {
2019-09-25 15:12:33 -07:00
"runAsNonRoot" : true
}
}
}
}
}
]
}
} ` )
rawResource := [ ] byte ( `
{
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "myapp-pod" ,
"labels" : {
"app" : "v1"
}
} ,
"spec" : {
"containers" : [
{
"name" : "nginx" ,
"image" : "nginx"
}
] ,
"securityContext" : {
"runAsNonRoot" : true
}
}
}
` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2020-03-24 00:35:05 +05:30
err := json . Unmarshal ( rawPolicy , & policy )
assert . NilError ( t , err )
2019-09-25 15:12:33 -07:00
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( rawResource )
2019-09-25 15:12:33 -07:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy ) , cfg , nil )
2020-12-07 11:26:04 -08:00
msgs := [ ] string { "validation rule 'pod rule 2' passed." }
2019-09-25 15:12:33 -07:00
for index , r := range er . PolicyResponse . Rules {
2023-04-05 12:35:38 +02:00
assert . Equal ( t , r . Message ( ) , msgs [ index ] )
2019-09-25 15:12:33 -07:00
}
2020-12-23 15:10:07 -08:00
2021-04-28 23:31:55 +03:00
assert . Assert ( t , er . IsSuccessful ( ) )
}
func TestValidate_inequality_List_Processing ( t * testing . T ) {
// anchor not present in resource
rawPolicy := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "policy-secaas-k8s"
} ,
"spec" : {
"rules" : [
{
"name" : "pod rule 2" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"validate" : {
"message" : "pod: validate run as non root user" ,
"pattern" : {
"spec" : {
"=(supplementalGroups)" : ">0"
}
}
}
}
]
}
} ` )
rawResource := [ ] byte ( `
{
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "myapp-pod" ,
"labels" : {
"app" : "v1"
}
} ,
"spec" : {
"containers" : [
{
"name" : "nginx" ,
"image" : "nginx"
}
] ,
"supplementalGroups" : [
"2" ,
"5" ,
"10"
]
}
}
` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2021-04-28 23:31:55 +03:00
err := json . Unmarshal ( rawPolicy , & policy )
assert . NilError ( t , err )
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( rawResource )
2021-04-28 23:31:55 +03:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy ) , cfg , nil )
2021-04-28 23:31:55 +03:00
msgs := [ ] string { "validation rule 'pod rule 2' passed." }
for index , r := range er . PolicyResponse . Rules {
2023-04-05 12:35:38 +02:00
assert . Equal ( t , r . Message ( ) , msgs [ index ] )
2021-04-28 23:31:55 +03:00
}
assert . Assert ( t , er . IsSuccessful ( ) )
}
func TestValidate_inequality_List_ProcessingBrackets ( t * testing . T ) {
// anchor not present in resource
rawPolicy := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "policy-secaas-k8s"
} ,
"spec" : {
"rules" : [
{
"name" : "pod rule 2" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"validate" : {
"message" : "pod: validate run as non root user" ,
"pattern" : {
"spec" : {
"=(supplementalGroups)" : [
">0 & <100001"
]
}
}
}
}
]
}
} ` )
rawResource := [ ] byte ( `
{
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "myapp-pod" ,
"labels" : {
"app" : "v1"
}
} ,
"spec" : {
"containers" : [
{
"name" : "nginx" ,
"image" : "nginx"
}
] ,
"supplementalGroups" : [
"2" ,
"5" ,
"10" ,
"100" ,
"10000" ,
"1000" ,
"543"
]
}
}
` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2021-04-28 23:31:55 +03:00
err := json . Unmarshal ( rawPolicy , & policy )
assert . NilError ( t , err )
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( rawResource )
2021-04-28 23:31:55 +03:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy ) , cfg , nil )
2021-04-28 23:31:55 +03:00
msgs := [ ] string { "validation rule 'pod rule 2' passed." }
for index , r := range er . PolicyResponse . Rules {
2023-04-05 12:35:38 +02:00
assert . Equal ( t , r . Message ( ) , msgs [ index ] )
2021-04-28 23:31:55 +03:00
}
2020-06-30 11:53:27 -07:00
assert . Assert ( t , er . IsSuccessful ( ) )
2019-09-25 15:12:33 -07:00
}
func TestValidate_anchor_map_found_invalid ( t * testing . T ) {
// anchor not present in resource
rawPolicy := [ ] byte ( ` {
2019-11-13 13:56:07 -08:00
"apiVersion" : "kyverno.io/v1" ,
2019-09-25 15:12:33 -07:00
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "policy-secaas-k8s"
} ,
"spec" : {
"rules" : [
{
"name" : "pod rule 2" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"validate" : {
"message" : "pod: validate run as non root user" ,
"pattern" : {
"spec" : {
2019-10-01 13:08:34 -07:00
"=(securityContext)" : {
2019-09-25 15:12:33 -07:00
"runAsNonRoot" : true
}
}
}
}
}
]
}
} ` )
rawResource := [ ] byte ( `
{
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "myapp-pod" ,
"labels" : {
"app" : "v1"
}
} ,
"spec" : {
"containers" : [
{
"name" : "nginx" ,
"image" : "nginx"
}
] ,
"securityContext" : {
"runAsNonRoot" : false
}
}
}
` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2020-03-24 00:35:05 +05:30
err := json . Unmarshal ( rawPolicy , & policy )
assert . NilError ( t , err )
2019-09-25 15:12:33 -07:00
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( rawResource )
2019-09-25 15:12:33 -07:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy ) , cfg , nil )
2022-05-15 02:34:35 +05:30
msgs := [ ] string { "validation error: pod: validate run as non root user. rule pod rule 2 failed at path /spec/securityContext/runAsNonRoot/" }
2019-09-25 15:12:33 -07:00
for index , r := range er . PolicyResponse . Rules {
2023-04-05 12:35:38 +02:00
assert . Equal ( t , r . Message ( ) , msgs [ index ] )
2019-09-25 15:12:33 -07:00
}
2020-06-30 11:53:27 -07:00
assert . Assert ( t , ! er . IsSuccessful ( ) )
2019-09-25 15:12:33 -07:00
}
2019-09-25 21:01:45 -07:00
func TestValidate_AnchorList_pass ( t * testing . T ) {
// anchor not present in resource
rawPolicy := [ ] byte ( `
{
2019-11-13 13:56:07 -08:00
"apiVersion" : "kyverno.io/v1" ,
2019-09-25 21:01:45 -07:00
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "policy-secaas-k8s"
} ,
"spec" : {
"rules" : [
{
"name" : "pod image rule" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"validate" : {
"pattern" : {
"spec" : {
2019-10-01 13:08:34 -07:00
"=(containers)" : [
2019-09-25 21:01:45 -07:00
{
"name" : "nginx"
}
]
}
}
}
}
]
}
2022-05-15 02:34:35 +05:30
}
2019-09-25 21:01:45 -07:00
` )
rawResource := [ ] byte ( `
{
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "myapp-pod" ,
"labels" : {
"app" : "v1"
}
} ,
"spec" : {
"containers" : [
{
"name" : "nginx"
} ,
{
"name" : "nginx"
}
]
}
2022-05-15 02:34:35 +05:30
}
2019-09-25 21:01:45 -07:00
` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2020-03-24 00:35:05 +05:30
err := json . Unmarshal ( rawPolicy , & policy )
assert . NilError ( t , err )
2019-09-25 21:01:45 -07:00
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( rawResource )
2019-09-25 21:01:45 -07:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy ) , cfg , nil )
2020-12-07 11:26:04 -08:00
msgs := [ ] string { "validation rule 'pod image rule' passed." }
2019-09-25 21:01:45 -07:00
2019-10-01 12:35:14 -07:00
for index , r := range er . PolicyResponse . Rules {
2023-04-05 12:35:38 +02:00
t . Log ( r . Message ( ) )
assert . Equal ( t , r . Message ( ) , msgs [ index ] )
2019-10-01 12:35:14 -07:00
}
2020-06-30 11:53:27 -07:00
assert . Assert ( t , er . IsSuccessful ( ) )
2019-09-25 21:01:45 -07:00
}
func TestValidate_AnchorList_fail ( t * testing . T ) {
rawPolicy := [ ] byte ( `
{
2019-11-13 13:56:07 -08:00
"apiVersion" : "kyverno.io/v1" ,
2019-09-25 21:01:45 -07:00
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "policy-secaas-k8s"
} ,
"spec" : {
"rules" : [
{
"name" : "pod image rule" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"validate" : {
"pattern" : {
"spec" : {
2019-10-01 13:08:34 -07:00
"=(containers)" : [
2019-09-25 21:01:45 -07:00
{
"name" : "nginx"
}
]
}
}
}
}
]
}
2022-05-15 02:34:35 +05:30
}
2019-09-25 21:01:45 -07:00
` )
rawResource := [ ] byte ( `
{
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "myapp-pod" ,
"labels" : {
"app" : "v1"
}
} ,
"spec" : {
"containers" : [
{
"name" : "nginx"
} ,
{
"name" : "busy"
}
]
}
2022-05-15 02:34:35 +05:30
}
2019-09-25 21:01:45 -07:00
` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2020-03-24 00:35:05 +05:30
err := json . Unmarshal ( rawPolicy , & policy )
assert . NilError ( t , err )
2019-09-25 21:01:45 -07:00
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( rawResource )
2019-09-25 21:01:45 -07:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy ) , cfg , nil )
2020-06-30 11:53:27 -07:00
assert . Assert ( t , ! er . IsSuccessful ( ) )
2019-09-25 21:01:45 -07:00
}
func TestValidate_existenceAnchor_fail ( t * testing . T ) {
// anchor not present in resource
rawPolicy := [ ] byte ( `
{
2019-11-13 13:56:07 -08:00
"apiVersion" : "kyverno.io/v1" ,
2019-09-25 21:01:45 -07:00
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "policy-secaas-k8s"
} ,
"spec" : {
"rules" : [
{
"name" : "pod image rule" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"validate" : {
"pattern" : {
"spec" : {
"^(containers)" : [
{
"name" : "nginx"
}
]
}
}
}
}
]
}
2022-05-15 02:34:35 +05:30
}
2019-09-25 21:01:45 -07:00
` )
rawResource := [ ] byte ( `
{
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "myapp-pod" ,
"labels" : {
"app" : "v1"
}
} ,
"spec" : {
"containers" : [
{
"name" : "busy1"
} ,
{
"name" : "busy"
}
]
}
2022-05-15 02:34:35 +05:30
}
2019-09-25 21:01:45 -07:00
` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2020-03-24 00:35:05 +05:30
err := json . Unmarshal ( rawPolicy , & policy )
assert . NilError ( t , err )
2019-09-25 21:01:45 -07:00
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( rawResource )
2019-09-25 21:01:45 -07:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy ) , cfg , nil )
2020-06-30 11:53:27 -07:00
assert . Assert ( t , ! er . IsSuccessful ( ) )
2019-09-25 21:01:45 -07:00
}
func TestValidate_existenceAnchor_pass ( t * testing . T ) {
// anchor not present in resource
rawPolicy := [ ] byte ( `
{
2019-11-13 13:56:07 -08:00
"apiVersion" : "kyverno.io/v1" ,
2019-09-25 21:01:45 -07:00
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "policy-secaas-k8s"
} ,
"spec" : {
"rules" : [
{
"name" : "pod image rule" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"validate" : {
"pattern" : {
"spec" : {
"^(containers)" : [
{
"name" : "nginx"
}
]
}
}
}
}
]
}
2022-05-15 02:34:35 +05:30
}
2019-09-25 21:01:45 -07:00
` )
rawResource := [ ] byte ( `
{
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "myapp-pod" ,
"labels" : {
"app" : "v1"
}
} ,
"spec" : {
"containers" : [
{
"name" : "nginx"
} ,
{
"name" : "busy"
}
]
}
2022-05-15 02:34:35 +05:30
}
2019-09-25 21:01:45 -07:00
` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2020-03-24 00:35:05 +05:30
err := json . Unmarshal ( rawPolicy , & policy )
assert . NilError ( t , err )
2019-09-25 21:01:45 -07:00
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( rawResource )
2019-09-25 21:01:45 -07:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy ) , cfg , nil )
2020-12-07 11:26:04 -08:00
msgs := [ ] string { "validation rule 'pod image rule' passed." }
2019-09-25 21:01:45 -07:00
2019-10-01 12:35:14 -07:00
for index , r := range er . PolicyResponse . Rules {
2023-04-05 12:35:38 +02:00
assert . Equal ( t , r . Message ( ) , msgs [ index ] )
2019-10-01 12:35:14 -07:00
}
2020-06-30 11:53:27 -07:00
assert . Assert ( t , er . IsSuccessful ( ) )
2019-09-25 21:01:45 -07:00
}
2019-10-10 17:34:20 -07:00
func TestValidate_negationAnchor_deny ( t * testing . T ) {
rawPolicy := [ ] byte ( `
{
2019-11-13 13:56:07 -08:00
"apiVersion" : "kyverno.io/v1" ,
2019-10-10 17:34:20 -07:00
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "validate-host-path"
} ,
"spec" : {
"rules" : [
{
"name" : "validate-host-path" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"validate" : {
"message" : "Host path is not allowed" ,
"pattern" : {
"spec" : {
"volumes" : [
{
"name" : "*" ,
"X(hostPath)" : null
}
]
}
}
}
}
]
}
2022-05-15 02:34:35 +05:30
}
2019-10-10 17:34:20 -07:00
` )
rawResource := [ ] byte ( `
{
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "image-with-hostpath" ,
"labels" : {
"app.type" : "prod" ,
"namespace" : "my-namespace"
}
} ,
"spec" : {
"containers" : [
{
"name" : "image-with-hostpath" ,
"image" : "docker.io/nautiker/curl" ,
"volumeMounts" : [
{
"name" : "var-lib-etcd" ,
"mountPath" : "/var/lib"
}
]
}
] ,
"volumes" : [
{
"name" : "var-lib-etcd" ,
"hostPath" : {
"path" : "/var/lib1"
}
}
]
}
} ` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2020-03-24 00:35:05 +05:30
err := json . Unmarshal ( rawPolicy , & policy )
assert . NilError ( t , err )
2019-10-10 17:34:20 -07:00
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( rawResource )
2019-10-10 17:34:20 -07:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy ) , cfg , nil )
2022-05-15 02:34:35 +05:30
