2019-12-20 18:53:44 -08:00
|
|
|
package webhooks
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"encoding/json"
|
|
|
|
|
"testing"
|
|
|
|
|
|
2020-10-07 11:12:31 -07:00
|
|
|
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/engine/utils"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/policymutation"
|
2020-09-01 09:11:20 -07:00
|
|
|
|
|
|
|
|
assertnew "github.com/stretchr/testify/assert"
|
2019-12-20 18:53:44 -08:00
|
|
|
"gotest.tools/assert"
|
2020-03-17 16:25:34 -07:00
|
|
|
"sigs.k8s.io/controller-runtime/pkg/log"
|
2019-12-20 18:53:44 -08:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func compareJSONAsMap(t *testing.T, expected, actual []byte) {
|
|
|
|
|
var expectedMap, actualMap map[string]interface{}
|
|
|
|
|
assert.NilError(t, json.Unmarshal(expected, &expectedMap))
|
|
|
|
|
assert.NilError(t, json.Unmarshal(actual, &actualMap))
|
2020-09-01 09:11:20 -07:00
|
|
|
|
|
|
|
|
if !assertnew.Equal(t, expectedMap, actualMap) {
|
|
|
|
|
t.FailNow()
|
|
|
|
|
}
|
2019-12-20 18:53:44 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestGeneratePodControllerRule_NilAnnotation(t *testing.T) {
|
|
|
|
|
policyRaw := []byte(`{
|
|
|
|
|
"apiVersion": "kyverno.io/v1",
|
|
|
|
|
"kind": "ClusterPolicy",
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "add-safe-to-evict"
|
|
|
|
|
}
|
|
|
|
|
}`)
|
|
|
|
|
|
|
|
|
|
var policy kyverno.ClusterPolicy
|
|
|
|
|
assert.Assert(t, json.Unmarshal(policyRaw, &policy))
|
2020-07-10 18:12:19 +05:30
|
|
|
patches, errs := policymutation.GeneratePodControllerRule(policy, log.Log)
|
2019-12-20 18:53:44 -08:00
|
|
|
assert.Assert(t, len(errs) == 0)
|
|
|
|
|
|
2020-01-07 17:06:17 -08:00
|
|
|
p, err := utils.ApplyPatches(policyRaw, patches)
|
2019-12-20 18:53:44 -08:00
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
|
|
|
|
expectedPolicy := []byte(`{
|
|
|
|
|
"apiVersion": "kyverno.io/v1",
|
|
|
|
|
"kind": "ClusterPolicy",
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "add-safe-to-evict",
|
|
|
|
|
"annotations": {
|
2020-09-01 09:11:20 -07:00
|
|
|
"pod-policies.kyverno.io/autogen-controllers": "DaemonSet,Deployment,Job,StatefulSet,CronJob"
|
2019-12-20 18:53:44 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}`)
|
|
|
|
|
compareJSONAsMap(t, p, expectedPolicy)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestGeneratePodControllerRule_PredefinedAnnotation(t *testing.T) {
|
|
|
|
|
policyRaw := []byte(`{
|
|
|
|
|
"apiVersion": "kyverno.io/v1",
|
|
|
|
|
"kind": "ClusterPolicy",
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "add-safe-to-evict",
|
|
|
|
|
"annotations": {
|
2019-12-26 15:34:19 -08:00
|
|
|
"pod-policies.kyverno.io/autogen-controllers": "StatefulSet,Pod"
|
2019-12-20 18:53:44 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}`)
|
|
|
|
|
|
|
|
|
|
var policy kyverno.ClusterPolicy
|
|
|
|
|
assert.Assert(t, json.Unmarshal(policyRaw, &policy))
|
2020-07-10 18:12:19 +05:30
|
|
|
patches, errs := policymutation.GeneratePodControllerRule(policy, log.Log)
|
2019-12-20 18:53:44 -08:00
|
|
|
assert.Assert(t, len(errs) == 0)
|
