2020-03-11 18:14:23 -07:00
|
|
|
package validate
|
|
|
|
|
|
|
|
|
|
import (
|
2023-03-22 21:14:57 +08:00
|
|
|
"context"
|
2020-03-11 18:14:23 -07:00
|
|
|
"encoding/json"
|
|
|
|
|
"testing"
|
|
|
|
|
|
2021-10-29 18:13:20 +02:00
|
|
|
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
|
2020-03-11 18:14:23 -07:00
|
|
|
"gotest.tools/assert"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func Test_Validate_OverlayPattern_Empty(t *testing.T) {
|
|
|
|
|
rawValidation := []byte(`
|
|
|
|
|
{}`)
|
|
|
|
|
|
2024-08-20 01:55:32 -07:00
|
|
|
var rule kyverno.Rule
|
|
|
|
|
err := json.Unmarshal(rawValidation, &rule)
|
2020-03-11 18:14:23 -07:00
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
2024-08-20 01:55:32 -07:00
|
|
|
checker := NewMockValidateFactory(&rule)
|
2024-09-04 19:26:24 +08:00
|
|
|
if _, _, err := checker.Validate(context.TODO(), nil); err != nil {
|
2020-03-11 18:14:23 -07:00
|
|
|
assert.Assert(t, err != nil)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
func Test_Validate_OverlayPattern_Nil_PatternAnypattern(t *testing.T) {
|
|
|
|
|
rawValidation := []byte(`
|
|
|
|
|
{ "message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
|
|
|
|
|
}
|
|
|
|
|
`)
|
|
|
|
|
|
|
|
|
|
var validation kyverno.Validation
|
|
|
|
|
err := json.Unmarshal(rawValidation, &validation)
|
|
|
|
|
assert.NilError(t, err)
|
2024-09-11 11:12:53 +02:00
|
|
|
checker := NewMockValidateFactory(&kyverno.Rule{Validation: &validation})
|
2024-09-04 19:26:24 +08:00
|
|
|
if _, _, err := checker.Validate(context.TODO(), nil); err != nil {
|
2020-03-11 18:14:23 -07:00
|
|
|
assert.Assert(t, err != nil)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_Validate_OverlayPattern_Exist_PatternAnypattern(t *testing.T) {
|
|
|
|
|
rawValidation := []byte(`
|
|
|
|
|
{
|
|
|
|
|
"message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false",
|
|
|
|
|
"anyPattern": [
|
|
|
|
|
{
|
|
|
|
|
"spec": {
|
|
|
|
|
"securityContext": {
|
|
|
|
|
"allowPrivilegeEscalation": false,
|
|
|
|
|
"privileged": false
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
"pattern": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"containers": [
|
|
|
|
|
{
|
|
|
|
|
"name": "*",
|
|
|
|
|
"securityContext": {
|
|
|
|
|
"allowPrivilegeEscalation": false,
|
|
|
|
|
"privileged": false
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}`)
|
|
|
|
|
|
|
|
|
|
var validation kyverno.Validation
|
|
|
|
|
err := json.Unmarshal(rawValidation, &validation)
|
|
|
|
|
assert.NilError(t, err)
|
2024-09-11 11:12:53 +02:00
|
|
|
checker := NewMockValidateFactory(&kyverno.Rule{Validation: &validation})
|
2024-09-04 19:26:24 +08:00
|
|
|
if _, _, err := checker.Validate(context.TODO(), nil); err != nil {
|
2020-03-11 18:14:23 -07:00
|
|
|
assert.Assert(t, err != nil)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
func Test_Validate_OverlayPattern_Valid(t *testing.T) {
|
|
|
|
|
rawValidation := []byte(`
|
|
|
|
|
{
|
|
|
|
|
"message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false",
|
|
|
|
|
"anyPattern": [
|
|
|
|
|
{
|
|
|
|
|
"spec": {
|
|
|
|
|
"securityContext": {
|
|
|
|
|
"allowPrivilegeEscalation": false,
|
|
|
|
|
"privileged": false
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"spec": {
|
|
|
|
|
"containers": [
|
|
|
|
|
{
|
|
|
|
|
"name": "*",
|
|
|
|
|
"securityContext": {
|
|
|
|
|
"allowPrivilegeEscalation": false,
|
|
|
|
|
"privileged": false
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
`)
|
|
|
|
|
|
|
|
|
|
var validation kyverno.Validation
|
|
|
|
|
err := json.Unmarshal(rawValidation, &validation)
|
|
|
|
|
assert.NilError(t, err)
|
2024-09-11 11:12:53 +02:00
|
|
|
checker := NewMockValidateFactory(&kyverno.Rule{Validation: &validation})
|
2024-09-04 19:26:24 +08:00
|
|
|
if _, _, err := checker.Validate(context.TODO(), nil); err != nil {
|
2020-03-11 18:14:23 -07:00
|
|
|
assert.NilError(t, err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_Validate_ExistingAnchor_AnchorOnMap(t *testing.T) {
|
|
|
|