msgs := [ ] string { "validation error: Host path is not allowed. rule validate-host-path failed at path /spec/volumes/0/hostPath/" }
2019-10-10 17:34:20 -07:00
for index , r := range er . PolicyResponse . Rules {
2023-04-05 12:35:38 +02:00
assert . Equal ( t , r . Message ( ) , msgs [ index ] )
2019-10-10 17:34:20 -07:00
}
2020-06-30 11:53:27 -07:00
assert . Assert ( t , ! er . IsSuccessful ( ) )
2019-10-10 17:34:20 -07:00
}
func TestValidate_negationAnchor_pass ( t * testing . T ) {
rawPolicy := [ ] byte ( `
{
2019-11-13 13:56:07 -08:00
"apiVersion" : "kyverno.io/v1" ,
2019-10-10 17:34:20 -07:00
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "validate-host-path"
} ,
"spec" : {
"rules" : [
{
"name" : "validate-host-path" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"validate" : {
"message" : "Host path is not allowed" ,
"pattern" : {
"spec" : {
"volumes" : [
{
"name" : "*" ,
"X(hostPath)" : null
}
]
}
}
}
}
]
}
2022-05-15 02:34:35 +05:30
}
2019-10-10 17:34:20 -07:00
` )
rawResource := [ ] byte ( `
{
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "image-with-hostpath" ,
"labels" : {
"app.type" : "prod" ,
"namespace" : "my-namespace"
}
} ,
"spec" : {
"containers" : [
{
"name" : "image-with-hostpath" ,
"image" : "docker.io/nautiker/curl" ,
"volumeMounts" : [
{
"name" : "var-lib-etcd" ,
"mountPath" : "/var/lib"
}
]
}
] ,
"volumes" : [
{
"name" : "var-lib-etcd" ,
"emptyDir" : { }
}
]
}
}
` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2020-03-24 00:35:05 +05:30
err := json . Unmarshal ( rawPolicy , & policy )
assert . NilError ( t , err )
2019-10-10 17:34:20 -07:00
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( rawResource )
2019-10-10 17:34:20 -07:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy ) , cfg , nil )
2020-12-07 11:26:04 -08:00
msgs := [ ] string { "validation rule 'validate-host-path' passed." }
2019-10-10 17:34:20 -07:00
for index , r := range er . PolicyResponse . Rules {
2023-04-05 12:35:38 +02:00
assert . Equal ( t , r . Message ( ) , msgs [ index ] )
2019-10-10 17:34:20 -07:00
}
2020-06-30 11:53:27 -07:00
assert . Assert ( t , er . IsSuccessful ( ) )
2019-10-10 17:34:20 -07:00
}
2020-01-09 17:44:11 -08:00
func Test_VariableSubstitutionPathNotExistInPattern ( t * testing . T ) {
resourceRaw := [ ] byte ( ` {
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "check-root-user"
} ,
"spec" : {
"containers" : [
{
"name" : "check-root-user-a" ,
"image" : "nginxinc/nginx-unprivileged" ,
"securityContext" : {
"runAsNonRoot" : true
}
}
]
}
} ` )
policyraw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : {
2020-01-24 12:05:53 -08:00
"name" : "substitute-variable"
2020-01-09 17:44:11 -08:00
} ,
"spec" : {
"rules" : [
{
"name" : "test-path-not-exist" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"validate" : {
"pattern" : {
"spec" : {
"containers" : [
{
"name" : "{{request.object.metadata.name1}}*"
}
]
}
}
}
}
]
}
} ` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2020-03-24 00:35:05 +05:30
err := json . Unmarshal ( policyraw , & policy )
assert . NilError ( t , err )
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( resourceRaw )
2020-01-09 17:44:11 -08:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
policyContext := newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy )
2023-02-08 14:19:56 +01:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , policyContext , cfg , nil )
2022-01-04 17:36:33 -08:00
assert . Equal ( t , len ( er . PolicyResponse . Rules ) , 1 )
2023-04-05 12:35:38 +02:00
assert . Equal ( t , er . PolicyResponse . Rules [ 0 ] . Status ( ) , engineapi . RuleStatusError )
assert . Assert ( t , strings . Contains ( er . PolicyResponse . Rules [ 0 ] . Message ( ) , "Unknown key \"name1\" in path" ) )
2020-01-09 17:44:11 -08:00
}
2021-03-11 22:06:04 +02:00
func Test_VariableSubstitutionPathNotExistInAnyPattern_OnePatternStatisfiesButSubstitutionFails ( t * testing . T ) {
2020-01-09 17:44:11 -08:00
resourceRaw := [ ] byte ( ` {
"apiVersion" : "v1" ,
"kind" : "Deployment" ,
"metadata" : {
"name" : "test"
} ,
"spec" : {
"template" : {
"spec" : {
"containers" : [
{
"name" : "test-pod" ,
"image" : "nginxinc/nginx-unprivileged"
}
]
}
}
}
} ` )
policyraw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : {
2020-01-24 12:05:53 -08:00
"name" : "substitute-variable"
2020-01-09 17:44:11 -08:00
} ,
"spec" : {
"rules" : [
{
"name" : "test-path-not-exist" ,
"match" : {
"resources" : {
"kinds" : [
"Deployment"
]
}
} ,
"validate" : {
"anyPattern" : [
{
"spec" : {
"template" : {
"spec" : {
"containers" : [
{
"name" : "{{request.object.metadata.name1}}*"
}
]
}
}
}
} ,
{
"spec" : {
"template" : {
"spec" : {
"containers" : [
{
"name" : "{{request.object.metadata.name}}*"
}
]
}
}
}
}
]
}
}
]
}
} ` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2020-01-09 17:44:11 -08:00
assert . NilError ( t , json . Unmarshal ( policyraw , & policy ) )
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( resourceRaw )
2020-01-09 17:44:11 -08:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
policyContext := newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy )
2023-02-08 14:19:56 +01:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , policyContext , cfg , nil )
2022-01-04 17:36:33 -08:00
assert . Equal ( t , len ( er . PolicyResponse . Rules ) , 1 )
2023-04-05 12:35:38 +02:00
assert . Equal ( t , er . PolicyResponse . Rules [ 0 ] . Status ( ) , engineapi . RuleStatusError )
assert . Assert ( t , strings . Contains ( er . PolicyResponse . Rules [ 0 ] . Message ( ) , "Unknown key \"name1\" in path" ) )
2020-01-09 17:44:11 -08:00
}
2021-04-14 13:09:00 -07:00
func Test_VariableSubstitution_NotOperatorWithStringVariable ( t * testing . T ) {
resourceRaw := [ ] byte ( ` {
"apiVersion" : "v1" ,
"kind" : "Deployment" ,
"metadata" : {
"name" : "test"
} ,
"spec" : {
"content" : "sample text"
}
} ` )
policyraw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "substitute-variable"
} ,
"spec" : {
"rules" : [
{
"name" : "not-operator-with-variable-should-alway-fail-validation" ,
"match" : {
"resources" : {
"kinds" : [
"Deployment"
]
}
} ,
"validate" : {
"pattern" : {
"spec" : {
"content" : "!{{ request.object.spec.content }}"
}
}
}
}
]
}
} ` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2021-04-14 13:09:00 -07:00
assert . NilError ( t , json . Unmarshal ( policyraw , & policy ) )
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( resourceRaw )
2021-04-14 13:09:00 -07:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
policyContext := newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy )
2023-02-08 14:19:56 +01:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , policyContext , cfg , nil )
2023-04-05 12:35:38 +02:00
assert . Equal ( t , er . PolicyResponse . Rules [ 0 ] . Status ( ) , engineapi . RuleStatusFail )
assert . Equal ( t , er . PolicyResponse . Rules [ 0 ] . Message ( ) , "validation error: rule not-operator-with-variable-should-alway-fail-validation failed at path /spec/content/" )
2021-04-14 13:09:00 -07:00
}
2020-01-09 17:44:11 -08:00
func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathNotPresent ( t * testing . T ) {
resourceRaw := [ ] byte ( ` {
"apiVersion" : "v1" ,
"kind" : "Deployment" ,
"metadata" : {
"name" : "test"
} ,
"spec" : {
"template" : {
"spec" : {
"containers" : [
{
"name" : "test-pod" ,
"image" : "nginxinc/nginx-unprivileged"
}
]
}
}
}
} ` )
policyraw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : {
2020-01-24 12:05:53 -08:00
"name" : "substitute-variable"
2020-01-09 17:44:11 -08:00
} ,
"spec" : {
"rules" : [
{
"name" : "test-path-not-exist" ,
"match" : {
"resources" : {
"kinds" : [
"Deployment"
]
}
} ,
"validate" : {
"anyPattern" : [
{
"spec" : {
"template" : {
"spec" : {
"containers" : [
{
"name" : "{{request.object.metadata.name1}}*"
}
]
}
}
}
} ,
{
"spec" : {
"template" : {
"spec" : {
"containers" : [
{
"name" : "{{request.object.metadata.name2}}*"
}
]
}
}
}
}
]
}
}
]
}
} ` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2020-01-09 17:44:11 -08:00
assert . NilError ( t , json . Unmarshal ( policyraw , & policy ) )
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( resourceRaw )
2020-01-09 17:44:11 -08:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
policyContext := newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy )
2023-02-08 14:19:56 +01:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , policyContext , cfg , nil )
2022-01-04 17:36:33 -08:00
assert . Equal ( t , len ( er . PolicyResponse . Rules ) , 1 )
2023-04-05 12:35:38 +02:00
assert . Equal ( t , er . PolicyResponse . Rules [ 0 ] . Status ( ) , engineapi . RuleStatusError )
assert . Assert ( t , strings . Contains ( er . PolicyResponse . Rules [ 0 ] . Message ( ) , "Unknown key \"name1\" in path" ) )
2020-01-09 17:44:11 -08:00
}
func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathPresent_NonePatternSatisfy ( t * testing . T ) {
resourceRaw := [ ] byte ( ` {
"apiVersion" : "v1" ,
"kind" : "Deployment" ,
"metadata" : {
"name" : "test"
} ,
"spec" : {
"template" : {
"spec" : {
"containers" : [
{
"name" : "pod-test-pod" ,
"image" : "nginxinc/nginx-unprivileged"
}
]
}
}
}
} ` )
policyraw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : {
2020-01-24 12:05:53 -08:00
"name" : "substitute-variable"
2020-01-09 17:44:11 -08:00
} ,
"spec" : {
"rules" : [
{
"name" : "test-path-not-exist" ,
"match" : {
"resources" : {
"kinds" : [
"Deployment"
]
}
} ,
"validate" : {
"anyPattern" : [
{
"spec" : {
"template" : {
"spec" : {
"containers" : [
{
"name" : "{{request.object.metadata.name}}*"
}
]
}
}
}
} ,
{
"spec" : {
"template" : {
"spec" : {
"containers" : [
{
"name" : "{{request.object.metadata.name}}*"
}
]
}
}
}
}
]
}
}
]
}
} ` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2020-01-09 17:44:11 -08:00
assert . NilError ( t , json . Unmarshal ( policyraw , & policy ) )
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( resourceRaw )
2020-01-09 17:44:11 -08:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
policyContext := newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy )
2023-02-08 14:19:56 +01:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , policyContext , cfg , nil )
2020-01-09 17:44:11 -08:00
2023-04-05 12:35:38 +02:00
assert . Equal ( t , er . PolicyResponse . Rules [ 0 ] . Status ( ) , engineapi . RuleStatusFail )
assert . Equal ( t , er . PolicyResponse . Rules [ 0 ] . Message ( ) ,
2022-05-15 02:34:35 +05:30
"validation error: rule test-path-not-exist[0] failed at path /spec/template/spec/containers/0/name/ rule test-path-not-exist[1] failed at path /spec/template/spec/containers/0/name/" )
2020-01-09 17:44:11 -08:00
}
2020-05-07 02:35:24 +05:30
2021-04-13 21:44:43 +03:00
func Test_VariableSubstitutionValidate_VariablesInMessageAreResolved ( t * testing . T ) {
resourceRaw := [ ] byte ( ` {
"apiVersion" : "apps/v1" ,
"kind" : "Deployment" ,
"metadata" : {
"name" : "busybox" ,
"labels" : {
"app" : "busybox" ,
"color" : "red" ,
"animal" : "cow" ,
"food" : "pizza" ,
"car" : "jeep" ,
"env" : "qa"
}
} ,
"spec" : {
"replicas" : 1 ,
"selector" : {
"matchLabels" : {
"app" : "busybox"
}
} ,
"template" : {
"metadata" : {
"labels" : {
"app" : "busybox"
}
} ,
"spec" : {
"containers" : [
{
"image" : "busybox:1.28" ,
"name" : "busybox" ,
"command" : [
"sleep" ,
"9999"
]
}
]
}
}
}
} ` )
policyraw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "cm-array-example"
} ,
"spec" : {
"background" : false ,
"rules" : [
{
"name" : "validate-role-annotation" ,
"match" : {
"resources" : {
"kinds" : [
"Deployment"
]
}
} ,
"validate" : {
2024-08-27 23:07:57 +03:00
"failureAction" : "enforce" ,
2021-04-13 21:44:43 +03:00
"message" : "The animal {{ request.object.metadata.labels.animal }} is not in the allowed list of animals." ,
"deny" : {
"conditions" : [
{
"key" : "{{ request.object.metadata.labels.animal }}" ,
"operator" : "NotIn" ,
2021-04-14 13:09:00 -07:00
"value" : [
"snake" ,
"bear" ,
"cat" ,
"dog"
]
2021-04-13 21:44:43 +03:00
}
]
}
}
}
]
}
} ` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2021-04-13 21:44:43 +03:00
assert . NilError ( t , json . Unmarshal ( policyraw , & policy ) )
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( resourceRaw )
2021-04-13 21:44:43 +03:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
policyContext := newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy )
2023-02-08 14:19:56 +01:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , policyContext , cfg , nil )
2023-04-05 12:35:38 +02:00
assert . Equal ( t , er . PolicyResponse . Rules [ 0 ] . Status ( ) , engineapi . RuleStatusFail )
assert . Equal ( t , er . PolicyResponse . Rules [ 0 ] . Message ( ) , "The animal cow is not in the allowed list of animals." )