|
|
|
|
assert.Assert(t, len(patches) == 0)
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-03 15:19:33 -08:00
|
|
|
func TestGeneratePodControllerRule_DisableFeature(t *testing.T) {
|
|
|
|
|
policyRaw := []byte(`{
|
|
|
|
|
"apiVersion": "kyverno.io/v1",
|
|
|
|
|
"kind": "ClusterPolicy",
|
|
|
|
|
"metadata": {
|
|
|
|
|
"annotations": {
|
|
|
|
|
"a": "b",
|
2020-01-06 14:41:25 -08:00
|
|
|
"pod-policies.kyverno.io/autogen-controllers": "none"
|
2020-01-03 15:19:33 -08:00
|
|
|
},
|
|
|
|
|
"name": "add-safe-to-evict"
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"rules": [
|
|
|
|
|
{
|
|
|
|
|
"name": "annotate-empty-dir",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"mutate": {
|
2020-09-23 04:49:09 +05:30
|
|
|
"patchStrategicMerge": {
|
2020-01-03 15:19:33 -08:00
|
|
|
"metadata": {
|
|
|
|
|
"annotations": {
|
|
|
|
|
"+(cluster-autoscaler.kubernetes.io/safe-to-evict)": "true"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"volumes": [
|
|
|
|
|
{
|
|
|
|
|
"(emptyDir)": {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}`)
|
|
|
|
|
|
|
|
|
|
var policy kyverno.ClusterPolicy
|
|
|
|
|
assert.Assert(t, json.Unmarshal(policyRaw, &policy))
|
2020-07-10 18:12:19 +05:30
|
|
|
patches, errs := policymutation.GeneratePodControllerRule(policy, log.Log)
|
2020-01-03 15:19:33 -08:00
|
|
|
assert.Assert(t, len(errs) == 0)
|
|
|
|
|
assert.Assert(t, len(patches) == 0)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestGeneratePodControllerRule_Mutate(t *testing.T) {
|
|
|
|
|
policyRaw := []byte(`{
|
|
|
|
|
"apiVersion": "kyverno.io/v1",
|
|
|
|
|
"kind": "ClusterPolicy",
|
|
|
|
|
"metadata": {
|
|
|
|
|
"annotations": {
|
|
|
|
|
"a": "b",
|
|
|
|
|
"pod-policies.kyverno.io/autogen-controllers": "all"
|
|
|
|
|
},
|
|
|
|
|
"name": "add-safe-to-evict"
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"rules": [
|
|
|
|
|
{
|
|
|
|
|
"name": "annotate-empty-dir",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"mutate": {
|
2020-09-23 04:49:09 +05:30
|
|
|
"patchStrategicMerge": {
|
2020-01-03 15:19:33 -08:00
|
|
|
"metadata": {
|
|
|
|
|
"annotations": {
|
|
|
|
|
"+(cluster-autoscaler.kubernetes.io/safe-to-evict)": "true"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"volumes": [
|
|
|
|
|
{
|
|
|
|
|
"(emptyDir)": {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}`)
|
|
|
|
|
|
|
|
|
|
var policy kyverno.ClusterPolicy
|
|
|
|
|
assert.Assert(t, json.Unmarshal(policyRaw, &policy))
|
2020-07-10 18:12:19 +05:30
|
|
|
patches, errs := policymutation.GeneratePodControllerRule(policy, log.Log)
|
2020-01-03 15:19:33 -08:00
|
|
|
assert.Assert(t, len(errs) == 0)
|
|
|
|
|
|
2020-01-08 16:56:41 -08:00
|
|
|
p, err := utils.ApplyPatches(policyRaw, patches)
|
2020-01-03 15:19:33 -08:00
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
|
|
|
|
expectedPolicy := []byte(`{
|
|
|
|
|
"apiVersion": "kyverno.io/v1",
|
|
|
|
|
"kind": "ClusterPolicy",
|
|
|
|
|
"metadata": {
|
|
|
|
|
"annotations": {
|
|
|
|
|
"a": "b",
|
|
|
|
|
"pod-policies.kyverno.io/autogen-controllers": "all"
|
|
|
|
|
},
|
|