|
rawValidation := []byte(`
|
|
|
|
|
{
|
|
|
|
|
"message": "validate container security contexts",
|
|
|
|
|
"anyPattern": [
|
|
|
|
|
{
|
|
|
|
|
"spec": {
|
|
|
|
|
"template": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"containers": [
|
|
|
|
|
{
|
|
|
|
|
"^(securityContext)": {
|
|
|
|
|
"runAsNonRoot": true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
`)
|
|
|
|
|
|
|
|
|
|
var validation kyverno.Validation
|
|
|
|
|
err := json.Unmarshal(rawValidation, &validation)
|
|
|
|
|
assert.NilError(t, err)
|
2024-09-11 11:12:53 +02:00
|
|
|
checker := NewMockValidateFactory(&kyverno.Rule{Validation: &validation})
|
2024-09-04 19:26:24 +08:00
|
|
|
if _, _, err := checker.Validate(context.TODO(), nil); err != nil {
|
2020-03-11 18:14:23 -07:00
|
|
|
assert.Assert(t, err != nil)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_Validate_ExistingAnchor_AnchorOnString(t *testing.T) {
|
|
|
|
|
rawValidation := []byte(`{
|
|
|
|
|
"message": "validate container security contexts",
|
|
|
|
|
"pattern": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"template": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"containers": [
|
|
|
|
|
{
|
|
|
|
|
"securityContext": {
|
|
|
|
|
"allowPrivilegeEscalation": "^(false)"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
`)
|
|
|
|
|
|
|
|
|
|
var validation kyverno.Validation
|
|
|
|
|
err := json.Unmarshal(rawValidation, &validation)
|
|
|
|
|
assert.NilError(t, err)
|
2024-09-11 11:12:53 +02:00
|
|
|
checker := NewMockValidateFactory(&kyverno.Rule{Validation: &validation})
|
2024-09-04 19:26:24 +08:00
|
|
|
if _, _, err := checker.Validate(context.TODO(), nil); err != nil {
|
2020-03-11 18:14:23 -07:00
|
|
|
assert.Assert(t, err != nil)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_Validate_ExistingAnchor_Valid(t *testing.T) {
|
|
|
|
|
var err error
|
|
|
|
|
var validation kyverno.Validation
|
|
|
|
|
rawValidation := []byte(`
|
|
|
|
|
{
|
|
|
|
|
"message": "validate container security contexts",
|
|
|
|
|
"anyPattern": [
|
|
|
|
|
{
|
|
|
|
|
"spec": {
|
|
|
|
|
"template": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"^(containers)": [
|
|
|
|
|
{
|
|
|
|
|
"securityContext": {
|
|
|
|
|
"runAsNonRoot": "true"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}`)
|
|
|
|
|
|
|
|
|
|
err = json.Unmarshal(rawValidation, &validation)
|
|
|
|
|
assert.NilError(t, err)
|
2024-09-11 11:12:53 +02:00
|
|
|
checker := NewMockValidateFactory(&kyverno.Rule{Validation: &validation})
|
2024-09-04 19:26:24 +08:00
|
|
|
if _, _, err := checker.Validate(context.TODO(), nil); err != nil {
|
2020-03-11 18:14:23 -07:00
|
|
|
assert.Assert(t, err != nil)
|
|
|
|
|
}
|
|
|
|
|
rawValidation = []byte(`
|
|
|
|
|
{
|
|
|
|
|
"message": "validate container security contexts",
|
|
|
|
|
"pattern": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"template": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"^(containers)": [
|
|
|
|
|
{
|
|
|
|
|
"securityContext": {
|
|
|
|
|
"allowPrivilegeEscalation": "false"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} `)
|
|
|
|
|
err = json.Unmarshal(rawValidation, &validation)
|
|
|
|
|
assert.NilError(t, err)
|
2024-09-11 11:12:53 +02:00
|
|
|
checker = NewMockValidateFactory(&kyverno.Rule{Validation: &validation})
|
2024-09-04 19:26:24 +08:00
|
|
|
if _, _, err := checker.Validate(context.TODO(), nil); err != nil {
|
2020-03-11 18:14:23 -07:00
|
|
|
assert.Assert(t, err != nil)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_Validate_Validate_ValidAnchor(t *testing.T) {
|
|
|
|
|
var err error
|
|
|
|
|
var validate kyverno.Validation
|
|
|
|
|
var rawValidate []byte
|
|
|
|
|
// case 1
|
|
|
|
|
rawValidate = []byte(`
|
|
|
|
|
{
|
|
|
|
|
"message": "Root user is not allowed. Set runAsNonRoot to true.",
|
|
|
|
|
"anyPattern": [
|
|
|
|
|
{
|
|
|
|
|
"spec": {
|
|
|
|
|
"securityContext": {
|
|
|
|
|
"(runAsNonRoot)": true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"spec": {
|
|
|
|
|
"^(containers)": [
|