2021-04-13 21:44:43 +03:00
}
2021-04-15 17:33:34 -07:00
func Test_Flux_Kustomization_PathNotPresent ( t * testing . T ) {
tests := [ ] struct {
2021-09-27 23:40:05 -07:00
name string
policyRaw [ ] byte
resourceRaw [ ] byte
2023-01-30 12:41:09 +01:00
expectedResults [ ] engineapi . RuleStatus
2021-09-26 02:12:31 -07:00
expectedMessages [ ] string
2021-04-15 17:33:34 -07:00
} {
{
name : "path-not-present" ,
policyRaw : [ ] byte ( ` { "apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata": { "name":"flux-multi-tenancy"},"spec": { "validationFailureAction":"enforce","rules":[ { "name":"serviceAccountName","exclude": { "resources": { "namespaces":["flux-system"]}},"match": { "resources": { "kinds":["Kustomization","HelmRelease"]}},"validate": { "message":".spec.serviceAccountName is required","pattern": { "spec": { "serviceAccountName":"?*"}}}}, { "name":"sourceRefNamespace","exclude": { "resources": { "namespaces":["flux-system"]}},"match": { "resources": { "kinds":["Kustomization","HelmRelease"]}},"validate": { "message":"spec.sourceRef.namespace must be the same as metadata.namespace","deny": { "conditions":[ { "key":" {{ request .object .spec .sourceRef .namespace }} ","operator":"NotEquals","value":" {{ request .object .metadata .namespace }} "}]}}}]}} ` ) ,
// referred variable path not present
2021-09-27 23:40:05 -07:00
resourceRaw : [ ] byte ( ` { "apiVersion":"kustomize.toolkit.fluxcd.io/v1beta1","kind":"Kustomization","metadata": { "name":"dev-team","namespace":"apps"},"spec": { "serviceAccountName":"dev-team","interval":"5m","sourceRef": { "kind":"GitRepository","name":"dev-team"},"prune":true,"validation":"client"}} ` ) ,
2023-01-30 12:41:09 +01:00
expectedResults : [ ] engineapi . RuleStatus { engineapi . RuleStatusPass , engineapi . RuleStatusError } ,
2023-06-13 14:51:08 +02:00
expectedMessages : [ ] string { "validation rule 'serviceAccountName' passed." , "failed to check deny conditions: failed to substitute variables in condition key: failed to resolve request.object.spec.sourceRef.namespace at path : JMESPath query failed: Unknown key \"namespace\" in path" } ,
2021-04-15 17:33:34 -07:00
} ,
{
name : "resource-with-violation" ,
policyRaw : [ ] byte ( ` { "apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata": { "name":"flux-multi-tenancy"},"spec": { "validationFailureAction":"enforce","rules":[ { "name":"serviceAccountName","exclude": { "resources": { "namespaces":["flux-system"]}},"match": { "resources": { "kinds":["Kustomization","HelmRelease"]}},"validate": { "message":".spec.serviceAccountName is required","pattern": { "spec": { "serviceAccountName":"?*"}}}}, { "name":"sourceRefNamespace","exclude": { "resources": { "namespaces":["flux-system"]}},"match": { "resources": { "kinds":["Kustomization","HelmRelease"]}},"validate": { "message":"spec.sourceRef.namespace {{ request .object .spec .sourceRef .namespace }} must be the same as metadata.namespace {{ request .object .metadata .namespace }} ","deny": { "conditions":[ { "key":" {{ request .object .spec .sourceRef .namespace }} ","operator":"NotEquals","value":" {{ request .object .metadata .namespace }} "}]}}}]}} ` ) ,
// referred variable path present with different value
2021-09-27 23:40:05 -07:00
resourceRaw : [ ] byte ( ` { "apiVersion":"kustomize.toolkit.fluxcd.io/v1beta1","kind":"Kustomization","metadata": { "name":"dev-team","namespace":"apps"},"spec": { "serviceAccountName":"dev-team","interval":"5m","sourceRef": { "kind":"GitRepository","name":"dev-team","namespace":"default"},"prune":true,"validation":"client"}} ` ) ,
2023-01-30 12:41:09 +01:00
expectedResults : [ ] engineapi . RuleStatus { engineapi . RuleStatusPass , engineapi . RuleStatusFail } ,
2021-09-26 02:12:31 -07:00
expectedMessages : [ ] string { "validation rule 'serviceAccountName' passed." , "spec.sourceRef.namespace default must be the same as metadata.namespace apps" } ,
2021-04-15 17:33:34 -07:00
} ,
{
name : "resource-comply" ,
policyRaw : [ ] byte ( ` { "apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata": { "name":"flux-multi-tenancy"},"spec": { "validationFailureAction":"enforce","rules":[ { "name":"serviceAccountName","exclude": { "resources": { "namespaces":["flux-system"]}},"match": { "resources": { "kinds":["Kustomization","HelmRelease"]}},"validate": { "message":".spec.serviceAccountName is required","pattern": { "spec": { "serviceAccountName":"?*"}}}}, { "name":"sourceRefNamespace","exclude": { "resources": { "namespaces":["flux-system"]}},"match": { "resources": { "kinds":["Kustomization","HelmRelease"]}},"validate": { "message":"spec.sourceRef.namespace must be the same as metadata.namespace","deny": { "conditions":[ { "key":" {{ request .object .spec .sourceRef .namespace }} ","operator":"NotEquals","value":" {{ request .object .metadata .namespace }} "}]}}}]}} ` ) ,
// referred variable path present with same value - validate passes
2021-09-27 23:40:05 -07:00
resourceRaw : [ ] byte ( ` { "apiVersion":"kustomize.toolkit.fluxcd.io/v1beta1","kind":"Kustomization","metadata": { "name":"dev-team","namespace":"apps"},"spec": { "serviceAccountName":"dev-team","interval":"5m","sourceRef": { "kind":"GitRepository","name":"dev-team","namespace":"apps"},"prune":true,"validation":"client"}} ` ) ,
2023-01-30 12:41:09 +01:00
expectedResults : [ ] engineapi . RuleStatus { engineapi . RuleStatusPass , engineapi . RuleStatusPass } ,
2021-09-26 02:12:31 -07:00
expectedMessages : [ ] string { "validation rule 'serviceAccountName' passed." , "validation rule 'sourceRefNamespace' passed." } ,
2021-04-15 17:33:34 -07:00
} ,
}
for _ , test := range tests {
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2021-04-15 17:33:34 -07:00
assert . NilError ( t , json . Unmarshal ( test . policyRaw , & policy ) )
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( test . resourceRaw )
2021-04-15 17:33:34 -07:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
policyContext := newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy )
2023-02-08 14:19:56 +01:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , policyContext , cfg , nil )
2021-04-15 17:33:34 -07:00
for i , rule := range er . PolicyResponse . Rules {
2023-04-05 12:35:38 +02:00
assert . Equal ( t , er . PolicyResponse . Rules [ i ] . Status ( ) , test . expectedResults [ i ] , "\ntest %s failed\nexpected: %s\nactual: %s" , test . name , test . expectedResults [ i ] , er . PolicyResponse . Rules [ i ] . Status ( ) )
assert . Equal ( t , er . PolicyResponse . Rules [ i ] . Message ( ) , test . expectedMessages [ i ] , "\ntest %s failed\nexpected: %s\nactual: %s" , test . name , test . expectedMessages [ i ] , rule . Message ( ) )
2021-04-15 17:33:34 -07:00
}
}
}
2020-12-23 15:10:07 -08:00
type testCase struct {
description string
policy [ ] byte
request [ ] byte
userInfo [ ] byte
requestDenied bool
}
func Test_denyFeatureIssue744_BlockUpdate ( t * testing . T ) {
testcases := [ ] testCase {
2020-05-07 02:35:24 +05:30
{
description : "Blocks update requests for resources with label allow-updates(success case)" ,
2021-03-02 10:01:06 +05:30
policy : [ ] byte ( ` { "apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata": { "name":"block-updates-success"},"spec": { "validationFailureAction":"enforce","background":false,"rules":[ { "name":"check-allow-updates","match": { "resources": { "selector": { "matchLabels": { "allow-updates":"false"}}}},"exclude": { "clusterRoles":["random"]},"validate": { "message":"Updating {{ request .object .kind }} / {{ request .object .metadata .name }} is not allowed","deny": { "conditions": { "all":[ { "key":" {{ request .operation }} ","operator":"Equals","value":"UPDATE"}]}}}}]}} ` ) ,
2020-05-19 10:32:42 -07:00
request : [ ] byte ( ` { "uid" : "7b0600b7-0258-4ecb-9666-c2839bd19612" , "kind" : { "group" : "" , "version" : "v1" , "kind" : "Pod" } , "resource" : { "group" : "" , "version" : "v1" , "resource" : "pods" } , "subResource" : "status" , "requestKind" : { "group" : "" , "version" : "v1" , "kind" : "Pod" } , "requestResource" : { "group" : "" , "version" : "v1" , "resource" : "pods" } , "requestSubResource" : "status" , "name" : "hello-world" , "namespace" : "default" , "operation" : "UPDATE" , "userInfo" : { "username" : "system:node:kind-control-plane" , "groups" : [ "system:authenticated" ] } , "object" : { "kind" : "Pod" , "apiVersion" : "v1" , "metadata" : { "name" : "hello-world" , "namespace" : "default" , "uid" : "2b42971e-6fcf-41a7-ae44-80963f957eae" , "resourceVersion" : "3438" , "creationTimestamp" : "2020-05-06T20:41:37Z" , "labels" : { "allow-updates" : "false" , "something" : "hereeeeeseee" } , "annotations" : { "kubectl.kubernetes.io/last-applied-configuration" : "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"hereeeeeseee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n" } } , "spec" : { "volumes" : [ { "name" : "default-token-4q2mj" , "secret" : { "secretName" : "default-token-4q2mj" , "defaultMode" : 420 } } ] , "containers" : [ { "name" : "hello-world" , "image" : "hello-world:latest" , "ports" : [ { "containerPort" : 80 , "protocol" : "TCP" } ] , "resources" : { "limits" : { "cpu" : "200m" , "memory" : "30Mi" } , "requests" : { "cpu" : "100m" , "memory" : "20Mi" } } , "volumeMounts" : [ { "name" : "default-token-4q2mj" , "readOnly" : true , "mountPath" : "/var/run/secrets/kubernetes.io/serviceaccount" } ] , "terminationMessagePath" : "/dev/termination-log" , "terminationMessagePolicy" : "File" , "imagePullPolicy" : "Always" } ] , "restartPolicy" : "Always" , "terminationGracePeriodSeconds" : 30 , "dnsPolicy" : "ClusterFirst" , "serviceAccountName" : "default" , "serviceAccount" : "default" , "nodeName" : "kind-control-plane" , "securityContext" : { } , "schedulerName" : "default-scheduler" , "tolerations" : [ { "key" : "node.kubernetes.io/not-ready" , "operator" : "Exists" , "effect" : "NoExecute" , "tolerationSeconds" : 300 } , { "key" : "node.kubernetes.io/unreachable" , "operator" : "Exists" , "effect" : "NoExecute" , "tolerationSeconds" : 300 } ] , "priority" : 0 , "enableServiceLinks" : true } , "status" : { "phase" : "Running" , "conditions" : [ { "type" : "Initialized" , "status" : "True" , "lastProbeTime" : null , "lastTransitionTime" : "2020-05-06T20:41:37Z" } , { "type" : "Ready" , "status" : "False" , "lastProbeTime" : null , "lastTransitionTime" : "2020-05-06T20:41:37Z" , "reason" : "ContainersNotReady" , "message" : "containers with unready status: [hello-world]" } , { "type" : "ContainersReady" , "status" : "False" , "lastProbeTime" : null , "lastTransitionTime" : "2020-05-06T20:41:37Z" , "reason" : "ContainersNotReady" , "message" : "containers with unready status: [hello-world]" } , { "type" : "PodScheduled" , "status" : "True" , "lastProbeTime" : null , "lastTransitionTime" : "2020-05-06T20:41:37Z" } ] , "hostIP" : "172.17.0.2" , "podIP" : "10.244.0.8" , "podIPs" : [ { "ip" : "10.244.0.8" } ] , "startTime" : "2020-05-06T20:41:37Z" , "containerStatuses" : [ { "name" : "hello-world" , "state" : { "terminated" : { "exitCode" : 0 , "reason" : "Completed" , "startedAt" : "2020-05-06T20:42:01Z" , "finishedAt" : "2020-05-06T20:42:01Z" , "containerID" : "containerd://46dc1c3dead976b5cc6e5f6a8dc86988e8ce401e6fd903d4637848dd4baac0c4" } } , "lastState" : { } , "ready" : false , "restartCount" : 0 , "image" : "docker.io/library/hello-world:latest" , "imageID" : "docker.io/library/hello-world@sha256:8e3114318a995a1ee497790535e7b88365222a21771ae7e53687ad76563e8e76" , "containerID" : "containerd://46dc1c3dead976b5cc6e5f6a8dc86988e8ce401e6fd903d4637848dd4baac0c4" , "started" : false } ] , "qosClass" : "Burstable" } } , "oldObject" : { "kind" : "Pod" , "apiVersion" : "v1" , "metadata" : { "name" : "hello-world" , "namespace" : "default" , "uid" : "2b42971e-6fcf-41a7-ae44-80963f957eae" , "resourceVersion" : "3438" , "creationTimestamp" : "2020-05-06T20:41:37Z" , "labels" : { "allow-updates" : "false" , "something" : "hereeeeeseee" } , "annotations" : { "kubectl.kubernetes.io/last-applied-configuration" : "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\" : { \
userInfo : [ ] byte ( ` { "roles":["kube-system:kubeadm:kubelet-config-1.17","kube-system:kubeadm:nodes-kubeadm-config"],"clusterRoles":["system:basic-user","system:certificates.k8s.io:certificatesigningrequests:selfnodeclient","system:public-info-viewer","system:discovery"],"userInfo": { "username":"kubernetes-admin","groups":["system:authenticated"]}} ` ) ,
requestDenied : true ,
2020-05-07 02:35:24 +05:30
} ,
{
description : "Blocks update requests for resources with label allow-updates(failure case)" ,
2021-03-02 10:01:06 +05:30