|
|
|
"name": "add-safe-to-evict"
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"rules": [
|
|
|
|
|
{
|
|
|
|
|
"name": "annotate-empty-dir",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"mutate": {
|
2020-09-23 04:49:09 +05:30
|
|
|
"patchStrategicMerge": {
|
2020-01-03 15:19:33 -08:00
|
|
|
"metadata": {
|
|
|
|
|
"annotations": {
|
|
|
|
|
"+(cluster-autoscaler.kubernetes.io/safe-to-evict)": "true"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"volumes": [
|
|
|
|
|
{
|
|
|
|
|
"(emptyDir)": {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"name": "autogen-annotate-empty-dir",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"DaemonSet",
|
|
|
|
|
"Deployment",
|
|
|
|
|
"Job",
|
|
|
|
|
"StatefulSet"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"mutate": {
|
2020-09-23 04:49:09 +05:30
|
|
|
"patchStrategicMerge": {
|
2020-01-03 15:19:33 -08:00
|
|
|
"spec": {
|
|
|
|
|
"template": {
|
|
|
|
|
"metadata": {
|
|
|
|
|
"annotations": {
|
|
|
|
|
"+(cluster-autoscaler.kubernetes.io/safe-to-evict)": "true"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"volumes": [
|
|
|
|
|
{
|
|
|
|
|
"(emptyDir)": {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-09-01 09:11:20 -07:00
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"name": "autogen-cronjob-annotate-empty-dir",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"CronJob"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"mutate": {
|
2020-09-23 04:49:09 +05:30
|
|
|
"patchStrategicMerge": {
|
2020-09-01 09:11:20 -07:00
|
|
|
"spec": {
|
|
|
|
|
"jobTemplate": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"template": {
|
|
|
|
|
"metadata": {
|
|
|
|
|
"annotations": {
|
|
|
|
|
"+(cluster-autoscaler.kubernetes.io/safe-to-evict)": "true"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"volumes": [
|
|
|
|
|
{
|
|
|
|
|
"(emptyDir)": {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-01-03 15:19:33 -08:00
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}`)
|
2020-09-01 09:11:20 -07:00
|
|
|
|
|
|
|
|
compareJSONAsMap(t, expectedPolicy, p)
|
2020-01-03 15:19:33 -08:00
|
|
|
}
|
2019-12-20 18:53:44 -08:00
|
|
|
func TestGeneratePodControllerRule_ExistOtherAnnotation(t *testing.T) {
|
|
|
|
|
policyRaw := []byte(`{
|
|
|
|
|
"apiVersion": "kyverno.io/v1",
|
|
|
|
|
"kind": "ClusterPolicy",
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "add-safe-to-evict",
|
|
|
|
|
"annotations": {
|
|
|
|
|
"test": "annotation"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}`)
|
|
|
|
|
|
|
|
|
|
var policy kyverno.ClusterPolicy
|
|
|
|
|
assert.Assert(t, json.Unmarshal(policyRaw, &policy))
|
2020-07-10 18:12:19 +05:30
|
|
|
patches, errs := policymutation.GeneratePodControllerRule(policy, log.Log)
|
2019-12-20 18:53:44 -08:00
|
|
|
assert.Assert(t, len(errs) == 0)
|
|
|
|
|
|
2020-01-07 17:06:17 -08:00
|
|
|
p, err := utils.ApplyPatches(policyRaw, patches)
|
2019-12-20 18:53:44 -08:00
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
|
|
|
|
expectedPolicy := []byte(`{
|
|
|
|
|
"apiVersion": "kyverno.io/v1",
|
|
|
|
|