|
|
|
|
{
|
|
|
|
|
"name": "*",
|
|
|
|
|
"securityContext": {
|
|
|
|
|
"runAsNonRoot": true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}`)
|
|
|
|
|
|
|
|
|
|
err = json.Unmarshal(rawValidate, &validate)
|
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
2024-09-11 11:12:53 +02:00
|
|
|
checker := NewMockValidateFactory(&kyverno.Rule{Validation: &validate})
|
2024-09-04 19:26:24 +08:00
|
|
|
if _, _, err := checker.Validate(context.TODO(), nil); err != nil {
|
2020-03-11 18:14:23 -07:00
|
|
|
assert.NilError(t, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// case 2
|
|
|
|
|
validate = kyverno.Validation{}
|
|
|
|
|
rawValidate = []byte(`
|
|
|
|
|
{
|
|
|
|
|
"message": "Root user is not allowed. Set runAsNonRoot to true.",
|
|
|
|
|
"pattern": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"=(securityContext)": {
|
|
|
|
|
"runAsNonRoot": "true"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}`)
|
|
|
|
|
|
|
|
|
|
err = json.Unmarshal(rawValidate, &validate)
|
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
2024-09-11 11:12:53 +02:00
|
|
|
checker = NewMockValidateFactory(&kyverno.Rule{Validation: &validate})
|
2024-09-04 19:26:24 +08:00
|
|
|
if _, _, err := checker.Validate(context.TODO(), nil); err != nil {
|
2020-03-11 18:14:23 -07:00
|
|
|
assert.NilError(t, err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_Validate_Validate_Mismatched(t *testing.T) {
|
|
|
|
|
rawValidate := []byte(`
|
|
|
|
|
{
|
|
|
|
|
"message": "Root user is not allowed. Set runAsNonRoot to true.",
|
|
|
|
|
"pattern": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"containers": [
|
|
|
|
|
{
|
|
|
|
|
"name": "*",
|
|
|
|
|
"securityContext": {
|
|
|
|
|
"+(runAsNonRoot)": true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}`)
|
|
|
|
|
|
|
|
|
|
var validate kyverno.Validation
|
|
|
|
|
err := json.Unmarshal(rawValidate, &validate)
|
|
|
|
|
assert.NilError(t, err)
|
2024-09-11 11:12:53 +02:00
|
|
|
checker := NewMockValidateFactory(&kyverno.Rule{Validation: &validate})
|
2024-09-04 19:26:24 +08:00
|
|
|
if _, _, err := checker.Validate(context.TODO(), nil); err != nil {
|
2020-03-11 18:14:23 -07:00
|
|
|
assert.Assert(t, err != nil)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_Validate_Validate_Unsupported(t *testing.T) {
|
|
|
|
|
var err error
|
|
|
|
|
var validate kyverno.Validation
|
|
|
|
|
|
|
|
|
|
// case 1
|
|
|
|
|
rawValidate := []byte(`
|
|
|
|
|
{
|
|
|
|
|
"message": "Root user is not allowed. Set runAsNonRoot to true.",
|
|
|
|
|
"pattern": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"containers": [
|
|
|
|
|
{
|
|
|
|
|
"name": "*",
|
|
|
|
|
"securityContext": {
|
|
|
|
|
"!(runAsNonRoot)": true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}`)
|
|
|
|
|
|
|
|
|
|
err = json.Unmarshal(rawValidate, &validate)
|
|
|
|
|
assert.NilError(t, err)
|
2024-09-11 11:12:53 +02:00
|
|
|
checker := NewMockValidateFactory(&kyverno.Rule{Validation: &validate})
|
2024-09-04 19:26:24 +08:00
|
|
|
if _, _, err := checker.Validate(context.TODO(), nil); err != nil {
|
2020-03-11 18:14:23 -07:00
|
|
|
assert.Assert(t, err != nil)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// case 2
|
|
|
|
|
rawValidate = []byte(`
|
|
|
|
|
{
|
|
|
|
|
"message": "Root user is not allowed. Set runAsNonRoot to true.",
|
|
|
|
|
"pattern": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"containers": [
|
|
|
|
|
{
|
|
|
|
|
"name": "*",
|
|
|
|
|
"securityContext": {
|
|
|
|
|
"~(runAsNonRoot)": true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}`)
|
|
|
|
|
|
|
|
|
|
err = json.Unmarshal(rawValidate, &validate)
|
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
2024-09-11 11:12:53 +02:00
|
|
|
checker = NewMockValidateFactory(&kyverno.Rule{Validation: &validate})
|
2024-09-04 19:26:24 +08:00
|
|
|
if _, _, err := checker.Validate(context.TODO(), nil); err != nil {
|
2020-03-11 18:14:23 -07:00
|
|
|
assert.Assert(t, err != nil)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