policy : [ ] byte ( ` { "apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata": { "name":"block-updates-failure"},"spec": { "validationFailureAction":"enforce","background":false,"rules":[ { "name":"check-allow-deletes","match": { "resources": { "selector": { "matchLabels": { "allow-deletes":"false"}}}},"exclude": { "clusterRoles":["random"]},"validate": { "message":"Deleting {{ request .oldObject .kind }} / {{ request .oldObject .metadata .name }} is not allowed","deny": { "conditions": { "all":[ { "key":" {{ request .operation }} ","operator":"Equal","value":"DELETE"}]}}}}]}} ` ) ,
2020-05-07 02:35:24 +05:30
request : [ ] byte ( ` { "uid":"9c284cdb-b0de-42aa-adf5-649a44bc861b","kind": { "group":"","version":"v1","kind":"Pod"},"resource": { "group":"","version":"v1","resource":"pods"},"requestKind": { "group":"","version":"v1","kind":"Pod"},"requestResource": { "group":"","version":"v1","resource":"pods"},"name":"hello-world","namespace":"default","operation":"CREATE","userInfo": { "username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"object": { "kind":"Pod","apiVersion":"v1","metadata": { "name":"hello-world","namespace":"default","uid":"41a928a7-73f4-419f-bd64-de11f4f0a8ca","creationTimestamp":"2020-05-06T20:43:50Z","labels": { "allow-updates":"false","something":"hereeeeeseee"},"annotations": { "kubectl.kubernetes.io/last-applied-configuration":" { \"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\": { \"annotations\": { },\"labels\": { \"allow-updates\":\"false\",\"something\":\"hereeeeeseee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\": { \"containers\":[ { \"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[ { \"containerPort\":80}],\"resources\": { \"limits\": { \"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\": { \"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec": { "volumes":[ { "name":"default-token-4q2mj","secret": { "secretName":"default-token-4q2mj"}}],"containers":[ { "name":"hello-world","image":"hello-world:latest","ports":[ { "containerPort":80,"protocol":"TCP"}],"resources": { "limits": { "cpu":"200m","memory":"30Mi"},"requests": { "cpu":"100m","memory":"20Mi"}},"volumeMounts":[ { "name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext": { },"schedulerName":"default-scheduler","tolerations":[ { "key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}, { "key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status": { "phase":"Pending","qosClass":"Burstable"}},"oldObject":null,"dryRun":false,"options": { "kind":"CreateOptions","apiVersion":"meta.k8s.io/v1"}} ` ) ,
userInfo : [ ] byte ( ` { "roles":null,"clusterRoles":["system:public-info-viewer","cluster-admin","system:discovery","system:basic-user"],"userInfo": { "username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}} ` ) ,
2020-05-19 10:32:42 -07:00
requestDenied : false ,
2020-05-07 02:35:24 +05:30
} ,
2020-12-23 15:10:07 -08:00
}
for _ , testcase := range testcases {
2022-05-15 02:34:35 +05:30
executeTest ( t , testcase )
2020-12-23 15:10:07 -08:00
}
}
func Test_denyFeatureIssue744_DenyAll ( t * testing . T ) {
testcases := [ ] testCase {
{
description : "Deny all requests on a namespace" ,
policy : [ ] byte ( ` { "apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata": { "name":"block-request"},"spec": { "validationFailureAction":"enforce","rules":[ { "name":"block-request","match": { "resources": { "namespaces":["kube-system"]}},"validate": { "deny": { }}}]}} ` ) ,
request : [ ] byte ( ` { "uid" : "2cf2b192-2c25-4f14-ac3a-315408d398f2" , "kind" : { "group" : "" , "version" : "v1" , "kind" : "Pod" } , "resource" : { "group" : "" , "version" : "v1" , "resource" : "pods" } , "requestKind" : { "group" : "" , "version" : "v1" , "kind" : "Pod" } , "requestResource" : { "group" : "" , "version" : "v1" , "resource" : "pods" } , "name" : "hello-world" , "namespace" : "default" , "operation" : "UPDATE" , "userInfo" : { "username" : "kubernetes-admin" , "groups" : [ "system:masters" , "system:authenticated" ] } , "object" : { "kind" : "Pod" , "apiVersion" : "v1" , "metadata" : { "name" : "hello-world" , "namespace" : "default" , "uid" : "f5c33eaf-79d8-4bc0-8819-749b3606012c" , "resourceVersion" : "5470" , "creationTimestamp" : "2020-05-06T20:57:15Z" , "labels" : { "allow-updates" : "false" , "something" : "existes" , "something2" : "feeereeeeeeeee" } , "annotations" : { "kubectl.kubernetes.io/last-applied-configuration" : "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"existes\",\"something2\":\"feeereeeeeeeee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n" } } , "spec" : { "volumes" : [ { "name" : "default-token-4q2mj" , "secret" : { "secretName" : "default-token-4q2mj" , "defaultMode" : 420 } } ] , "containers" : [ { "name" : "hello-world" , "image" : "hello-world:latest" , "ports" : [ { "containerPort" : 80 , "protocol" : "TCP" } ] , "resources" : { "limits" : { "cpu" : "200m" , "memory" : "30Mi" } , "requests" : { "cpu" : "100m" , "memory" : "20Mi" } } , "volumeMounts" : [ { "name" : "default-token-4q2mj" , "readOnly" : true , "mountPath" : "/var/run/secrets/kubernetes.io/serviceaccount" } ] , "terminationMessagePath" : "/dev/termination-log" , "terminationMessagePolicy" : "File" , "imagePullPolicy" : "Always" } ] , "restartPolicy" : "Always" , "terminationGracePeriodSeconds" : 30 , "dnsPolicy" : "ClusterFirst" , "serviceAccountName" : "default" , "serviceAccount" : "default" , "nodeName" : "kind-control-plane" , "securityContext" : { } , "schedulerName" : "default-scheduler" , "tolerations" : [ { "key" : "node.kubernetes.io/not-ready" , "operator" : "Exists" , "effect" : "NoExecute" , "tolerationSeconds" : 300 } , { "key" : "node.kubernetes.io/unreachable" , "operator" : "Exists" , "effect" : "NoExecute" , "tolerationSeconds" : 300 } ] , "priority" : 0 , "enableServiceLinks" : true } , "status" : { "phase" : "Pending" , "conditions" : [ { "type" : "Initialized" , "status" : "True" , "lastProbeTime" : null , "lastTransitionTime" : "2020-05-06T20:57:15Z" } , { "type" : "Ready" , "status" : "False" , "lastProbeTime" : null , "lastTransitionTime" : "2020-05-06T20:57:15Z" , "reason" : "ContainersNotReady" , "message" : "containers with unready status: [hello-world]" } , { "type" : "ContainersReady" , "status" : "False" , "lastProbeTime" : null , "lastTransitionTime" : "2020-05-06T20:57:15Z" , "reason" : "ContainersNotReady" , "message" : "containers with unready status: [hello-world]" } , { "type" : "PodScheduled" , "status" : "True" , "lastProbeTime" : null , "lastTransitionTime" : "2020-05-06T20:57:15Z" } ] , "hostIP" : "172.17.0.2" , "startTime" : "2020-05-06T20:57:15Z" , "containerStatuses" : [ { "name" : "hello-world" , "state" : { "waiting" : { "reason" : "ContainerCreating" } } , "lastState" : { } , "ready" : false , "restartCount" : 0 , "image" : "hello-world:latest" , "imageID" : "" , "started" : false } ] , "qosClass" : "Burstable" } } , "oldObject" : { "kind" : "Pod" , "apiVersion" : "v1" , "metadata" : { "name" : "hello-world" , "namespace" : "default" , "uid" : "f5c33eaf-79d8-4bc0-8819-749b3606012c" , "resourceVersion" : "5470" , "creationTimestamp" : "2020-05-06T20:57:15Z" , "labels" : { "allow-updates" : "false" , "something" : "existes" , "something2" : "feeereeeeeeeee" } , "annotations" : { "kubectl.kubernetes.io/last-applied-configuration" : "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"existes\",\"something2\":\"feeereeeeeeeee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\" } } } ] }
userInfo : [ ] byte ( ` { "roles":null,"clusterRoles":null,"userInfo": { "username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}} ` ) ,
requestDenied : false ,
} ,
}
for _ , testcase := range testcases {
2022-05-15 02:34:35 +05:30
executeTest ( t , testcase )
2020-12-23 15:10:07 -08:00
}
}
func Test_denyFeatureIssue744_BlockFields ( t * testing . T ) {
testcases := [ ] testCase {
2020-05-07 02:35:24 +05:30
{
description : "Blocks certain fields(success case)" ,
2021-03-02 10:01:06 +05:30
policy : [ ] byte ( ` { "apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata": { "name":"prevent-field-update-success"},"spec": { "validationFailureAction":"enforce","background":false,"rules":[ { "name":"prevent-field-update","match": { "resources": { "selector": { "matchLabels": { "allow-updates":"false"}}}},"validate": { "message":"Updating field label 'something' is not allowed","deny": { "conditions": { "all":[ { "key":" {{ request .object .metadata .labels .something }} ","operator":"NotEqual","value":""}, { "key":" {{ request .object .metadata .labels .something }} ","operator":"NotEquals","value":" {{ request .oldObject .metadata .labels .something }} "}]}}}}]}} ` ) ,
2020-05-07 02:35:24 +05:30
request : [ ] byte ( ` { "uid" : "11d46f83-a31b-444e-8209-c43b24f1af8a" , "kind" : { "group" : "" , "version" : "v1" , "kind" : "Pod" } , "resource" : { "group" : "" , "version" : "v1" , "resource" : "pods" } , "requestKind" : { "group" : "" , "version" : "v1" , "kind" : "Pod" } , "requestResource" : { "group" : "" , "version" : "v1" , "resource" : "pods" } , "name" : "hello-world" , "namespace" : "default" , "operation" : "UPDATE" , "userInfo" : { "username" : "kubernetes-admin" , "groups" : [ "system:masters" , "system:authenticated" ] } , "object" : { "kind" : "Pod" , "apiVersion" : "v1" , "metadata" : { "name" : "hello-world" , "namespace" : "default" , "uid" : "42bd0f0a-4b1f-4f7c-a40d-4dbed5522732" , "resourceVersion" : "4333" , "creationTimestamp" : "2020-05-06T20:51:58Z" , "labels" : { "allow-updates" : "false" , "something" : "existes" , "something2" : "feeereeeeeeeee" } , "annotations" : { "kubectl.kubernetes.io/last-applied-configuration" : "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"existes\",\"something2\":\"feeereeeeeeeee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n" } } , "spec" : { "volumes" : [ { "name" : "default-token-4q2mj" , "secret" : { "secretName" : "default-token-4q2mj" , "defaultMode" : 420 } } ] , "containers" : [ { "name" : "hello-world" , "image" : "hello-world:latest" , "ports" : [ { "containerPort" : 80 , "protocol" : "TCP" } ] , "resources" : { "limits" : { "cpu" : "200m" , "memory" : "30Mi" } , "requests" : { "cpu" : "100m" , "memory" : "20Mi" } } , "volumeMounts" : [ { "name" : "default-token-4q2mj" , "readOnly" : true , "mountPath" : "/var/run/secrets/kubernetes.io/serviceaccount" } ] , "terminationMessagePath" : "/dev/termination-log" , "terminationMessagePolicy" : "File" , "imagePullPolicy" : "Always" } ] , "restartPolicy" : "Always" , "terminationGracePeriodSeconds" : 30 , "dnsPolicy" : "ClusterFirst" , "serviceAccountName" : "default" , "serviceAccount" : "default" , "securityContext" : { } , "schedulerName" : "default-scheduler" , "tolerations" : [ { "key" : "node.kubernetes.io/not-ready" , "operator" : "Exists" , "effect" : "NoExecute" , "tolerationSeconds" : 300 } , { "key" : "node.kubernetes.io/unreachable" , "operator" : "Exists" , "effect" : "NoExecute" , "tolerationSeconds" : 300 } ] , "priority" : 0 , "enableServiceLinks" : true } , "status" : { "phase" : "Pending" , "qosClass" : "Burstable" } } , "oldObject" : { "kind" : "Pod" , "apiVersion" : "v1" , "metadata" : { "name" : "hello-world" , "namespace" : "default" , "uid" : "42bd0f0a-4b1f-4f7c-a40d-4dbed5522732" , "resourceVersion" : "4333" , "creationTimestamp" : "2020-05-06T20:51:58Z" , "labels" : { "allow-updates" : "false" , "something" : "exists" , "something2" : "feeereeeeeeeee" } , "annotations" : { "kubectl.kubernetes.io/last-applied-configuration" : "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"exists\",\"something2\":\"feeereeeeeeeee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n" } } , "spec" : { "volumes" : [ { "name" : "default-token-4q2mj" , "secret" : { "secretName" : "default-token-4q2mj" , "defaultMode" : 420 } } ] , "containers" : [ { "name" : "hello-world" , "image" : "hello-world:latest" , "ports" : [ { "containerPort" : 80 , "protocol" : "TCP" } ] , "resources" : { "limits" : { "cpu" : "200m" , "memory" : "30Mi" } , "requests" : { "cpu" : "100m" , "memory" : "20Mi" } } , "volumeMounts" : [ { "name" : "default-token-4q2mj" , "readOnly" : true , "mountPath" : "/var/run/secrets/kubernetes.io/serviceaccount" } ] , "terminationMessagePath" : "/dev/termination-log" , "terminationMessagePolicy" : "File" , "imagePullPolicy" : "Always" } ] , "restartPolicy" : "Always" , "terminationGracePeriodSeconds" : 30 , "dnsPolicy" : "ClusterFirst" , "serviceAccountName" : "default" , "serviceAccount" : "default" , "securityContext" : { } , "schedulerName" : "default-scheduler" , "tolerations" : [ { "key" : "node.kubernetes.io/not-ready" , "operator" : "Exists" , "effect" : "NoExecute" , "tolerationSeconds" : 300 } , { "key" : " node