"kind": "ClusterPolicy",
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "add-safe-to-evict",
|
|
|
|
|
"annotations": {
|
2020-09-01 09:11:20 -07:00
|
|
|
"pod-policies.kyverno.io/autogen-controllers": "DaemonSet,Deployment,Job,StatefulSet,CronJob",
|
2019-12-20 18:53:44 -08:00
|
|
|
"test": "annotation"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}`)
|
|
|
|
|
compareJSONAsMap(t, p, expectedPolicy)
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-03 15:19:33 -08:00
|
|
|
func TestGeneratePodControllerRule_ValidateAnyPattern(t *testing.T) {
|
2019-12-20 18:53:44 -08:00
|
|
|
policyRaw := []byte(`{
|
|
|
|
|
"apiVersion": "kyverno.io/v1",
|
|
|
|
|
"kind": "ClusterPolicy",
|
|
|
|
|
"metadata": {
|
2020-01-03 15:19:33 -08:00
|
|
|
"annotations": {
|
|
|
|
|
"pod-policies.kyverno.io/autogen-controllers": "Deployment"
|
|
|
|
|
},
|
|
|
|
|
"name": "add-safe-to-evict"
|
2019-12-20 18:53:44 -08:00
|
|
|
},
|
|
|
|
|
"spec": {
|
2020-01-03 15:19:33 -08:00
|
|
|
"rules": [
|
|
|
|
|
{
|
|
|
|
|
"name": "validate-runAsNonRoot",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
]
|
|
|
|
|
}
|
2019-12-20 18:53:44 -08:00
|
|
|
},
|
2020-01-03 15:19:33 -08:00
|
|
|
"validate": {
|
|
|
|
|
"message": "Running as root user is not allowed. Set runAsNonRoot to true",
|
|
|
|
|
"anyPattern": [
|
|
|
|
|
{
|
|
|
|
|
"spec": {
|
|
|
|
|
"securityContext": {
|
|
|
|
|
"runAsNonRoot": true
|
|
|
|
|
}
|
2019-12-20 18:53:44 -08:00
|
|
|
}
|
2020-01-03 15:19:33 -08:00
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"spec": {
|
|
|
|
|
"containers": [
|
|
|
|
|
{
|
|
|
|
|
"name": "*",
|
|
|
|
|
"securityContext": {
|
|
|
|
|
"runAsNonRoot": true
|
2019-12-20 18:53:44 -08:00
|
|
|
}
|
2020-01-03 15:19:33 -08:00
|
|
|
}
|
|
|
|
|
]
|
2019-12-20 18:53:44 -08:00
|
|
|
}
|
2020-01-03 15:19:33 -08:00
|
|
|
}
|
|
|
|
|
]
|
2019-12-20 18:53:44 -08:00
|
|
|
}
|
2020-01-03 15:19:33 -08:00
|
|
|
}
|
|
|
|
|
]
|
2019-12-20 18:53:44 -08:00
|
|
|
}
|
2020-01-03 15:19:33 -08:00
|
|
|
}`)
|
2019-12-20 18:53:44 -08:00
|
|
|
|
|
|
|
|
var policy kyverno.ClusterPolicy
|
|
|
|
|
assert.Assert(t, json.Unmarshal(policyRaw, &policy))
|
2020-07-10 18:12:19 +05:30
|
|
|
patches, errs := policymutation.GeneratePodControllerRule(policy, log.Log)
|
2019-12-20 18:53:44 -08:00
|
|
|
assert.Assert(t, len(errs) == 0)
|
|
|
|
|
|
2020-01-07 17:06:17 -08:00
|
|
|
p, err := utils.ApplyPatches(policyRaw, patches)
|
2019-12-20 18:53:44 -08:00
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
2020-01-03 15:19:33 -08:00
|
|
|
expectedPolicy := []byte(`{
|
2019-12-20 18:53:44 -08:00
|
|
|
"apiVersion": "kyverno.io/v1",
|
|
|
|
|
"kind": "ClusterPolicy",
|
|
|
|
|
"metadata": {
|
2020-01-03 15:19:33 -08:00
|
|
|
"annotations": {
|
|
|
|
|
"pod-policies.kyverno.io/autogen-controllers": "Deployment"
|
|
|
|
|
},
|
|
|
|
|
"name": "add-safe-to-evict"
|
2019-12-20 18:53:44 -08:00
|
|
|
},
|
|
|
|
|
"spec": {
|
2020-01-03 15:19:33 -08:00
|
|
|
"rules": [
|
|
|
|
|
{
|
|
|
|
|
"name": "validate-runAsNonRoot",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
]
|
|
|
|
|
}
