kyverno/test/conformance/chainsaw/validating-policies/autogen/should-autogen/check-autogen.yaml

apiVersion: kyverno.io/v2alpha1
kind: ValidatingPolicy
metadata:
  name: disallow-privilege-escalation
status:
  autogen:
    rules:
    - matchConditions:
      - expression: has(object.spec.template.metadata.labels) && has(object.spec.template.metadata.labels.prod)
          && object.spec.template.metadata.labels.prod == 'true'
        name: check-prod-label
      matchConstraints:
        resourceRules:
        - apiGroups:
          - apps
          apiVersions:
          - v1
          operations:
          - CREATE
          - UPDATE
          resources:
          - replicasets
          - daemonsets
          - deployments
          - statefulsets
        - apiGroups:
          - batch
          apiVersions:
          - v1
          operations:
          - CREATE
          - UPDATE
          resources:
          - jobs
      validations:
      - expression: object.spec.template.spec.containers.all(container, has(container.securityContext)
          && has(container.securityContext.allowPrivilegeEscalation) && container.securityContext.allowPrivilegeEscalation
          == false)
        message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation
          must be set to `false`.
    - matchConditions:
      - expression: has(object.spec.jobTemplate.spec.template.spec.template.metadata.labels)
          && has(object.spec.jobTemplate.spec.template.spec.template.metadata.labels.prod)
          && object.spec.jobTemplate.spec.template.spec.template.metadata.labels.prod
          == 'true'
        name: check-prod-label
      matchConstraints:
        resourceRules:
        - apiGroups:
          - batch
          apiVersions:
          - v1
          operations:
          - CREATE
          - UPDATE
          resources:
          - cronjobs
      validations:
      - expression: object.spec.jobTemplate.spec.template.spec.template.spec.containers.all(container,
          has(container.securityContext) && has(container.securityContext.allowPrivilegeEscalation)
          && container.securityContext.allowPrivilegeEscalation == false)
        message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation
          must be set to `false`.
feat: add cel-autogen chainsaw tests (#12135) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> 2025-02-11 00:30:12 +02:00			`apiVersion: kyverno.io/v2alpha1`
			`kind: ValidatingPolicy`
			`metadata:`
			`name: disallow-privilege-escalation`
			`status:`
			`autogen:`
			`rules:`
			`- matchConditions:`
			`- expression: has(object.spec.template.metadata.labels) && has(object.spec.template.metadata.labels.prod)`
			`&& object.spec.template.metadata.labels.prod == 'true'`
			`name: check-prod-label`
			`matchConstraints:`
			`resourceRules:`
			`- apiGroups:`
			`- apps`
			`apiVersions:`
			`- v1`
			`operations:`
			`- CREATE`
			`- UPDATE`
			`resources:`
			`- replicasets`
			`- daemonsets`
			`- deployments`
			`- statefulsets`
			`- apiGroups:`
			`- batch`
			`apiVersions:`
			`- v1`
			`operations:`
			`- CREATE`
			`- UPDATE`
			`resources:`
			`- jobs`
			`validations:`
			`- expression: object.spec.template.spec.containers.all(container, has(container.securityContext)`
			`&& has(container.securityContext.allowPrivilegeEscalation) && container.securityContext.allowPrivilegeEscalation`
			`== false)`
			`message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation`
			must be set to `false`.
			`- matchConditions:`
			`- expression: has(object.spec.jobTemplate.spec.template.spec.template.metadata.labels)`
			`&& has(object.spec.jobTemplate.spec.template.spec.template.metadata.labels.prod)`
			`&& object.spec.jobTemplate.spec.template.spec.template.metadata.labels.prod`
			`== 'true'`
			`name: check-prod-label`
			`matchConstraints:`
			`resourceRules:`
			`- apiGroups:`
			`- batch`
			`apiVersions:`
			`- v1`
			`operations:`
			`- CREATE`
			`- UPDATE`
			`resources:`
			`- cronjobs`
			`validations:`
			`- expression: object.spec.jobTemplate.spec.template.spec.template.spec.containers.all(container,`
			`has(container.securityContext) && has(container.securityContext.allowPrivilegeEscalation)`
			`&& container.securityContext.allowPrivilegeEscalation == false)`
			`message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation`
			must be set to `false`.