userInfo : [ ] byte ( ` { "roles":null,"clusterRoles":null,"userInfo": { "username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}} ` ) ,
2020-05-19 10:32:42 -07:00
requestDenied : true ,
2020-05-07 02:35:24 +05:30
} ,
{
description : "Blocks certain fields(failure case)" ,
2021-03-02 10:01:06 +05:30
policy : [ ] byte ( ` { "apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata": { "name":"prevent-field-update-failure"},"spec": { "validationFailureAction":"enforce","background":false,"rules":[ { "name":"prevent-field-update","match": { "resources": { "selector": { "matchLabels": { "allow-updates":"false"}}}},"validate": { "message":"Updating field label 'something' is not allowed","deny": { "conditions": { "all":[ { "key":" {{ request .object .metadata .labels .something }} ","operator":"NotEqual","value":""}, { "key":" {{ request .object .metadata .labels .something }} ","operator":"NotEquals","value":" {{ request .oldObject .metadata .labels .something }} "}]}}}}]}} ` ) ,
2020-05-07 02:35:24 +05:30
request : [ ] byte ( ` { "uid":"cbdce9bb-741d-466a-a440-36155eb4b45b","kind": { "group":"","version":"v1","kind":"Pod"},"resource": { "group":"","version":"v1","resource":"pods"},"requestKind": { "group":"","version":"v1","kind":"Pod"},"requestResource": { "group":"","version":"v1","resource":"pods"},"name":"hello-world","namespace":"kube-system","operation":"CREATE","userInfo": { "username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"object": { "kind":"Pod","apiVersion":"v1","metadata": { "name":"hello-world","namespace":"kube-system","uid":"490c240c-f96a-4d5a-8860-75597bab0a7e","creationTimestamp":"2020-05-06T21:01:50Z","annotations": { "kubectl.kubernetes.io/last-applied-configuration":" { \"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\": { \"annotations\": { },\"name\":\"hello-world\",\"namespace\":\"kube-system\"},\"spec\": { \"containers\":[ { \"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[ { \"containerPort\":80}],\"resources\": { \"limits\": { \"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\": { \"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec": { "volumes":[ { "name":"default-token-8h2h8","secret": { "secretName":"default-token-8h2h8"}}],"containers":[ { "name":"hello-world","image":"hello-world:latest","ports":[ { "containerPort":80,"protocol":"TCP"}],"resources": { "limits": { "cpu":"200m","memory":"30Mi"},"requests": { "cpu":"100m","memory":"20Mi"}},"volumeMounts":[ { "name":"default-token-8h2h8","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext": { },"schedulerName":"default-scheduler","tolerations":[ { "key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}, { "key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status": { "phase":"Pending","qosClass":"Burstable"}},"oldObject":null,"dryRun":false,"options": { "kind":"CreateOptions","apiVersion":"meta.k8s.io/v1"}} ` ) ,
userInfo : [ ] byte ( ` { "roles":null,"clusterRoles":null,"userInfo": { "username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}} ` ) ,
2020-05-19 10:32:42 -07:00
requestDenied : false ,
2020-05-07 02:35:24 +05:30
} ,
2020-12-23 15:10:07 -08:00
}
for _ , testcase := range testcases {
2022-05-15 02:34:35 +05:30
executeTest ( t , testcase )
2020-12-23 15:10:07 -08:00
}
}
2020-12-23 15:57:12 -08:00
func Test_BlockLabelRemove ( t * testing . T ) {
testcases := [ ] testCase {
{
2023-05-19 05:57:57 +08:00
description : "Blocks certain fields(success case)" ,
policy : [ ] byte ( `
{
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "prevent-label-remove"
} ,
"spec" : {
"background" : false ,
"rules" : [
{
"name" : "prevent-field-update" ,
"match" : {
"resources" : {
"kinds" : [
"*"
]
}
} ,
"preconditions" : {
"any" : [
{
"key" : "{{ request.object.metadata.labels.\"allow-updates\" }} | '' " ,
"operator" : "Equals" ,
"value" : "false"
} ,
{
"key" : "{{ request.oldObject.metadata.labels.\"allow-updates\" }} | '' " ,
"operator" : "Equals" ,
"value" : "false"
}
]
} ,
"validate" : {
2024-08-27 23:07:57 +03:00
"failureAction" : "enforce" ,
2023-05-19 05:57:57 +08:00
"message" : "not allowed" ,
"deny" : {
"conditions" : {
"all" : [
{
"key" : "{{ request.operation }}" ,
"operator" : "In" ,
"value" : [
"DELETE" ,
"UPDATE"
]
}
]
}
}
}
}
]
}
} ` ) ,
2020-12-23 15:57:12 -08:00
request : [ ] byte ( ` { "uid" : "11d46f83-a31b-444e-8209-c43b24f1af8a" , "kind" : { "group" : "" , "version" : "v1" , "kind" : "Pod" } , "resource" : { "group" : "" , "version" : "v1" , "resource" : "pods" } , "requestKind" : { "group" : "" , "version" : "v1" , "kind" : "Pod" } , "requestResource" : { "group" : "" , "version" : "v1" , "resource" : "pods" } , "name" : "hello-world" , "namespace" : "default" , "operation" : "UPDATE" , "userInfo" : { "username" : "kubernetes-admin" , "groups" : [ "system:masters" , "system:authenticated" ] } , "object" : { "kind" : "Pod" , "apiVersion" : "v1" , "metadata" : { "name" : "hello-world" , "namespace" : "default" , "uid" : "42bd0f0a-4b1f-4f7c-a40d-4dbed5522732" , "resourceVersion" : "4333" , "creationTimestamp" : "2020-05-06T20:51:58Z" , "labels" : { "something" : "exists" , "something2" : "feeereeeeeeeee" } , "annotations" : { "kubectl.kubernetes.io/last-applied-configuration" : "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"existes\",\"something2\":\"feeereeeeeeeee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n" } } , "spec" : { "volumes" : [ { "name" : "default-token-4q2mj" , "secret" : { "secretName" : "default-token-4q2mj" , "defaultMode" : 420 } } ] , "containers" : [ { "name" : "hello-world" , "image" : "hello-world:latest" , "ports" : [ { "containerPort" : 80 , "protocol" : "TCP" } ] , "resources" : { "limits" : { "cpu" : "200m" , "memory" : "30Mi" } , "requests" : { "cpu" : "100m" , "memory" : "20Mi" } } , "volumeMounts" : [ { "name" : "default-token-4q2mj" , "readOnly" : true , "mountPath" : "/var/run/secrets/kubernetes.io/serviceaccount" } ] , "terminationMessagePath" : "/dev/termination-log" , "terminationMessagePolicy" : "File" , "imagePullPolicy" : "Always" } ] , "restartPolicy" : "Always" , "terminationGracePeriodSeconds" : 30 , "dnsPolicy" : "ClusterFirst" , "serviceAccountName" : "default" , "serviceAccount" : "default" , "securityContext" : { } , "schedulerName" : "default-scheduler" , "tolerations" : [ { "key" : "node.kubernetes.io/not-ready" , "operator" : "Exists" , "effect" : "NoExecute" , "tolerationSeconds" : 300 } , { "key" : "node.kubernetes.io/unreachable" , "operator" : "Exists" , "effect" : "NoExecute" , "tolerationSeconds" : 300 } ] , "priority" : 0 , "enableServiceLinks" : true } , "status" : { "phase" : "Pending" , "qosClass" : "Burstable" } } , "oldObject" : { "kind" : "Pod" , "apiVersion" : "v1" , "metadata" : { "name" : "hello-world" , "namespace" : "default" , "uid" : "42bd0f0a-4b1f-4f7c-a40d-4dbed5522732" , "resourceVersion" : "4333" , "creationTimestamp" : "2020-05-06T20:51:58Z" , "labels" : { "allow-updates" : "false" , "something" : "exists" , "something2" : "feeereeeeeeeee" } , "annotations" : { "kubectl.kubernetes.io/last-applied-configuration" : "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"exists\",\"something2\":\"feeereeeeeeeee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n" } } , "spec" : { "volumes" : [ { "name" : "default-token-4q2mj" , "secret" : { "secretName" : "default-token-4q2mj" , "defaultMode" : 420 } } ] , "containers" : [ { "name" : "hello-world" , "image" : "hello-world:latest" , "ports" : [ { "containerPort" : 80 , "protocol" : "TCP" } ] , "resources" : { "limits" : { "cpu" : "200m" , "memory" : "30Mi" } , "requests" : { "cpu" : "100m" , "memory" : "20Mi" } } , "volumeMounts" : [ { "name" : "default-token-4q2mj" , "readOnly" : true , "mountPath" : "/var/run/secrets/kubernetes.io/serviceaccount" } ] , "terminationMessagePath" : "/dev/termination-log" , "terminationMessagePolicy" : "File" , "imagePullPolicy" : "Always" } ] , "restartPolicy" : "Always" , "terminationGracePeriodSeconds" : 30 , "dnsPolicy" : "ClusterFirst" , "serviceAccountName" : "default" , "serviceAccount" : "default" , "securityContext" : { } , "schedulerName" : "default-scheduler" , "tolerations" : [ { "key" : "node.kubernetes.io/not-ready" , "operator" : "Exists" , "effect" : "NoExecute" , "tolerationSeconds" : 300 } , { "key" : " node . kubernetes . io / unreachabl
userInfo : [ ] byte ( ` { "roles":null,"clusterRoles":null,"userInfo": { "username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}} ` ) ,
requestDenied : true ,
} ,
}
for _ , testcase := range testcases {
2022-05-15 02:34:35 +05:30
executeTest ( t , testcase )
2020-12-23 15:57:12 -08:00
}
}
2020-12-23 15:10:07 -08:00
func Test_denyFeatureIssue744_BlockDelete ( t * testing . T ) {
testcases := [ ] testCase {
2020-05-07 02:35:24 +05:30
{
2020-12-23 15:10:07 -08:00
description : "Blocks delete requests for resources with label allow-deletes(success case)" ,
2021-03-02 10:01:06 +05:30
policy : [ ] byte ( ` { "apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata": { "name":"block-deletes-success"},"spec": { "validationFailureAction":"enforce","background":false,"rules":[ { "name":"check-allow-deletes","match": { "resources": { "selector": { "matchLabels": { "allow-deletes":"false"}}}},"exclude": { "clusterRoles":["random"]},"validate": { "message":"Deleting {{ request .oldObject .kind }} / {{ request .oldObject .metadata .name }} is not allowed","deny": { "conditions": { "all":[ { "key":" {{ request .operation }} ","operator":"Equal","value":"DELETE"}]}}}}]}} ` ) ,
2020-12-23 15:10:07 -08:00
request : [ ] byte ( ` { "uid":"b553344a-172a-4257-8ec4-a8f379f8b844","kind": { "group":"","version":"v1","kind":"Pod"},"resource": { "group":"","version":"v1","resource":"pods"},"requestKind": { "group":"","version":"v1","kind":"Pod"},"requestResource": { "group":"","version":"v1","resource":"pods"},"name":"hello-world","namespace":"default","operation":"DELETE","userInfo": { "username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"object":null,"oldObject": { "kind":"Pod","apiVersion":"v1","metadata": { "name":"hello-world","namespace":"default","uid":"f093e3da-f13a-474f-87e8-43e98fe363bf","resourceVersion":"1983","creationTimestamp":"2020-05-06T20:28:43Z","labels": { "allow-deletes":"false"},"annotations": { "kubectl.kubernetes.io/last-applied-configuration":" { \"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\": { \"annotations\": { },\"labels\": { \"allow-deletes\":\"false\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\": { \"containers\":[ { \"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[ { \"containerPort\":80}],\"resources\": { \"limits\": { \"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\": { \"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec": { "volumes":[ { "name":"default-token-4q2mj","secret": { "secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[ { "name":"hello-world","image":"hello-world:latest","ports":[ { "containerPort":80,"protocol":"TCP"}],"resources": { "limits": { "cpu":"200m","memory":"30Mi"},"requests": { "cpu":"100m","memory":"20Mi"}},"volumeMounts":[ { "name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext": { },"schedulerName":"default-scheduler","tolerations":[ { "key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}, { "key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status": { "phase":"Pending","conditions":[ { "type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:28:43Z"}, { "type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:28:43Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"}, { "type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:28:43Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"}, { "type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:28:43Z"}],"hostIP":"172.17.0.2","startTime":"2020-05-06T20:28:43Z","containerStatuses":[ { "name":"hello-world","state": { "waiting": { "reason":"ContainerCreating"}},"lastState": { },"ready":false,"restartCount":0,"image":"hello-world:latest","imageID":"","started":false}],"qosClass":"Burstable"}},"dryRun":false,"options": { "kind":"DeleteOptions","apiVersion":"meta.k8s.io/v1","gracePeriodSeconds":30,"propagationPolicy":"Background"}} ` ) ,
userInfo : [ ] byte ( ` { "roles":null,"clusterRoles":["cluster-admin","system:basic-user","system:discovery","system:public-info-viewer"],"userInfo": { "username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}} ` ) ,
requestDenied : true ,
} ,
{
description : "Blocks delete requests for resources with label allow-deletes(failure case)" ,
2021-03-02 10:01:06 +05:30