|
2019-12-20 18:53:44 -08:00
|
|
|
},
|
2020-01-03 15:19:33 -08:00
|
|
|
"validate": {
|
|
|
|
|
"message": "Running as root user is not allowed. Set runAsNonRoot to true",
|
|
|
|
|
"anyPattern": [
|
|
|
|
|
{
|
|
|
|
|
"spec": {
|
|
|
|
|
"securityContext": {
|
|
|
|
|
"runAsNonRoot": true
|
|
|
|
|
}
|
2019-12-20 18:53:44 -08:00
|
|
|
}
|
2020-01-03 15:19:33 -08:00
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"spec": {
|
|
|
|
|
"containers": [
|
|
|
|
|
{
|
|
|
|
|
"name": "*",
|
|
|
|
|
"securityContext": {
|
|
|
|
|
"runAsNonRoot": true
|
2019-12-20 18:53:44 -08:00
|
|
|
}
|
2020-01-03 15:19:33 -08:00
|
|
|
}
|
|
|
|
|
]
|
2019-12-20 18:53:44 -08:00
|
|
|
}
|
2020-01-03 15:19:33 -08:00
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"name": "autogen-validate-runAsNonRoot",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Deployment"
|
|
|
|
|
]
|
|
|
|
|
}
|
2019-12-20 18:53:44 -08:00
|
|
|
},
|
2020-01-03 15:19:33 -08:00
|
|
|
"validate": {
|
|
|
|
|
"message": "Running as root user is not allowed. Set runAsNonRoot to true",
|
|
|
|
|
"anyPattern": [
|
|
|
|
|
{
|
|
|
|
|
"spec": {
|
|
|
|
|
"template": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"securityContext": {
|
|
|
|
|
"runAsNonRoot": true
|
2019-12-20 18:53:44 -08:00
|
|
|
}
|
2020-01-03 15:19:33 -08:00
|
|
|
}
|
|
|
|
|
}
|
2019-12-20 18:53:44 -08:00
|
|
|
}
|
2020-01-03 15:19:33 -08:00
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"spec": {
|
|
|
|
|
"template": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"containers": [
|
|
|
|
|
{
|
|
|
|
|
"name": "*",
|
|
|
|
|
"securityContext": {
|
|
|
|
|
"runAsNonRoot": true
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-12-20 18:53:44 -08:00
|
|
|
]
|
2020-01-03 15:19:33 -08:00
|
|
|
}
|
|
|
|
|
}
|
2019-12-20 18:53:44 -08:00
|
|
|
}
|
2020-01-03 15:19:33 -08:00
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}`)
|
|
|
|
|
compareJSONAsMap(t, p, expectedPolicy)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestGeneratePodControllerRule_ValidatePattern(t *testing.T) {
|
|
|
|
|
policyRaw := []byte(`{
|
|
|
|
|
"apiVersion": "kyverno.io/v1",
|
|
|
|
|
"kind": "ClusterPolicy",
|
|
|
|
|
"metadata": {
|
|
|
|
|
"name": "add-safe-to-evict"
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"rules": [
|
|
|
|
|
{
|
|
|
|
|
"name": "validate-docker-sock-mount",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
]
|
|
|
|
|
}
|
2019-12-20 18:53:44 -08:00
|
|
|
},
|
2020-01-03 15:19:33 -08:00
|
|
|
"validate": {
|
|
|
|
|
"message": "Use of the Docker Unix socket is not allowed",
|
|
|
|
|
"pattern": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"=(volumes)": [
|
|
|
|
|
{
|
|
|
|
|
"=(hostPath)": {
|
|
|
|
|
"path": "!/var/run/docker.sock"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}`)
|
|
|
|
|
|
|
|
|
|
var policy kyverno.ClusterPolicy
|
2020-09-01 09:11:20 -07:00
|
|
|
// var policy, generatePolicy unstructured.Unstructured
|
2020-01-03 15:19:33 -08:00
|
|
|
assert.Assert(t, json.Unmarshal(policyRaw, &policy))
|
2020-07-10 18:12:19 +05:30
|
|
|