policy : [ ] byte ( ` { "apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata": { "name":"block-deletes-failure"},"spec": { "validationFailureAction":"enforce","background":false,"rules":[ { "name":"check-allow-deletes","match": { "resources": { "selector": { "matchLabels": { "allow-deletes":"false"}}}},"exclude": { "clusterRoles":["random"]},"validate": { "message":"Deleting {{ request .oldObject .kind }} / {{ request .oldObject .metadata .name }} is not allowed","deny": { "conditions": { "all":[ { "key":" {{ request .operation }} ","operator":"Equal","value":"DELETE"}]}}}}]}} ` ) ,
2020-12-23 15:10:07 -08:00
request : [ ] byte ( ` { "uid" : "9a83234d-95d1-4105-b6bf-7d72fd0183ce" , "kind" : { "group" : "" , "version" : "v1" , "kind" : "Pod" } , "resource" : { "group" : "" , "version" : "v1" , "resource" : "pods" } , "subResource" : "status" , "requestKind" : { "group" : "" , "version" : "v1" , "kind" : "Pod" } , "requestResource" : { "group" : "" , "version" : "v1" , "resource" : "pods" } , "requestSubResource" : "status" , "name" : "hello-world" , "namespace" : "default" , "operation" : "UPDATE" , "userInfo" : { "username" : "system:node:kind-control-plane" , "groups" : [ "system:nodes" , "system:authenticated" ] } , "object" : { "kind" : "Pod" , "apiVersion" : "v1" , "metadata" : { "name" : "hello-world" , "namespace" : "default" , "uid" : "10fb7e1f-3710-43fa-9b7d-fc532b5ff70e" , "resourceVersion" : "2829" , "creationTimestamp" : "2020-05-06T20:36:51Z" , "labels" : { "allow-deletes" : "false" } , "annotations" : { "kubectl.kubernetes.io/last-applied-configuration" : "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-deletes\":\"false\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n" } } , "spec" : { "volumes" : [ { "name" : "default-token-4q2mj" , "secret" : { "secretName" : "default-token-4q2mj" , "defaultMode" : 420 } } ] , "containers" : [ { "name" : "hello-world" , "image" : "hello-world:latest" , "ports" : [ { "containerPort" : 80 , "protocol" : "TCP" } ] , "resources" : { "limits" : { "cpu" : "200m" , "memory" : "30Mi" } , "requests" : { "cpu" : "100m" , "memory" : "20Mi" } } , "volumeMounts" : [ { "name" : "default-token-4q2mj" , "readOnly" : true , "mountPath" : "/var/run/secrets/kubernetes.io/serviceaccount" } ] , "terminationMessagePath" : "/dev/termination-log" , "terminationMessagePolicy" : "File" , "imagePullPolicy" : "Always" } ] , "restartPolicy" : "Always" , "terminationGracePeriodSeconds" : 30 , "dnsPolicy" : "ClusterFirst" , "serviceAccountName" : "default" , "serviceAccount" : "default" , "nodeName" : "kind-control-plane" , "securityContext" : { } , "schedulerName" : "default-scheduler" , "tolerations" : [ { "key" : "node.kubernetes.io/not-ready" , "operator" : "Exists" , "effect" : "NoExecute" , "tolerationSeconds" : 300 } , { "key" : "node.kubernetes.io/unreachable" , "operator" : "Exists" , "effect" : "NoExecute" , "tolerationSeconds" : 300 } ] , "priority" : 0 , "enableServiceLinks" : true } , "status" : { "phase" : "Pending" , "conditions" : [ { "type" : "Initialized" , "status" : "True" , "lastProbeTime" : null , "lastTransitionTime" : "2020-05-06T20:36:51Z" } , { "type" : "Ready" , "status" : "False" , "lastProbeTime" : null , "lastTransitionTime" : "2020-05-06T20:36:51Z" , "reason" : "ContainersNotReady" , "message" : "containers with unready status: [hello-world]" } , { "type" : "ContainersReady" , "status" : "False" , "lastProbeTime" : null , "lastTransitionTime" : "2020-05-06T20:36:51Z" , "reason" : "ContainersNotReady" , "message" : "containers with unready status: [hello-world]" } , { "type" : "PodScheduled" , "status" : "True" , "lastProbeTime" : null , "lastTransitionTime" : "2020-05-06T20:36:51Z" } ] , "hostIP" : "172.17.0.2" , "startTime" : "2020-05-06T20:36:51Z" , "containerStatuses" : [ { "name" : "hello-world" , "state" : { "waiting" : { "reason" : "ContainerCreating" } } , "lastState" : { } , "ready" : false , "restartCount" : 0 , "image" : "hello-world:latest" , "imageID" : "" , "started" : false } ] , "qosClass" : "Burstable" } } , "oldObject" : { "kind" : "Pod" , "apiVersion" : "v1" , "metadata" : { "name" : "hello-world" , "namespace" : "default" , "uid" : "10fb7e1f-3710-43fa-9b7d-fc532b5ff70e" , "resourceVersion" : "2829" , "creationTimestamp" : "2020-05-06T20:36:51Z" , "labels" : { "allow-deletes" : "false" } , "annotations" : { "kubectl.kubernetes.io/last-applied-configuration" : "{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-deletes\":\"false\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n" } } , "spec" : { "volumes" : [ { "name" : "default-token-4q2mj" , "secret" : { "secretName" : "default-token-4q2mj" , "defaultMode" : 420 } } ] , "containers" : [ { "name" : "hello-world" , "
userInfo : [ ] byte ( ` { "roles":["kube-system:kubeadm:nodes-kubeadm-config","kube-system:kubeadm:kubelet-config-1.17"],"clusterRoles":["system:discovery","system:certificates.k8s.io:certificatesigningrequests:selfnodeclient","system:public-info-viewer","system:basic-user"],"userInfo": { "username":"kubernetes-admin","groups":["system:nodes","system:authenticated"]}} ` ) ,
2020-05-19 10:32:42 -07:00
requestDenied : false ,
2020-05-07 02:35:24 +05:30
} ,
}
for _ , testcase := range testcases {
2022-05-15 02:34:35 +05:30
executeTest ( t , testcase )
2020-12-23 15:10:07 -08:00
}
}
2020-05-07 02:35:24 +05:30
2022-05-15 02:34:35 +05:30
func executeTest ( t * testing . T , test testCase ) {
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2022-05-15 02:34:35 +05:30
err := json . Unmarshal ( test . policy , & policy )
2020-12-23 15:10:07 -08:00
if err != nil {
t . Fatal ( err )
}
2020-05-07 02:35:24 +05:30
2023-04-04 07:11:18 +02:00
var request admissionv1 . AdmissionRequest
2020-12-23 15:10:07 -08:00
err = json . Unmarshal ( test . request , & request )
if err != nil {
t . Fatal ( err )
}
2020-05-07 02:35:24 +05:30
2024-06-20 11:44:43 +02:00
var userInfo kyvernov2 . RequestInfo
2020-12-23 15:10:07 -08:00
err = json . Unmarshal ( test . userInfo , & userInfo )
if err != nil {
t . Fatal ( err )
}
2020-05-07 02:35:24 +05:30
2023-01-03 10:33:09 +01:00
newR , oldR , err := admissionutils . ExtractResources ( nil , request )
2020-12-23 15:10:07 -08:00
if err != nil {
t . Fatal ( err )
}
2023-12-03 23:35:36 -08:00
pc := newPolicyContext ( t , newR , kyvernov1 . AdmissionOperation ( request . Operation ) , & userInfo ) .
2023-03-24 17:24:00 +01:00
WithPolicy ( & policy ) .
2023-05-12 16:14:48 +02:00
WithOldResource ( oldR )
2020-05-19 10:32:42 -07:00
2023-02-08 14:19:56 +01:00
resp := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , pc , cfg , nil )
2020-12-23 15:10:07 -08:00
if resp . IsSuccessful ( ) && test . requestDenied {
2020-05-19 10:32:42 -07:00
t . Errorf ( "Testcase has failed, policy: %v" , policy . Name )
2020-05-07 02:35:24 +05:30
}
}
2021-04-29 22:39:44 +05:30
func TestValidate_context_variable_substitution_CLI ( t * testing . T ) {
rawPolicy := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "restrict-pod-count"
} ,
"spec" : {
"background" : false ,
"rules" : [
{
"name" : "restrict-pod-count" ,
"match" : {
"resources" : {
"kinds" : [
"Pod"
]
}
} ,
"context" : [
{
"name" : "podcounts" ,
"apiCall" : {
"urlPath" : "/api/v1/pods" ,
"jmesPath" : "items[?spec.nodeName=='minikube'] | length(@)"
}
}
] ,
"validate" : {
2024-08-27 23:07:57 +03:00
"failureAction" : "enforce" ,
2021-04-29 22:39:44 +05:30
"message" : "restrict pod counts to be no more than 10 on node minikube" ,
"deny" : {
"conditions" : [
{
"key" : "{{ podcounts }}" ,
"operator" : "GreaterThanOrEquals" ,
"value" : 10
}
]
}
}
}
]
}
}
` )
rawResource := [ ] byte ( `
{
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "nginx-config-test"
} ,
"spec" : {
"containers" : [
{
"image" : "nginx:latest" ,
"name" : "test-nginx"
}
]
}
}
` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2021-04-29 22:39:44 +05:30
err := json . Unmarshal ( rawPolicy , & policy )
assert . NilError ( t , err )
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( rawResource )
2021-04-29 22:39:44 +05:30
assert . NilError ( t , err )
msgs := [ ] string {
"restrict pod counts to be no more than 10 on node minikube" ,
}
2023-06-26 22:46:30 +02:00
ctxLoaderFactory := factories . DefaultContextLoaderFactory (
nil ,
factories . WithInitializer ( func ( jsonContext enginecontext . Interface ) error {
if err := jsonContext . AddVariable ( "podcounts" , "12" ) ; err != nil {
return err
}
return nil
} ) ,
)
2023-02-08 14:19:56 +01:00
er := testValidate (
context . TODO ( ) ,
registryclient . NewOrDie ( ) ,
2023-06-26 22:46:30 +02:00
newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy ) ,
2023-02-08 14:19:56 +01:00
cfg ,
2023-06-26 22:46:30 +02:00
ctxLoaderFactory ,
2023-02-08 14:19:56 +01:00
)
2021-04-29 22:39:44 +05:30
for index , r := range er . PolicyResponse . Rules {
2023-04-05 12:35:38 +02:00
assert . Equal ( t , r . Message ( ) , msgs [ index ] )
2021-04-29 22:39:44 +05:30
}
assert . Assert ( t , ! er . IsSuccessful ( ) )
}
2021-07-28 19:54:50 +03:00
func Test_EmptyStringInDenyCondition ( t * testing . T ) {
policyRaw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : {
"annotations" : {
"meta.helm.sh/release-name" : "kyverno-policies" ,
"meta.helm.sh/release-namespace" : "kyverno" ,
"pod-policies.kyverno.io/autogen-controllers" : "none"
} ,
"labels" : {
"app.kubernetes.io/managed-by" : "Helm"
} ,
"name" : "if-baltic-restrict-external-load-balancer"
} ,
"spec" : {
"background" : true ,
"rules" : [
{
"match" : {
"resources" : {
"kinds" : [
"Service"
]
}
} ,
"name" : "match-service-type" ,
"preconditions" : [
{
"key" : "{{request.object.spec.type}}" ,
"operator" : "Equals" ,
"value" : "LoadBalancer"
}
] ,
"validate" : {
2024-08-27 23:07:57 +03:00
"failureAction" : "enforce" ,
2021-07-28 19:54:50 +03:00
"deny" : {
"conditions" : [
{
"key" : "{{ request.object.metadata.annotations.\"service.beta.kubernetes.io/azure-load-balancer-internal\"}}" ,
"operator" : "NotEquals" ,
"value" : "true"
}
]
}
}
}
2024-08-06 21:24:28 +03:00
]
2021-07-28 19:54:50 +03:00
}
} ` )
resourceRaw := [ ] byte ( ` {
"apiVersion" : "v1" ,
"kind" : "Service" ,
"metadata" : {
"name" : "example-service"
} ,
"spec" : {
"selector" : {
"app" : "example"
} ,
"ports" : [
{
"port" : 8765 ,
"targetPort" : 9376
}
] ,
"type" : "LoadBalancer"
}
} ` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2021-07-28 19:54:50 +03:00
err := json . Unmarshal ( policyRaw , & policy )
assert . NilError ( t , err )
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( resourceRaw )
2021-07-28 19:54:50 +03:00
assert . NilError ( t , err )
2023-03-24 17:24:00 +01:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) ,
2023-06-26 22:46:30 +02:00
newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) .
2023-05-12 16:14:48 +02:00
WithPolicy ( & policy ) ,
2023-03-24 17:24:00 +01:00
cfg , nil )
2021-07-28 19:54:50 +03:00
assert . Assert ( t , ! er . IsSuccessful ( ) )
}
func Test_StringInDenyCondition ( t * testing . T ) {
policyRaw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : {
"annotations" : {
"meta.helm.sh/release-name" : "kyverno-policies" ,
"meta.helm.sh/release-namespace" : "kyverno" ,
"pod-policies.kyverno.io/autogen-controllers" : "none"
} ,
"labels" : {
"app.kubernetes.io/managed-by" : "Helm"
} ,
"name" : "if-baltic-restrict-external-load-balancer"
} ,
"spec" : {
"background" : true ,
"rules" : [
{
"match" : {
"resources" : {
"kinds" : [
"Service"
]
}
} ,
"name" : "match-service-type" ,
"preconditions" : [
{
"key" : "{{request.object.spec.type}}" ,
"operator" : "Equals" ,
"value" : "LoadBalancer"
}
] ,
"validate" : {
2024-08-27 23:07:57 +03:00
"failureAction" : "enforce" ,
2021-07-28 19:54:50 +03:00
"deny" : {
"conditions" : [
{
"key" : "{{ request.object.metadata.annotations.\"service.beta.kubernetes.io/azure-load-balancer-internal\"}}" ,
"operator" : "NotEquals" ,
"value" : "true"
}
]
}
}
}
2024-08-06 21:24:28 +03:00
]
2021-07-28 19:54:50 +03:00
}
} ` )
resourceRaw := [ ] byte ( ` {
"apiVersion" : "v1" ,
"kind" : "Service" ,
"metadata" : {
"name" : "example-service" ,
"annotations" : {
"service.beta.kubernetes.io/azure-load-balancer-internal" : "true"
}
} ,
"spec" : {
"selector" : {
"app" : "example"
} ,
"ports" : [
{
"port" : 8765 ,
"targetPort" : 9376
}
] ,
"type" : "LoadBalancer"
}
} ` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2021-07-28 19:54:50 +03:00
err := json . Unmarshal ( policyRaw , & policy )
assert . NilError ( t , err )
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( resourceRaw )
2021-07-28 19:54:50 +03:00
assert . NilError ( t , err )
2023-03-24 17:24:00 +01:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) ,
2023-06-26 22:46:30 +02:00
newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) .
2023-05-12 16:14:48 +02:00
WithPolicy ( & policy ) ,
2023-03-24 17:24:00 +01:00
cfg , nil )
2021-07-28 19:54:50 +03:00
assert . Assert ( t , er . IsSuccessful ( ) )
}
2021-09-27 14:28:55 -07:00
func Test_foreach_container_pass ( t * testing . T ) {
resourceRaw := [ ] byte ( ` {
"apiVersion" : "v1" ,
"kind" : "Deployment" ,
"metadata" : { "name" : "test" } ,
"spec" : { "template" : { "spec" : {
"containers" : [
{ "name" : "pod1-valid" , "image" : "nginx/nginx:v1" } ,
{ "name" : "pod2-valid" , "image" : "nginx/nginx:v2" } ,
{ "name" : "pod3-valid" , "image" : "nginx/nginx:v3" }
]
} } } } ` )
policyraw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
2021-10-14 12:50:52 +05:30
"metadata" : {
"name" : "test"
} ,
2021-09-27 14:28:55 -07:00
"spec" : {
"rules" : [
{
"name" : "test-path-not-exist" ,
2021-10-14 12:50:52 +05:30
"match" : {
"resources" : {
"kinds" : [
"Deployment"
]
}
} ,
2021-09-27 14:28:55 -07:00
"validate" : {
2021-10-14 12:50:52 +05:30
"foreach" : [
{
"list" : "request.object.spec.template.spec.containers" ,
"pattern" : {
"name" : "*-valid"
}
2021-09-27 14:28:55 -07:00
}
2021-10-14 12:50:52 +05:30
]
}
}
]
}
} ` )
2021-09-27 14:28:55 -07:00
2023-02-08 14:19:56 +01:00
testForEach ( t , policyraw , resourceRaw , "" , engineapi . RuleStatusPass , nil )
2021-09-27 14:28:55 -07:00
}
func Test_foreach_container_fail ( t * testing . T ) {
resourceRaw := [ ] byte ( ` {
"apiVersion" : "v1" ,
"kind" : "Deployment" ,
"metadata" : { "name" : "test" } ,
"spec" : { "template" : { "spec" : {
"containers" : [
{ "name" : "pod1-valid" , "image" : "nginx/nginx:v1" } ,
{ "name" : "pod2-invalid" , "image" : "nginx/nginx:v2" } ,
{ "name" : "pod3-valid" , "image" : "nginx/nginx:v3" }
]
} } } } ` )
policyraw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : { "name" : "test" } ,
"spec" : {
"rules" : [
{
"name" : "test" ,
"match" : { "resources" : { "kinds" : [ "Deployment" ] } } ,
"validate" : {
2021-10-14 12:50:52 +05:30
"foreach" : [
{
"list" : "request.object.spec.template.spec.containers" ,
"pattern" : {
"name" : "*-valid"
}
2021-09-27 14:28:55 -07:00
}
2021-10-14 12:50:52 +05:30
]
2021-09-27 14:28:55 -07:00
} } ] } } ` )
2023-02-08 14:19:56 +01:00
testForEach ( t , policyraw , resourceRaw , "" , engineapi . RuleStatusFail , nil )
2021-09-27 14:28:55 -07:00
}
func Test_foreach_container_deny_fail ( t * testing . T ) {
resourceRaw := [ ] byte ( ` {
"apiVersion" : "v1" ,
"kind" : "Deployment" ,
"metadata" : { "name" : "test" } ,
"spec" : { "template" : { "spec" : {
"containers" : [
{ "name" : "pod1-valid" , "image" : "nginx/nginx:v1" } ,
{ "name" : "pod2-invalid" , "image" : "docker.io/nginx/nginx:v2" } ,
{ "name" : "pod3-valid" , "image" : "nginx/nginx:v3" }
]
} } } } ` )
policyraw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
2021-10-14 12:50:52 +05:30
"metadata" : {
"name" : "test"
} ,
2021-09-27 14:28:55 -07:00
"spec" : {
"rules" : [
{
"name" : "test" ,
2021-10-14 12:50:52 +05:30
"match" : {
"resources" : {
"kinds" : [
"Deployment"
]
}
} ,
2021-09-27 14:28:55 -07:00
"validate" : {
2021-10-14 12:50:52 +05:30
"foreach" : [
{
"list" : "request.object.spec.template.spec.containers" ,
"deny" : {
"conditions" : [
{
"key" : "{{ regex_match('{{element.image}}', 'docker.io') }}" ,
"operator" : "Equals" ,
"value" : false
}
]
}
2021-09-27 14:28:55 -07:00
}
2021-10-14 12:50:52 +05:30
]
}
}
]
}
} ` )
2021-09-27 14:28:55 -07:00
2023-02-08 14:19:56 +01:00
testForEach ( t , policyraw , resourceRaw , "" , engineapi . RuleStatusFail , nil )
2021-09-27 14:28:55 -07:00
}
func Test_foreach_container_deny_success ( t * testing . T ) {
resourceRaw := [ ] byte ( ` {
"apiVersion" : "v1" ,
"kind" : "Deployment" ,
"metadata" : { "name" : "test" } ,
"spec" : { "template" : { "spec" : {
"containers" : [
{ "name" : "pod1-valid" , "image" : "nginx/nginx:v1" } ,
{ "name" : "pod2-invalid" , "image" : "nginx/nginx:v2" } ,
{ "name" : "pod3-valid" , "image" : "nginx/nginx:v3" }
]
} } } } ` )
policyraw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : { "name" : "test" } ,
"spec" : {
"rules" : [
{
"name" : "test" ,
"match" : { "resources" : { "kinds" : [ "Deployment" ] } } ,
"validate" : {
2021-10-14 12:50:52 +05:30
"foreach" : [
{
"list" : "request.object.spec.template.spec.containers" ,
"deny" : {
"conditions" : [
{
"key" : "{{ regex_match('{{element.image}}', 'docker.io') }}" ,
"operator" : "Equals" ,
"value" : false
}
]
}
2021-09-27 14:28:55 -07:00
}
2021-10-14 12:50:52 +05:30
]
2021-09-27 14:28:55 -07:00
} } ] } } ` )
2023-02-08 14:19:56 +01:00
testForEach ( t , policyraw , resourceRaw , "" , engineapi . RuleStatusFail , nil )
2021-09-27 14:28:55 -07:00
}
func Test_foreach_container_deny_error ( t * testing . T ) {
resourceRaw := [ ] byte ( ` {
"apiVersion" : "v1" ,
"kind" : "Deployment" ,
"metadata" : { "name" : "test" } ,
"spec" : { "template" : { "spec" : {
"containers" : [
{ "name" : "pod1-valid" , "image" : "nginx/nginx:v1" } ,
{ "name" : "pod2-invalid" , "image" : "nginx/nginx:v2" } ,
{ "name" : "pod3-valid" , "image" : "nginx/nginx:v3" }
]
} } } } ` )
policyraw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
2021-10-14 12:50:52 +05:30
"metadata" : {
"name" : "test"
} ,
2021-09-27 14:28:55 -07:00
"spec" : {
"rules" : [
{
"name" : "test" ,
2021-10-14 12:50:52 +05:30
"match" : {
"resources" : {
"kinds" : [
"Deployment"
]
}
} ,
2021-09-27 14:28:55 -07:00
"validate" : {
2021-10-14 12:50:52 +05:30
"foreach" : [
{
"list" : "request.object.spec.template.spec.containers" ,
"deny" : {
"conditions" : [
{
"key" : "{{ regex_match_INVALID('{{request.object.image}}', 'docker.io') }}" ,
"operator" : "Equals" ,
"value" : false
}
]
}
2021-09-27 14:28:55 -07:00
}
2021-10-14 12:50:52 +05:30
]
}
}
]
}
} ` )
2021-09-27 14:28:55 -07:00
2023-02-08 14:19:56 +01:00
testForEach ( t , policyraw , resourceRaw , "" , engineapi . RuleStatusError , nil )
2021-09-27 14:28:55 -07:00
}
func Test_foreach_context_preconditions ( t * testing . T ) {
resourceRaw := [ ] byte ( ` {
"apiVersion" : "v1" ,
"kind" : "Deployment" ,
"metadata" : { "name" : "test" } ,
"spec" : { "template" : { "spec" : {
"containers" : [
2021-09-27 23:40:05 -07:00
{ "name" : "podvalid" , "image" : "nginx/nginx:v1" } ,
{ "name" : "podinvalid" , "image" : "nginx/nginx:v2" }
2021-09-27 14:28:55 -07:00
]
} } } } ` )
policyraw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
2021-10-14 12:50:52 +05:30
"metadata" : {
"name" : "test"
} ,
2021-09-27 14:28:55 -07:00
"spec" : {
"rules" : [
{
"name" : "test" ,
2021-10-14 12:50:52 +05:30
"match" : {
"resources" : {
"kinds" : [
"Deployment"
]
}
} ,
2021-09-27 14:28:55 -07:00
"validate" : {
2021-10-14 12:50:52 +05:30
"foreach" : [
{
"list" : "request.object.spec.template.spec.containers" ,
"context" : [
{
"name" : "img" ,
"configMap" : {
"name" : "mycmap" ,
"namespace" : "default"
}
}
] ,
"preconditions" : {
"all" : [
{
"key" : "{{element.name}}" ,
"operator" : "In" ,
"value" : [
"podvalid"
]
}
]
} ,
"deny" : {
"conditions" : [
{
"key" : "{{ element.image }}" ,
"operator" : "NotEquals" ,
"value" : "{{ img.data.{{ element.name }} }}"
}
]
2021-09-27 14:28:55 -07:00
}
}
2021-10-14 12:50:52 +05:30
]
}
}
]
}
} ` )
2023-06-26 22:46:30 +02:00
ctxLoaderFactory := factories . DefaultContextLoaderFactory (
nil ,
factories . WithInitializer ( func ( jsonContext enginecontext . Interface ) error {
if err := jsonContext . AddVariable ( "img.data.podvalid" , "nginx/nginx:v1" ) ; err != nil {
return err
}
if err := jsonContext . AddVariable ( "img.data.podinvalid" , "nginx/nginx:v2" ) ; err != nil {
return err
}
return nil
} ) ,
)
2023-02-08 14:19:56 +01:00
testForEach (
t ,
policyraw ,
resourceRaw ,
"" ,
engineapi . RuleStatusPass ,
2023-06-26 22:46:30 +02:00
ctxLoaderFactory ,
2023-01-30 16:30:47 +01:00
)
2021-09-27 14:28:55 -07:00
}
func Test_foreach_context_preconditions_fail ( t * testing . T ) {
resourceRaw := [ ] byte ( ` {
"apiVersion" : "v1" ,
"kind" : "Deployment" ,
"metadata" : { "name" : "test" } ,
"spec" : { "template" : { "spec" : {
"containers" : [
2021-09-27 23:40:05 -07:00
{ "name" : "podvalid" , "image" : "nginx/nginx:v1" } ,
{ "name" : "podinvalid" , "image" : "nginx/nginx:v2" }
2021-09-27 14:28:55 -07:00
]
} } } } ` )
policyraw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
2021-10-14 12:50:52 +05:30
"metadata" : {
"name" : "test"
} ,
2021-09-27 14:28:55 -07:00
"spec" : {
"rules" : [
{
"name" : "test" ,
2021-10-14 12:50:52 +05:30
"match" : {
"resources" : {
"kinds" : [
"Deployment"
]
}
} ,
2021-09-27 14:28:55 -07:00
"validate" : {
2021-10-14 12:50:52 +05:30
"foreach" : [
{
"list" : "request.object.spec.template.spec.containers" ,
"context" : [
{
"name" : "img" ,
"configMap" : {
"name" : "mycmap" ,
"namespace" : "default"
}
}
] ,
"preconditions" : {
"all" : [
{
"key" : "{{element.name}}" ,
"operator" : "In" ,
"value" : [
"podvalid" ,
"podinvalid"
]
}
]
} ,
"deny" : {
"conditions" : [
{
"key" : "{{ element.image }}" ,
"operator" : "NotEquals" ,
"value" : "{{ img.data.{{ element.name }} }}"
}
]
2021-09-27 14:28:55 -07:00
}
}
2021-10-14 12:50:52 +05:30
]
}
}
]
}
} ` )
2023-06-26 22:46:30 +02:00
ctxLoaderFactory := factories . DefaultContextLoaderFactory (
nil ,
factories . WithInitializer ( func ( jsonContext enginecontext . Interface ) error {
if err := jsonContext . AddVariable ( "img.data.podvalid" , "nginx/nginx:v1" ) ; err != nil {
return err
}
if err := jsonContext . AddVariable ( "img.data.podinvalid" , "nginx/nginx:v1" ) ; err != nil {
return err
}
return nil
} ) ,
)
2023-02-08 14:19:56 +01:00
testForEach (
t ,
policyraw ,
resourceRaw ,
"" ,
engineapi . RuleStatusFail ,
2023-06-26 22:46:30 +02:00
ctxLoaderFactory ,
2023-01-30 16:30:47 +01:00
)
2021-09-27 14:28:55 -07:00
}
2021-10-14 22:44:11 +05:30
func Test_foreach_element_validation ( t * testing . T ) {
resourceRaw := [ ] byte ( ` {
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "nginx"
} ,
"spec" : {
"containers" : [
{
"name" : "nginx1" ,
"image" : "nginx"
} ,
{
"name" : "nginx2" ,
"image" : "nginx"
}
]
}
} ` )
policyraw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : { "name" : "check-container-names" } ,
"spec" : {
"validationFailureAction" : "enforce" ,
"background" : false ,
"rules" : [
{
"name" : "test" ,
"match" : { "resources" : { "kinds" : [ "Pod" ] } } ,
"validate" : {
"message" : "Invalid name" ,
"foreach" : [
{
"list" : "request.object.spec.containers" ,
"pattern" : {
"name" : "{{ element.name }}"
}
}
]
} } ] } } ` )
2023-02-08 14:19:56 +01:00
testForEach ( t , policyraw , resourceRaw , "" , engineapi . RuleStatusPass , nil )
2021-10-14 22:44:11 +05:30
}
func Test_outof_foreach_element_validation ( t * testing . T ) {
resourceRaw := [ ] byte ( ` {
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "nginx"
} ,
"spec" : {
"containers" : [
{
"name" : "nginx1" ,
"image" : "nginx"
} ,
{
"name" : "nginx2" ,
"image" : "nginx"
}
]
}
} ` )
policyraw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : { "name" : "check-container-names" } ,
"spec" : {
"background" : false ,
"rules" : [
{
"name" : "test" ,
"match" : { "resources" : { "kinds" : [ "Pod" ] } } ,
"validate" : {
2024-08-27 23:07:57 +03:00
"failureAction" : "enforce" ,
2021-10-14 22:44:11 +05:30
"message" : "Invalid name" ,
"pattern" : {
"name" : "{{ element.name }}"
}
} } ] } } ` )
2023-02-08 14:19:56 +01:00
testForEach ( t , policyraw , resourceRaw , "" , engineapi . RuleStatusError , nil )
2021-10-14 22:44:11 +05:30
}
2021-10-19 15:34:53 +05:30
func Test_foreach_skip_initContainer_pass ( t * testing . T ) {
resourceRaw := [ ] byte ( ` { "apiVersion" : "v1" ,
"kind" : "Deployment" ,
"metadata" : { "name" : "test" } ,
"spec" : { "template" : { "spec" : {
"containers" : [
{ "name" : "podvalid" , "image" : "nginx" }
]
} } } } ` )
policyraw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "check-images"
} ,
"spec" : {
"background" : false ,
"rules" : [
{
"name" : "check-registry" ,
"match" : {
"resources" : {
"kinds" : [
"Deployment"
]
}
} ,
"validate" : {
2024-08-27 23:07:57 +03:00
"failureAction" : "enforce" ,
2021-10-19 15:34:53 +05:30
"message" : "unknown registry" ,
"foreach" : [
{
"list" : "request.object.spec.template.spec.containers" ,
"pattern" : {
"image" : "nginx"
}
} ,
{
2022-12-12 07:20:20 -08:00
"list" : "request.object.spec.template.spec.initContainers" ,
2021-10-19 15:34:53 +05:30
"pattern" : {
"image" : "trusted-registry.io/*"
}
}
]
}
}
]
}
} ` )
2023-02-08 14:19:56 +01:00
testForEach ( t , policyraw , resourceRaw , "" , engineapi . RuleStatusPass , nil )
2021-10-19 15:34:53 +05:30
}
2022-12-12 07:20:20 -08:00
func Test_foreach_validate_nested ( t * testing . T ) {
resourceRaw := [ ] byte ( ` {
"apiVersion" : "networking.k8s.io/v1" ,
"kind" : "Ingress" ,
"metadata" : {
"name" : "name-virtual-host-ingress"
} ,
"spec" : {
"rules" : [
{
"host" : "foo.bar.com" ,
"http" : {
"paths" : [
{
"pathType" : "Prefix" ,
"path" : "/" ,
"backend" : {
"service" : {
"name" : "service1" ,
"port" : {
"number" : 80
}
}
}
}
]
}
} ,
{
"host" : "bar.foo.com" ,
"http" : {
"paths" : [
{
"pathType" : "Prefix" ,
"path" : "/" ,
"backend" : {
"service" : {
"name" : "service2" ,
"port" : {
"number" : 80
}
}
}
}
]
}
}
]
}
} ` )
policyraw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : {
"name" : "replace-image-registry"
} ,
"spec" : {
"background" : false ,
"rules" : [
{
"name" : "replace-dns-suffix" ,
"match" : {
"any" : [
{
"resources" : {
"kinds" : [
"Ingress"
]
}
}
]
} ,
"validate" : {
"foreach" : [
{
"list" : "request.object.spec.rules" ,
"foreach" : [
{
"list" : "element.http.paths" ,
"pattern" : {
"path" : "/"
}
}
]
}
]
}
}
]
}
} ` )
2023-02-08 14:19:56 +01:00
testForEach ( t , policyraw , resourceRaw , "" , engineapi . RuleStatusPass , nil )
2022-12-12 07:20:20 -08:00
}
2023-02-08 14:19:56 +01:00
func testForEach ( t * testing . T , policyraw [ ] byte , resourceRaw [ ] byte , msg string , status engineapi . RuleStatus , contextLoader engineapi . ContextLoaderFactory ) {
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2021-09-27 14:28:55 -07:00
assert . NilError ( t , json . Unmarshal ( policyraw , & policy ) )
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( resourceRaw )
2021-09-27 14:28:55 -07:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
policyContext := newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) .