patches, errs := policymutation.GeneratePodControllerRule(policy, log.Log)
|
2020-01-03 15:19:33 -08:00
|
|
|
assert.Assert(t, len(errs) == 0)
|
|
|
|
|
|
2020-01-08 16:56:41 -08:00
|
|
|
p, err := utils.ApplyPatches(policyRaw, patches)
|
2020-01-03 15:19:33 -08:00
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
|
|
|
|
expectedPolicy := []byte(`{
|
|
|
|
|
"apiVersion": "kyverno.io/v1",
|
|
|
|
|
"kind": "ClusterPolicy",
|
|
|
|
|
"metadata": {
|
|
|
|
|
"annotations": {
|
2020-09-01 09:11:20 -07:00
|
|
|
"pod-policies.kyverno.io/autogen-controllers": "DaemonSet,Deployment,Job,StatefulSet,CronJob"
|
2020-01-03 15:19:33 -08:00
|
|
|
},
|
|
|
|
|
"name": "add-safe-to-evict"
|
|
|
|
|
},
|
|
|
|
|
"spec": {
|
|
|
|
|
"rules": [
|
|
|
|
|
{
|
|
|
|
|
"name": "validate-docker-sock-mount",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"Pod"
|
|
|
|
|
]
|
|
|
|
|
}
|
2019-12-20 18:53:44 -08:00
|
|
|
},
|
2020-01-03 15:19:33 -08:00
|
|
|
"validate": {
|
|
|
|
|
"message": "Use of the Docker Unix socket is not allowed",
|
|
|
|
|
"pattern": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"=(volumes)": [
|
|
|
|
|
{
|
|
|
|
|
"=(hostPath)": {
|
|
|
|
|
"path": "!/var/run/docker.sock"
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-12-20 18:53:44 -08:00
|
|
|
]
|
2020-01-03 15:19:33 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"name": "autogen-validate-docker-sock-mount",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"DaemonSet",
|
|
|
|
|
"Deployment",
|
|
|
|
|
"Job",
|
|
|
|
|
"StatefulSet"
|
|
|
|
|
]
|
|
|
|
|
}
|
2019-12-20 18:53:44 -08:00
|
|
|
},
|
2020-01-03 15:19:33 -08:00
|
|
|
"validate": {
|
|
|
|
|
"message": "Use of the Docker Unix socket is not allowed",
|
|
|
|
|
"pattern": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"template": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"=(volumes)": [
|
|
|
|
|
{
|
|
|
|
|
"=(hostPath)": {
|
|
|
|
|
"path": "!/var/run/docker.sock"
|
|
|
|
|
}
|
2019-12-20 18:53:44 -08:00
|
|
|
}
|
2020-01-03 15:19:33 -08:00
|
|
|
]
|
|
|
|
|
}
|
2019-12-20 18:53:44 -08:00
|
|
|
}
|
2020-01-03 15:19:33 -08:00
|
|
|
}
|
|
|
|
|
}
|
2019-12-20 18:53:44 -08:00
|
|
|
}
|
2020-09-01 09:11:20 -07:00
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"name": "autogen-cronjob-validate-docker-sock-mount",
|
|
|
|
|
"match": {
|
|
|
|
|
"resources": {
|
|
|
|
|
"kinds": [
|
|
|
|
|
"CronJob"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"validate": {
|
|
|
|
|
"message": "Use of the Docker Unix socket is not allowed",
|
|
|
|
|
"pattern": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"jobTemplate": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"template": {
|
|
|
|
|
"spec": {
|
|
|
|
|
"=(volumes)": [
|
|
|
|
|
{
|
|
|
|
|
"=(hostPath)": {
|
|
|
|
|
"path": "!/var/run/docker.sock"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-01-03 15:19:33 -08:00
|
|
|
}
|
|
|
|
|
]
|
2019-12-20 18:53:44 -08:00
|
|
|
}
|
2020-01-03 15:19:33 -08:00
|
|
|
}`)
|
2020-09-01 09:11:20 -07:00
|
|
|
|
|
|
|
|
compareJSONAsMap(t, expectedPolicy, p)
|
2019-12-20 18:53:44 -08:00
|
|
|
}
|