2023-05-12 16:14:48 +02:00
WithPolicy ( & policy )
2021-09-27 14:28:55 -07:00
2023-02-08 14:19:56 +01:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , policyContext , cfg , contextLoader )
2021-09-27 14:28:55 -07:00
2023-04-05 12:35:38 +02:00
assert . Equal ( t , er . PolicyResponse . Rules [ 0 ] . Status ( ) , status )
2021-09-27 14:28:55 -07:00
if msg != "" {
2023-04-05 12:35:38 +02:00
assert . Equal ( t , er . PolicyResponse . Rules [ 0 ] . Message ( ) , msg )
2021-09-27 14:28:55 -07:00
}
}
2021-10-18 09:34:07 -07:00
func Test_delete_ignore_pattern ( t * testing . T ) {
resourceRaw := [ ] byte ( ` {
"apiVersion" : "v1" ,
"kind" : "Pod" ,
"metadata" : {
"name" : "nginx" ,
"labels" : { "app.kubernetes.io/foo" : "myapp-pod" }
} ,
"spec" : {
"containers" : [
{
"name" : "nginx1" ,
"image" : "nginx"
} ,
{
"name" : "nginx2" ,
"image" : "nginx"
}
]
}
} ` )
policyRaw := [ ] byte ( ` {
"apiVersion" : "kyverno.io/v1" ,
"kind" : "ClusterPolicy" ,
"metadata" : { "name" : "check-container-labels" } ,
"spec" : {
"background" : false ,
"rules" : [
{
"name" : "test" ,
"match" : { "resources" : { "kinds" : [ "Pod" ] } } ,
"validate" : {
2024-08-27 23:07:57 +03:00
"failureAction" : "enforce" ,
2021-10-18 09:34:07 -07:00
"message" : "Invalid label" ,
"pattern" : {
"metadata" : {
"labels" : { "app.kubernetes.io/name" : "myapp-pod" }
}
}
} } ] } } ` )
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2021-10-18 09:34:07 -07:00
assert . NilError ( t , json . Unmarshal ( policyRaw , & policy ) )
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( resourceRaw )
2021-10-18 09:34:07 -07:00
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
policyContextCreate := newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) .
2023-05-12 16:14:48 +02:00
WithPolicy ( & policy )
2023-03-24 17:24:00 +01:00
2023-02-08 14:19:56 +01:00
engineResponseCreate := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , policyContextCreate , cfg , nil )
2021-10-18 09:34:07 -07:00
assert . Equal ( t , len ( engineResponseCreate . PolicyResponse . Rules ) , 1 )
2023-04-05 12:35:38 +02:00
assert . Equal ( t , engineResponseCreate . PolicyResponse . Rules [ 0 ] . Status ( ) , engineapi . RuleStatusFail )
2021-10-18 09:34:07 -07:00
2023-06-26 22:46:30 +02:00
policyContextDelete := newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Delete , nil ) .
2023-05-12 16:14:48 +02:00
WithPolicy ( & policy )
2023-03-24 17:24:00 +01:00
2023-02-08 14:19:56 +01:00
engineResponseDelete := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , policyContextDelete , cfg , nil )
2021-10-18 09:34:07 -07:00
assert . Equal ( t , len ( engineResponseDelete . PolicyResponse . Rules ) , 0 )
}
2022-02-17 09:18:49 -08:00
func Test_block_bypass ( t * testing . T ) {
testcases := [ ] testCase {
{
description : "Blocks bypass of policy by manipulating pre-conditions" ,
policy : [ ] byte ( ` { "apiVersion":"kyverno.io/v1","kind":"Policy","metadata": { "name":"configmap-policy"},"spec": { "rules":[ { "match": { "resources": { "kinds":["ConfigMap"]}},"name":"key-abc","preconditions": { "any":[ { "key":"admin","operator":"Equals","value":" {{ request .object .data .lock }} "}]},"validate": { "anyPattern":[ { "data": { "key":"abc"}}],"message":"Configmap key must be \"abc\""}}]}} ` ) ,
request : [ ] byte ( ` { "uid":"7b0600b7-0258-4ecb-9666-c2839bd19612","kind": { "group":"","version":"v1","kind":"ConfigMap"},"resource": { "group":"","version":"v1","resource":"configmaps"},"subResource":"status","requestKind": { "group":"","version":"v1","kind":"configmaps"},"requestResource": { "group":"","version":"v1","resource":"configmaps"},"name":"test-configmap","namespace":"default","operation":"UPDATE","userInfo": { "username":"system:node:kind-control-plane","groups":["system:authenticated"]},"object": { "apiVersion":"v1","kind":"ConfigMap","metadata": { "name":"test-configmap"},"data": { "key":"xyz","lock":"admin"}},"oldObject": { "apiVersion":"v1","kind":"ConfigMap","metadata": { "name":"test-configmap"},"data": { "key":"xyz"}},"dryRun":false,"options": { "kind":"UpdateOptions","apiVersion":"meta.k8s.io/v1"}} ` ) ,
userInfo : [ ] byte ( ` { "roles":["kube-system:kubeadm:kubelet-config-1.17","kube-system:kubeadm:nodes-kubeadm-config"],"clusterRoles":["system:basic-user","system:certificates.k8s.io:certificatesigningrequests:selfnodeclient","system:public-info-viewer","system:discovery"],"userInfo": { "username":"kubernetes-admin","groups":["system:authenticated"]}} ` ) ,
requestDenied : true ,
} ,
}
for _ , testcase := range testcases {
2022-05-15 02:34:35 +05:30
executeTest ( t , testcase )
2022-02-17 09:18:49 -08:00
}
}
2022-11-28 18:31:51 +05:30
func Test_ValidatePattern_anyPattern ( t * testing . T ) {
2023-06-26 22:46:30 +02:00
var policy kyvernov1 . ClusterPolicy
2022-11-28 18:31:51 +05:30
rawPolicy := [ ] byte ( ` { "apiVersion":"kyverno.io\/v1","kind":"ClusterPolicy","metadata": { "name":"validate-service-loadbalancer"},"spec": { "validationFailureAction":"enforce","rules":[ { "name":"check-loadbalancer-public","match": { "resources": { "kinds":["Service"]}},"validate": { "message":"Service of type 'LoadBalancer' is public and does not explicitly define network security. To use a public LB you must supply either spec[loadBalancerSourceRanges] or the 'service.beta.kubernetes.io\/aws-load-balancer-security-groups' annotation.","anyPattern":[ { "spec": { "<(type)":"LoadBalancer"},"metadata": { "annotations": { "service.beta.kubernetes.io\/aws-load-balancer-security-groups":"?*"}}}, { "spec": { "<(type)":"LoadBalancer","loadBalancerSourceRanges":"*"}}]}}, { "name":"check-loadbalancer-internal","match": { "resources": { "kinds":["Service"]}},"validate": { "message":"Service of type 'LoadBalancer' is internal and does not explicitly define network security. To set the LB to internal, use annotation 'service.beta.kubernetes.io\/aws-load-balancer-internal' with value 'true' or '0.0.0.0\/0' ","pattern": { "spec": { "<(type)":"LoadBalancer"},"metadata": { "annotations": { "=(service.beta.kubernetes.io\/aws-load-balancer-internal)":"0.0.0.0\/0|true"}}}}}]}} ` )
testCases := [ ] struct {
description string
rawPolicy [ ] byte
rawResource [ ] byte
expectedFailed bool
expectedSkipped bool
expectedSuccess bool
} {
{
description : "skip" ,
rawPolicy : rawPolicy ,
rawResource : [ ] byte ( ` { "apiVersion":"v1","kind":"Service","metadata": { "labels": { "app.kubernetes.io\/managed-by":"Helm"},"name":"service-clusterip-pass"},"spec": { "type":"ClusterIP","ports":[ { "name":"http","port":80,"protocol":"TCP","targetPort":3000}]}} ` ) ,
expectedSkipped : true ,
} ,
{
description : "fail" ,
rawPolicy : rawPolicy ,
rawResource : [ ] byte ( ` { "apiVersion":"v1","kind":"Service","metadata": { "annotations": { "service.beta.kubernetes.io\/aws-load-balancer-internal":"anything"},"labels": { "app.kubernetes.io\/managed-by":"Helm"},"name":"service-internal-fail"},"spec": { "type":"LoadBalancer","clusterIP":"10.96.0.2","ports":[ { "name":"http","nodePort":31207,"port":80,"protocol":"TCP","targetPort":3000}]}} ` ) ,
expectedFailed : true ,
} ,
{
description : "success" ,
rawPolicy : rawPolicy ,
rawResource : [ ] byte ( ` { "apiVersion":"v1","kind":"Service","metadata": { "annotations": { "service.beta.kubernetes.io\/aws-load-balancer-internal":"0.0.0.0\/0"},"labels": { "app.kubernetes.io\/managed-by":"Helm"},"name":"service-internal-pass"},"spec": { "type":"LoadBalancer","clusterIP":"100.69.148.11","loadBalancerSourceRanges":["3.224.166.65\/32","3.210.193.151\/32","3.226.136.65\/32","10.0.0.0\/8"]}} ` ) ,
expectedSuccess : true ,
} ,
}
for _ , tc := range testCases {
t . Run ( tc . description , func ( t * testing . T ) {
err := json . Unmarshal ( tc . rawPolicy , & policy )
assert . NilError ( t , err )
2023-01-03 13:02:15 +01:00
resourceUnstructured , err := kubeutils . BytesToUnstructured ( tc . rawResource )
2022-11-28 18:31:51 +05:30
assert . NilError ( t , err )
2023-06-26 22:46:30 +02:00
er := testValidate ( context . TODO ( ) , registryclient . NewOrDie ( ) , newPolicyContext ( t , * resourceUnstructured , kyvernov1 . Create , nil ) . WithPolicy ( & policy ) , cfg , nil )
2022-11-28 18:31:51 +05:30
if tc . expectedFailed {
assert . Assert ( t , er . IsFailed ( ) )
} else if tc . expectedSkipped {
assert . Assert ( t , er . IsSkipped ( ) )
} else if tc . expectedSuccess {
assert . Assert ( t , er . IsSuccessful ( ) )
}
} )
}
}
