Migrated scenario based tests to CLI (#8055)
* migrated scenarios to cli and resolved conflicts Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com> * Modified Makefile Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com> * Update Makefile Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com> * Create patchedresource.yaml Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com> * Update kyverno-test.yaml Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com> * Delete test/cli/scenarios_to_cli/other /scenario_mutate_validate_qos directory Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com> * Update kyverno-test.yaml Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com> * Create patchedresource.yaml Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com> * Update policy.yaml Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com> * Update policy.yaml Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
parent
333845677a
commit
04bc4ed7c6
62 changed files with 205 additions and 754 deletions
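--- a/Makefile
+++ b/Makefile
@@ -688,7 +688,7 @@ test-kuttl: $(KUTTL) ## Run kuttl tests
 TEST_GIT_BRANCH ?= main
 
 .PHONY: test-cli
-test-cli: test-cli-policies test-cli-local test-cli-local-mutate test-cli-local-generate test-cli-test-case-selector-flag test-cli-registry ## Run all CLI tests
+test-cli: test-cli-policies test-cli-local test-cli-local-mutate test-cli-local-generate test-cli-test-case-selector-flag test-cli-registry test-cli-scenarios-to-cli ## Run all CLI tests
 
 .PHONY: test-cli-policies
 test-cli-policies: $(CLI_BIN)
@@ -715,6 +715,11 @@ test-cli-test-case-selector-flag: $(CLI_BIN)
 test-cli-registry: $(CLI_BIN)
 	@$(CLI_BIN) test ./test/cli/registry --registry
 
+.PHONY: test-cli-scenarios-to-cli
+test-cli-scenarios-to-cli: $(CLI_BIN)
+	@$(CLI_BIN) test ./test/cli/scenarios_to_cli --registry
+
+
 #############
 # HELM TEST #
 #############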
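Review bot: The new `test-cli-scenarios-to-cli` recipe copies the `--registry` flag from `test-cli-registry`, but none of the scenarios migrated in this commit (mutate/validate rules on Pods, Deployments, Endpoints and Ingress) appear to need image-registry lookups, so the flag turns an otherwise offline test suite into one that may reach out to container registries and can fail or stall in a sandboxed CI runner. Even if no scenario triggers a lookup today, it is a latent network dependency and silently grants every future scenario in that directory registry access. Unless one of the migrated tests really reads image metadata, the recipe should be `	@$(CLI_BIN) test ./test/cli/scenarios_to_cli`. The hunk also leaves two blank lines before the `HELM TEST` banner where the rest of the file separates rules with one.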
@ -0,0 +1,12 @@
|
||||||
|
name: policy-endpoints
|
||||||
|
policies:
|
||||||
|
- policy.yaml
|
||||||
|
resources:
|
||||||
|
- resource.yaml
|
||||||
|
results:
|
||||||
|
- policy: policy-endpoints
|
||||||
|
rule: pEP
|
||||||
|
resource: test-endpoint
|
||||||
|
patchedresource: patchedresource.yaml
|
||||||
|
kind: Endpoints
|
||||||
|
result: pass
|
|
@ -0,0 +1,15 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Endpoints
|
||||||
|
metadata:
|
||||||
|
creationTimestamp:
|
||||||
|
labels:
|
||||||
|
isMutated: 'true'
|
||||||
|
label: test
|
||||||
|
name: test-endpoint
|
||||||
|
subsets:
|
||||||
|
- addresses:
|
||||||
|
- ip: 192.168.10.171
|
||||||
|
ports:
|
||||||
|
- name: secure-connection
|
||||||
|
port: 9663
|
||||||
|
protocol: TCP
|
|
@ -1,17 +1,18 @@
|
||||||
apiVersion : kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind : ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata :
|
metadata:
|
||||||
name : policy-endpoints
|
name: policy-endpoints
|
||||||
spec :
|
spec:
|
||||||
rules:
|
rules:
|
||||||
- name: pEP
|
- name: pEP
|
||||||
match:
|
match:
|
||||||
resources:
|
all:
|
||||||
kinds :
|
- resources:
|
||||||
- Endpoints
|
kinds:
|
||||||
|
- Endpoints
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
label : test
|
label: test
|
||||||
mutate:
|
mutate:
|
||||||
patchesJson6902: |-
|
patchesJson6902: |-
|
||||||
[
|
[
|
|
@ -0,0 +1,12 @@
|
||||||
|
name: mutate-pods-spec
|
||||||
|
policies:
|
||||||
|
- policy.yaml
|
||||||
|
resources:
|
||||||
|
- resource.yaml
|
||||||
|
results:
|
||||||
|
- policy: mutate-pods-spec
|
||||||
|
rule: disable-servicelink-and-token
|
||||||
|
resource: nginx-deployment
|
||||||
|
patchedresource: patchedresource.yaml
|
||||||
|
kind: Deployment
|
||||||
|
result: pass
|
|
@ -2,9 +2,10 @@ apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
creationTimestamp: "2020-09-21T12:56:35Z"
|
creationTimestamp: "2020-09-21T12:56:35Z"
|
||||||
name: qos-demo
|
name: nginx-deployment
|
||||||
labels:
|
labels:
|
||||||
test: qos
|
app: nginx
|
||||||
|
namespace: test-foo-aaaaaaaaa-bbbbbbbb
|
||||||
spec:
|
spec:
|
||||||
replicas: 1
|
replicas: 1
|
||||||
selector:
|
selector:
|
||||||
|
@ -16,9 +17,10 @@ spec:
|
||||||
labels:
|
labels:
|
||||||
app: nginx
|
app: nginx
|
||||||
spec:
|
spec:
|
||||||
|
enableServiceLinks: false
|
||||||
|
automountServiceAccountToken: false
|
||||||
containers:
|
containers:
|
||||||
- name: nginx
|
- name: nginx
|
||||||
image: nginx:latest
|
image: nginx:1.14.2
|
||||||
resources:
|
ports:
|
||||||
limits:
|
- containerPort: 80
|
||||||
cpu: "50m"
|
|
|
@ -6,14 +6,15 @@ spec:
|
||||||
rules:
|
rules:
|
||||||
- name: "disable-servicelink-and-token"
|
- name: "disable-servicelink-and-token"
|
||||||
match:
|
match:
|
||||||
resources:
|
all:
|
||||||
kinds:
|
- resources:
|
||||||
- DaemonSet
|
kinds:
|
||||||
- Deployment
|
- DaemonSet
|
||||||
- Job
|
- Deployment
|
||||||
- StatefulSet
|
- Job
|
||||||
namespaces:
|
- StatefulSet
|
||||||
- test-foo-*
|
namespaces:
|
||||||
|
- test-foo-*
|
||||||
mutate:
|
mutate:
|
||||||
patchStrategicMerge:
|
patchStrategicMerge:
|
||||||
spec:
|
spec:
|
|
@ -0,0 +1,11 @@
|
||||||
|
name: validate-default-proc-mount
|
||||||
|
policies:
|
||||||
|
- policy.yaml
|
||||||
|
resources:
|
||||||
|
- resource.yaml
|
||||||
|
results:
|
||||||
|
- policy: validate-default-proc-mount
|
||||||
|
rule: validate-default-proc-mount
|
||||||
|
resource: nginx-proc-mount
|
||||||
|
kind: Pod
|
||||||
|
result: pass
|
|
@ -7,9 +7,10 @@ spec:
|
||||||
rules:
|
rules:
|
||||||
- name: validate-default-proc-mount
|
- name: validate-default-proc-mount
|
||||||
match:
|
match:
|
||||||
resources:
|
all:
|
||||||
kinds:
|
- resources:
|
||||||
- Pod
|
kinds:
|
||||||
|
- Pod
|
||||||
validate:
|
validate:
|
||||||
message: "Default proc mount should set to Unmasked"
|
message: "Default proc mount should set to Unmasked"
|
||||||
pattern:
|
pattern:
|
|
@ -0,0 +1,11 @@
|
||||||
|
name: validate-disallow-default-serviceaccount
|
||||||
|
policies:
|
||||||
|
- policy.yaml
|
||||||
|
resources:
|
||||||
|
- resource.yaml
|
||||||
|
results:
|
||||||
|
- policy: validate-disallow-default-serviceaccount
|
||||||
|
rule: prevent-mounting-default-serviceaccount
|
||||||
|
resource: pod-with-default-sa
|
||||||
|
kind: Pod
|
||||||
|
result: fail
|
|
@ -6,13 +6,15 @@ spec:
|
||||||
rules:
|
rules:
|
||||||
- name: prevent-mounting-default-serviceaccount
|
- name: prevent-mounting-default-serviceaccount
|
||||||
exclude:
|
exclude:
|
||||||
resources:
|
all:
|
||||||
namespaces:
|
- resources:
|
||||||
- kube-system
|
namespaces:
|
||||||
|
- kube-system
|
||||||
match:
|
match:
|
||||||
resources:
|
all:
|
||||||
kinds:
|
- resources:
|
||||||
- Pod
|
kinds:
|
||||||
|
- Pod
|
||||||
validate:
|
validate:
|
||||||
message: "Prevent mounting of default service account"
|
message: "Prevent mounting of default service account"
|
||||||
pattern:
|
pattern:
|
|
@ -1,12 +1,11 @@
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Pod
|
kind: Pod
|
||||||
metadata:
|
metadata:
|
||||||
name: myapp-pod
|
name: pod-with-default-sa
|
||||||
labels:
|
labels:
|
||||||
app: myapp
|
app: pod-with-default-sa
|
||||||
spec:
|
spec:
|
||||||
serviceAccountName: default
|
serviceAccountName: default
|
||||||
automountServiceAccountToken: false
|
|
||||||
containers:
|
containers:
|
||||||
- name: nginx
|
- name: nginx
|
||||||
image: nginx
|
image: nginx
|
|
@ -0,0 +1,16 @@
|
||||||
|
name: check-probe-exists
|
||||||
|
policies:
|
||||||
|
- policy.yaml
|
||||||
|
resources:
|
||||||
|
- resource.yaml
|
||||||
|
results:
|
||||||
|
- policy: check-probe-exists
|
||||||
|
rule: check-readinessProbe-exists
|
||||||
|
resource: probe
|
||||||
|
kind: Pod
|
||||||
|
result: pass
|
||||||
|
- policy: check-probe-exists
|
||||||
|
rule: check-livenessProbe-exists
|
||||||
|
resource: probe
|
||||||
|
kind: Pod
|
||||||
|
result: pass
|
|
@ -1,14 +1,15 @@
|
||||||
apiVersion : kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind : ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata :
|
metadata:
|
||||||
name: check-probe-exists
|
name: check-probe-exists
|
||||||
spec:
|
spec:
|
||||||
rules:
|
rules:
|
||||||
- name: check-readinessProbe-exists
|
- name: check-readinessProbe-exists
|
||||||
match:
|
match:
|
||||||
resources:
|
all:
|
||||||
kinds :
|
- resources:
|
||||||
- Pod
|
kinds:
|
||||||
|
- Pod
|
||||||
validate:
|
validate:
|
||||||
message: "readinessProbe is required"
|
message: "readinessProbe is required"
|
||||||
pattern:
|
pattern:
|
||||||
|
@ -18,10 +19,11 @@ spec:
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
successThreshold: ">1"
|
successThreshold: ">1"
|
||||||
- name: check-livenessProbe-exists
|
- name: check-livenessProbe-exists
|
||||||
match:
|
match:
|
||||||
resources:
|
all:
|
||||||
kinds :
|
- resources:
|
||||||
- Pod
|
kinds:
|
||||||
|
- Pod
|
||||||
validate:
|
validate:
|
||||||
message: "livenessProbe is required"
|
message: "livenessProbe is required"
|
||||||
pattern:
|
pattern:
|
||||||
|
@ -32,4 +34,4 @@ spec:
|
||||||
httpGet:
|
httpGet:
|
||||||
path: "?*"
|
path: "?*"
|
||||||
port: "*"
|
port: "*"
|
||||||
scheme: "?*"
|
scheme: "?*"
|
|
@ -0,0 +1,11 @@
|
||||||
|
name: validate-selinux-options
|
||||||
|
policies:
|
||||||
|
- policy.yaml
|
||||||
|
resources:
|
||||||
|
- resource.yaml
|
||||||
|
results:
|
||||||
|
- policy: validate-selinux-options
|
||||||
|
rule: validate-selinux-options
|
||||||
|
resource: busybox-selinux
|
||||||
|
kind: Pod
|
||||||
|
result: fail
|
|
@ -7,9 +7,10 @@ spec:
|
||||||
rules:
|
rules:
|
||||||
- name: validate-selinux-options
|
- name: validate-selinux-options
|
||||||
match:
|
match:
|
||||||
resources:
|
any:
|
||||||
kinds:
|
- resources:
|
||||||
- Pod
|
kinds:
|
||||||
|
- Pod
|
||||||
validate:
|
validate:
|
||||||
message: "SELinux level is required"
|
message: "SELinux level is required"
|
||||||
pattern:
|
pattern:
|
||||||
|
@ -17,7 +18,7 @@ spec:
|
||||||
containers:
|
containers:
|
||||||
- securityContext:
|
- securityContext:
|
||||||
seLinuxOptions:
|
seLinuxOptions:
|
||||||
level: "*"
|
level: "?*"
|
||||||
# level: "s0:c25,c968"
|
# level: "s0:c25,c968"
|
||||||
# If SELinux security module is loaded on the host operating system,
|
# If SELinux security module is loaded on the host operating system,
|
||||||
# we can make sure pods only have access to specified configured level
|
# we can make sure pods only have access to specified configured level
|
|
@ -0,0 +1,11 @@
|
||||||
|
name: validate-volumes-whitelist
|
||||||
|
policies:
|
||||||
|
- policy.yaml
|
||||||
|
resources:
|
||||||
|
- resource.yaml
|
||||||
|
results:
|
||||||
|
- policy: validate-volumes-whitelist
|
||||||
|
rule: validate-volumes-whitelist
|
||||||
|
resource: test-volumes
|
||||||
|
kind: Pod
|
||||||
|
result: pass
|
|
@ -1,4 +1,4 @@
|
||||||
apiVersion : kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: validate-volumes-whitelist
|
name: validate-volumes-whitelist
|
||||||
|
@ -7,11 +7,12 @@ spec:
|
||||||
rules:
|
rules:
|
||||||
- name: validate-volumes-whitelist
|
- name: validate-volumes-whitelist
|
||||||
match:
|
match:
|
||||||
resources:
|
any:
|
||||||
kinds:
|
- resources:
|
||||||
- Pod
|
kinds:
|
||||||
|
- Pod
|
||||||
validate:
|
validate:
|
||||||
message: "Volumes white list"
|
message: "Volume type is not of type hostPath, emptyDir, or configMap."
|
||||||
anyPattern:
|
anyPattern:
|
||||||
- spec:
|
- spec:
|
||||||
volumes:
|
volumes:
|
||||||
|
@ -22,7 +23,3 @@ spec:
|
||||||
- spec:
|
- spec:
|
||||||
volumes:
|
volumes:
|
||||||
- configMap: "*"
|
- configMap: "*"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,11 @@
|
||||||
|
name: restrict-ingress-classes
|
||||||
|
policies:
|
||||||
|
- policy.yaml
|
||||||
|
resources:
|
||||||
|
- resource.yaml
|
||||||
|
results:
|
||||||
|
- policy: restrict-ingress-classes
|
||||||
|
rule: validate-ingress
|
||||||
|
resource: test-ingress
|
||||||
|
kind: Ingress
|
||||||
|
result: pass
|
|
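Review bot: The expected `result: pass` for `test-ingress` is only correct if the migrated resource.yaml carries an ingress class the policy accepts; the policy added in this commit validates `kubernetes.io/ingress.class: "F5 | nginx"`, while the scenario fixture deleted in the same commit (also named `test-ingress`) used `kubernetes.io/ingress.class: haproxy`, which that pattern rejects. The new resource.yaml is not in this view, so please confirm it uses `nginx` or `F5`, or change the expectation to `result: fail` if the haproxy fixture was kept. While touching it, the old fixture declared `apiVersion: networking.k8s.io/v1beta1`, which current clusters no longer serve; `networking.k8s.io/v1` is the safer choice for a fixture meant to outlive this migration.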
@ -0,0 +1,23 @@
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
|
kind: ClusterPolicy
|
||||||
|
metadata:
|
||||||
|
name: restrict-ingress-classes
|
||||||
|
annotations:
|
||||||
|
policies.kyverno.io/category: Workload Management
|
||||||
|
policies.kyverno.io/description: It can be useful to restrict Ingress resources to a set of
|
||||||
|
known ingress classes that are allowed in the cluster. You can customize this policy to
|
||||||
|
allow ingress classes that are configured in the cluster.
|
||||||
|
spec:
|
||||||
|
rules:
|
||||||
|
- name: validate-ingress
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Ingress
|
||||||
|
validate:
|
||||||
|
message: "Unknown ingress class"
|
||||||
|
pattern:
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
kubernetes.io/ingress.class: "F5 | nginx"
|
|
@ -1,50 +0,0 @@
|
||||||
apiVersion : kyverno.io/v1
|
|
||||||
kind: ClusterPolicy
|
|
||||||
metadata:
|
|
||||||
name: policy-qos
|
|
||||||
spec:
|
|
||||||
# validationFailureAction: "audit"
|
|
||||||
rules:
|
|
||||||
- name: add-memory-limit
|
|
||||||
match:
|
|
||||||
resources:
|
|
||||||
kinds:
|
|
||||||
- Deployment
|
|
||||||
selector :
|
|
||||||
matchLabels:
|
|
||||||
test: qos
|
|
||||||
mutate:
|
|
||||||
patchStrategicMerge:
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
# the wildcard * will match all containers in the list
|
|
||||||
- (name): "*"
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
# add memory limit if it is not exist
|
|
||||||
"+(memory)": "300Mi"
|
|
||||||
"+(cpu)": "100"
|
|
||||||
- name: check-cpu-memory-limits
|
|
||||||
match:
|
|
||||||
resources:
|
|
||||||
kinds:
|
|
||||||
- Deployment
|
|
||||||
selector :
|
|
||||||
matchLabels:
|
|
||||||
test: qos
|
|
||||||
validate:
|
|
||||||
message: "Resource limits are required for CPU and memory"
|
|
||||||
pattern:
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
# match all containers
|
|
||||||
- (name): "*"
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
# cpu and memory are required
|
|
||||||
memory: "?*"
|
|
||||||
cpu: "?*"
|
|
|
@ -1,18 +0,0 @@
|
||||||
apiVersion: "v1"
|
|
||||||
kind: "Pod"
|
|
||||||
metadata:
|
|
||||||
name: "image-with-hostpath"
|
|
||||||
labels:
|
|
||||||
app.type: "prod"
|
|
||||||
namespace: "my-namespace"
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: "image-with-hostpath"
|
|
||||||
image: "docker.io/nautiker/curl"
|
|
||||||
volumeMounts:
|
|
||||||
- name: "var-lib-etcd"
|
|
||||||
mountPath: "/var/lib"
|
|
||||||
volumes:
|
|
||||||
- name: "var-lib-etcd"
|
|
||||||
hostPath:
|
|
||||||
path: "/var/lib"
|
|
|
@ -1,17 +0,0 @@
|
||||||
apiVersion: "v1"
|
|
||||||
kind: "Pod"
|
|
||||||
metadata:
|
|
||||||
name: "image-with-hostpath"
|
|
||||||
labels:
|
|
||||||
app.type: "prod"
|
|
||||||
namespace: "my-namespace"
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: "image-with-hostpath"
|
|
||||||
image: "docker.io/nautiker/curl"
|
|
||||||
volumeMounts:
|
|
||||||
- name: "var-lib-etcd"
|
|
||||||
mountPath: "/var/lib"
|
|
||||||
volumes:
|
|
||||||
- name: "var-lib-etcd"
|
|
||||||
emptyDir: {}
|
|
|
@ -1,12 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
kind: Pod
|
|
||||||
metadata:
|
|
||||||
name: nginx-host-network
|
|
||||||
spec:
|
|
||||||
hostNetwork: false
|
|
||||||
containers:
|
|
||||||
- name: nginx-host-network
|
|
||||||
image: nginx
|
|
||||||
ports:
|
|
||||||
- containerPort: 80
|
|
||||||
hostPort: 80
|
|
|
@ -1,10 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
kind: Pod
|
|
||||||
metadata:
|
|
||||||
name: nginx-with-hostpid
|
|
||||||
spec:
|
|
||||||
hostPID: false
|
|
||||||
hostIPC: true
|
|
||||||
containers:
|
|
||||||
- name: nginx
|
|
||||||
image: nginx
|
|
|
@ -1,11 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
kind: Pod
|
|
||||||
metadata:
|
|
||||||
name: check-privileged-cfg
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: check-privileged-cfg
|
|
||||||
image: nginxinc/nginx-unprivileged
|
|
||||||
securityContext:
|
|
||||||
allowPrivilegeEscalation: true
|
|
||||||
privileged: true
|
|
|
@ -1,14 +0,0 @@
|
||||||
apiVersion: networking.k8s.io/v1beta1
|
|
||||||
kind: Ingress
|
|
||||||
metadata:
|
|
||||||
name: test-ingress
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/ingress.class: haproxy
|
|
||||||
spec:
|
|
||||||
rules:
|
|
||||||
- http:
|
|
||||||
paths:
|
|
||||||
- path: /testpath
|
|
||||||
backend:
|
|
||||||
serviceName: test
|
|
||||||
servicePort: 80
|
|
|
@ -1,18 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
kind: Pod
|
|
||||||
metadata:
|
|
||||||
name: pod-with-default-volume
|
|
||||||
creationTimestamp: "2020-09-21T12:56:35Z"
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- image: registry.k8s.io/test-webserver
|
|
||||||
name: test-container
|
|
||||||
volumeMounts:
|
|
||||||
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
|
|
||||||
name: default-token-wkknl
|
|
||||||
readOnly: true
|
|
||||||
volumes:
|
|
||||||
- name: default-token-wkknl
|
|
||||||
secret:
|
|
||||||
defaultMode: 420
|
|
||||||
secretName: default-token-wkknl
|
|
|
@ -1,14 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
kind: Pod
|
|
||||||
metadata:
|
|
||||||
name: pod-with-emptydir
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- image: registry.k8s.io/test-webserver
|
|
||||||
name: test-container
|
|
||||||
volumeMounts:
|
|
||||||
- mountPath: /cache
|
|
||||||
name: cache-volume
|
|
||||||
volumes:
|
|
||||||
- name: cache-volume
|
|
||||||
emptyDir: {}
|
|
|
@ -1,16 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
kind: Pod
|
|
||||||
metadata:
|
|
||||||
name: pod-with-hostpath
|
|
||||||
annotations:
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- image: registry.k8s.io/test-webserver
|
|
||||||
name: test-container
|
|
||||||
volumeMounts:
|
|
||||||
- mountPath: /tmp/foo
|
|
||||||
name: host-volume
|
|
||||||
volumes:
|
|
||||||
- name: host-volume
|
|
||||||
hostPath:
|
|
||||||
path: "/tmp/foo"
|
|
|
@ -1,4 +0,0 @@
|
||||||
kind: Namespace
|
|
||||||
apiVersion: v1
|
|
||||||
metadata:
|
|
||||||
name: "devtest"
|
|
|
@ -1,4 +0,0 @@
|
||||||
kind: Namespace
|
|
||||||
apiVersion: v1
|
|
||||||
metadata:
|
|
||||||
name: "test-namespace-quota"
|
|
|
@ -1,16 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
kind: Pod
|
|
||||||
metadata:
|
|
||||||
name: nginx
|
|
||||||
labels:
|
|
||||||
name: nginx
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: nginx
|
|
||||||
image: nginx
|
|
||||||
ports:
|
|
||||||
- containerPort: 80
|
|
||||||
securityContext:
|
|
||||||
sysctls:
|
|
||||||
- name: net.ipv4.ip_local_port_range
|
|
||||||
value: "50 65535"
|
|
|
@ -1,21 +0,0 @@
|
||||||
# file path relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/policy/mutate/policy_mutate_endpoint.yaml
|
|
||||||
resource: test/resources/resource_mutate_endpoint.yaml
|
|
||||||
expected:
|
|
||||||
mutation:
|
|
||||||
patchedresource: test/output/output_mutate_endpoint.yaml
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: policy-endpoints
|
|
||||||
resource:
|
|
||||||
kind: Endpoints
|
|
||||||
apiVersion: v1
|
|
||||||
namespace: ''
|
|
||||||
name: test-endpoint
|
|
||||||
rules:
|
|
||||||
- name: pEP
|
|
||||||
type: Mutation
|
|
||||||
status: pass
|
|
||||||
message: mutated Endpoints/test-endpoint
|
|
|
@ -1,20 +0,0 @@
|
||||||
# file path relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/policy/mutate/policy_mutate_pod_spec.yaml
|
|
||||||
resource: test/resources/resource_mutate_pod_spec.yaml
|
|
||||||
expected:
|
|
||||||
mutation:
|
|
||||||
patchedresource: test/output/output_mutate_pod_spec.yaml
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
name: mutate-pods-spec
|
|
||||||
resource:
|
|
||||||
kind: Deployment
|
|
||||||
apiVersion: apps/v1
|
|
||||||
namespace: test-foo-aaaaaaaaa-bbbbbbbb
|
|
||||||
name: nginx-deployment
|
|
||||||
rules:
|
|
||||||
- name: disable-servicelink-and-token
|
|
||||||
type: Mutation
|
|
||||||
status: pass
|
|
||||||
message: mutated Deployment/nginx-deployment in namespace test-foo-aaaaaaaaa-bbbbbbbb
|
|
|
@ -1,36 +0,0 @@
|
||||||
# file path is relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/policy/mutate/policy_mutate_validate_qos.yaml
|
|
||||||
resource: test/resources/resource_mutate_validate_qos.yaml
|
|
||||||
expected:
|
|
||||||
mutation:
|
|
||||||
patchedresource: test/output/output_mutate_validate_qos.yaml
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: policy-qos
|
|
||||||
resource:
|
|
||||||
kind: Deployment
|
|
||||||
apiVersion: apps/v1
|
|
||||||
namespace: ''
|
|
||||||
name: qos-demo
|
|
||||||
rules:
|
|
||||||
- name: add-memory-limit
|
|
||||||
type: Mutation
|
|
||||||
status: pass
|
|
||||||
message: mutated Deployment/qos-demo
|
|
||||||
validation:
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: policy-qos
|
|
||||||
resource:
|
|
||||||
kind: Deployment
|
|
||||||
apiVersion: apps/v1
|
|
||||||
namespace: ''
|
|
||||||
name: qos-demo
|
|
||||||
rules:
|
|
||||||
- name: check-cpu-memory-limits
|
|
||||||
type: Validation
|
|
||||||
message: validation rule 'check-cpu-memory-limits' passed.
|
|
||||||
status: pass
|
|
|
@ -1,21 +0,0 @@
|
||||||
|
|
||||||
# file path relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/policy/validate/policy_validate_default_proc_mount.yaml
|
|
||||||
resource: test/resources/resource_validate_default_proc_mount.yaml
|
|
||||||
expected:
|
|
||||||
validation:
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: validate-default-proc-mount
|
|
||||||
resource:
|
|
||||||
kind: Pod
|
|
||||||
apiVersion: v1
|
|
||||||
namespace: ''
|
|
||||||
name: nginx-proc-mount
|
|
||||||
rules:
|
|
||||||
- name: validate-default-proc-mount
|
|
||||||
type: Validation
|
|
||||||
message: "validation rule 'validate-default-proc-mount' passed."
|
|
||||||
status: pass
|
|
|
@ -1,20 +0,0 @@
|
||||||
# file path relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/policy/validate/policy_validate_disallow_default_serviceaccount.yaml
|
|
||||||
resource: test/resources/resource_validate_disallow_default_serviceaccount.yaml
|
|
||||||
expected:
|
|
||||||
validation:
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: validate-disallow-default-serviceaccount
|
|
||||||
resource:
|
|
||||||
kind: Pod
|
|
||||||
apiVersion: v1
|
|
||||||
namespace: ''
|
|
||||||
name: pod-with-default-sa
|
|
||||||
rules:
|
|
||||||
- name: prevent-mounting-default-serviceaccount
|
|
||||||
type: Validation
|
|
||||||
message: "validation error: Prevent mounting of default service account. rule prevent-mounting-default-serviceaccount failed at path /spec/serviceAccountName/"
|
|
||||||
status: fail
|
|
|
@ -1,24 +0,0 @@
|
||||||
# file path relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/policy/validate/policy_validate_healthChecks.yaml
|
|
||||||
resource: test/resources/resource_validate_healthChecks.yaml
|
|
||||||
expected:
|
|
||||||
validation:
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: check-probe-exists
|
|
||||||
resource:
|
|
||||||
kind: Pod
|
|
||||||
apiVersion: v1
|
|
||||||
namespace: ''
|
|
||||||
name: probe
|
|
||||||
rules:
|
|
||||||
- name: check-readinessProbe-exists
|
|
||||||
type: Validation
|
|
||||||
message: validation rule 'check-readinessProbe-exists' passed.
|
|
||||||
status: pass
|
|
||||||
- name: check-livenessProbe-exists
|
|
||||||
type: Validation
|
|
||||||
message: validation rule 'check-livenessProbe-exists' passed.
|
|
||||||
status: pass
|
|
|
@ -1,20 +0,0 @@
|
||||||
|
|
||||||
# file path relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/policy/validate/policy_validate_selinux_context.yaml
|
|
||||||
resource: test/resources/resource_validate_selinux_context.yaml
|
|
||||||
expected:
|
|
||||||
validation:
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
name: validate-selinux-options
|
|
||||||
resource:
|
|
||||||
kind: Pod
|
|
||||||
apiVersion: v1
|
|
||||||
namespace: default
|
|
||||||
name: busybox-selinux
|
|
||||||
rules:
|
|
||||||
- name: validate-selinux-options
|
|
||||||
type: Validation
|
|
||||||
message: "validation error: SELinux level is required. rule validate-selinux-options failed at path /spec/containers/0/securityContext/seLinuxOptions/"
|
|
||||||
status: fail
|
|
|
@ -1,21 +0,0 @@
|
||||||
|
|
||||||
# file path relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/policy/validate/policy_validate_volume_whitelist.yaml
|
|
||||||
resource: test/resources/resource_validate_volume_whitelist.yaml
|
|
||||||
expected:
|
|
||||||
validation:
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: validate-volumes-whitelist
|
|
||||||
resource:
|
|
||||||
kind: Pod
|
|
||||||
apiVersion: v1
|
|
||||||
namespace: ''
|
|
||||||
name: test-volumes
|
|
||||||
rules:
|
|
||||||
- name: validate-volumes-whitelist
|
|
||||||
type: Validation
|
|
||||||
message: "validation rule 'validate-volumes-whitelist' anyPattern[2] passed."
|
|
||||||
status: pass
|
|
|
@ -1,24 +0,0 @@
|
||||||
# file path relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/best_practices/add_network_policy.yaml
|
|
||||||
resource: test/resources/require_default_network_policy.yaml
|
|
||||||
expected:
|
|
||||||
generation:
|
|
||||||
generatedResources:
|
|
||||||
- name: default-deny-ingress
|
|
||||||
kind: NetworkPolicy
|
|
||||||
namespace: devtest
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: add-networkpolicy
|
|
||||||
resource:
|
|
||||||
kind: Namespace
|
|
||||||
apiVersion: v1
|
|
||||||
namespace: ''
|
|
||||||
name: devtest
|
|
||||||
rules:
|
|
||||||
- name: default-deny-ingress
|
|
||||||
type: Generation
|
|
||||||
status: pass
|
|
||||||
message: created resource NetworkPolicy/devtest/default-deny-ingress
|
|
|
@ -1,26 +0,0 @@
|
||||||
# file path relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/best_practices/add_ns_quota.yaml
|
|
||||||
resource: test/resources/require_namespace_quota.yaml
|
|
||||||
expected:
|
|
||||||
generation:
|
|
||||||
generatedResources:
|
|
||||||
- name: default-resourcequota
|
|
||||||
kind: ResourceQuota
|
|
||||||
namespace: test-namespace-quota
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: add-ns-quota
|
|
||||||
resource:
|
|
||||||
kind: Namespace
|
|
||||||
apiVersion: v1
|
|
||||||
namespace: ''
|
|
||||||
name: test-namespace-quota
|
|
||||||
rules:
|
|
||||||
- name: generate-resourcequota
|
|
||||||
type: Generation
|
|
||||||
status: pass
|
|
||||||
- name: generate-limitrange
|
|
||||||
type: Generation
|
|
||||||
status: pass
|
|
|
@ -1,25 +0,0 @@
|
||||||
# file path is relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/best_practices/add_safe_to_evict.yaml
|
|
||||||
resource: test/resources/pod-with-emptydir.yaml
|
|
||||||
expected:
|
|
||||||
mutation:
|
|
||||||
patchedresource: test/output/pod-with-emptydir.yaml
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: add-safe-to-evict
|
|
||||||
resource:
|
|
||||||
kind: Pod
|
|
||||||
apiVersion: v1
|
|
||||||
namespace: ''
|
|
||||||
name: pod-with-emptydir
|
|
||||||
rules:
|
|
||||||
- name: annotate-empty-dir
|
|
||||||
type: Mutation
|
|
||||||
status: pass
|
|
||||||
message: "mutated Pod/pod-with-emptydir"
|
|
||||||
- name: annotate-host-path
|
|
||||||
type: Mutation
|
|
||||||
status: skip
|
|
||||||
message: "no patches applied"
|
|
|
@ -1,25 +0,0 @@
|
||||||
# file path is relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/best_practices/add_safe_to_evict.yaml
|
|
||||||
resource: test/resources/pod-with-hostpath.yaml
|
|
||||||
expected:
|
|
||||||
mutation:
|
|
||||||
patchedresource: test/output/pod-with-hostpath.yaml
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: add-safe-to-evict
|
|
||||||
resource:
|
|
||||||
kind: Pod
|
|
||||||
apiVersion: v1
|
|
||||||
namespace: ''
|
|
||||||
name: pod-with-hostpath
|
|
||||||
rules:
|
|
||||||
- name: annotate-empty-dir
|
|
||||||
type: Mutation
|
|
||||||
status: skip
|
|
||||||
message: "no patches applied"
|
|
||||||
- name: annotate-host-path
|
|
||||||
type: Mutation
|
|
||||||
status: pass
|
|
||||||
message: "mutated Pod/pod-with-hostpath"
|
|
|
@ -1,27 +0,0 @@
|
||||||
# file path is relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/best_practices/add_safe_to_evict.yaml
|
|
||||||
resource: test/resources/pod-with-default-volume.yaml
|
|
||||||
expected:
|
|
||||||
mutation:
|
|
||||||
patchedresource: test/output/pod-with-default-volume.yaml
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: add-safe-to-evict
|
|
||||||
resource:
|
|
||||||
kind: Pod
|
|
||||||
apiVersion: v1
|
|
||||||
namespace: ''
|
|
||||||
name: pod-with-default-volume
|
|
||||||
rules:
|
|
||||||
- name: annotate-empty-dir
|
|
||||||
type: Mutation
|
|
||||||
status: skip
|
|
||||||
message: "no patches applied"
|
|
||||||
- name: annotate-host-path
|
|
||||||
type: Mutation
|
|
||||||
status: skip
|
|
||||||
message: "no patches applied"
|
|
||||||
|
|
||||||
|
|
|
@ -1,20 +0,0 @@
|
||||||
# file path relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/best_practices/disallow_bind_mounts.yaml
|
|
||||||
resource: test/resources/disallow_host_filesystem.yaml
|
|
||||||
expected:
|
|
||||||
validation:
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: disallow-bind-mounts
|
|
||||||
resource:
|
|
||||||
kind: Pod
|
|
||||||
apiVersion: v1
|
|
||||||
namespace: ''
|
|
||||||
name: image-with-hostpath
|
|
||||||
rules:
|
|
||||||
- name: validate-hostPath
|
|
||||||
message: "validation error: Host path volumes are not allowed. rule validate-hostPath failed at path /spec/volumes/0/hostPath/"
|
|
||||||
type: Validation
|
|
||||||
status: fail
|
|
|
@ -1,19 +0,0 @@
|
||||||
# file path relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/best_practices/disallow_bind_mounts.yaml
|
|
||||||
resource: test/resources/disallow_host_filesystem_pass.yaml
|
|
||||||
expected:
|
|
||||||
validation:
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: disallow-bind-mounts
|
|
||||||
resource:
|
|
||||||
kind: Pod
|
|
||||||
apiVersion: v1
|
|
||||||
namespace: ''
|
|
||||||
name: image-with-hostpath
|
|
||||||
rules:
|
|
||||||
- name: validate-hostPath
|
|
||||||
type: Validation
|
|
||||||
status: pass
|
|
|
@ -1,22 +0,0 @@
|
||||||
# file path relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/best_practices/disallow_host_network_port.yaml
|
|
||||||
resource: test/resources/disallow_host_network_hostport.yaml
|
|
||||||
expected:
|
|
||||||
validation:
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: disallow-host-network-port
|
|
||||||
resource:
|
|
||||||
kind: Pod
|
|
||||||
apiVersion: v1
|
|
||||||
namespace: ''
|
|
||||||
name: "nginx-host-network"
|
|
||||||
rules:
|
|
||||||
- name: validate-host-network
|
|
||||||
type: Validation
|
|
||||||
status: pass
|
|
||||||
- name: validate-host-port
|
|
||||||
type: Validation
|
|
||||||
status: fail
|
|
|
@ -1,19 +0,0 @@
|
||||||
# file path relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/best_practices/disallow_host_pid_ipc.yaml
|
|
||||||
resource: test/resources/disallow_hostpid_hostipc.yaml
|
|
||||||
expected:
|
|
||||||
validation:
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: disallow-host-pid-ipc
|
|
||||||
resource:
|
|
||||||
kind: Pod
|
|
||||||
apiVersion: v1
|
|
||||||
namespace: ''
|
|
||||||
name: "nginx-with-hostpid"
|
|
||||||
rules:
|
|
||||||
- name: validate-hostPID-hostIPC
|
|
||||||
type: Validation
|
|
||||||
status: fail
|
|
|
@ -1,22 +0,0 @@
|
||||||
# file path relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/best_practices/disallow_privileged.yaml
|
|
||||||
resource: test/resources/disallow_privileged.yaml
|
|
||||||
expected:
|
|
||||||
validation:
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: disallow-privileged
|
|
||||||
resource:
|
|
||||||
kind: Pod
|
|
||||||
apiVersion: v1
|
|
||||||
namespace: ''
|
|
||||||
name: check-privileged-cfg
|
|
||||||
rules:
|
|
||||||
- name: validate-privileged
|
|
||||||
type: Validation
|
|
||||||
status: fail
|
|
||||||
- name: validate-allowPrivilegeEscalation
|
|
||||||
type: Validation
|
|
||||||
status: fail
|
|
|
@ -1,20 +0,0 @@
|
||||||
|
|
||||||
# file path relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/best_practices/disallow_sysctls.yaml
|
|
||||||
resource: test/resources/resource_validate_sysctl_configs.yaml
|
|
||||||
expected:
|
|
||||||
validation:
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: disallow-sysctls
|
|
||||||
resource:
|
|
||||||
kind: Pod
|
|
||||||
apiVersion: v1
|
|
||||||
namespace: ''
|
|
||||||
name: nginx
|
|
||||||
rules:
|
|
||||||
- name: validate-sysctls
|
|
||||||
type: Validation
|
|
||||||
status: fail
|
|
|
@ -1,19 +0,0 @@
|
||||||
# file path relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/more/restrict_automount_sa_token.yaml
|
|
||||||
resource: test/resources/disallow_automountingapicred.yaml
|
|
||||||
expected:
|
|
||||||
validation:
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: restrict-automount-sa-token
|
|
||||||
resource:
|
|
||||||
kind: Pod
|
|
||||||
apiVersion: v1
|
|
||||||
namespace: ''
|
|
||||||
name: myapp-pod
|
|
||||||
rules:
|
|
||||||
- name: validate-automountServiceAccountToken
|
|
||||||
type: Validation
|
|
||||||
status: pass
|
|
|
@ -1,19 +0,0 @@
|
||||||
# file path relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/more/restrict_ingress_classes.yaml
|
|
||||||
resource: test/resources/ingress-nginx.yaml
|
|
||||||
expected:
|
|
||||||
validation:
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: restrict-ingress-classes
|
|
||||||
resource:
|
|
||||||
kind: Ingress
|
|
||||||
apiVersion: v1
|
|
||||||
namespace: ''
|
|
||||||
name: test-ingress
|
|
||||||
rules:
|
|
||||||
- name: validate-ingress
|
|
||||||
type: Validation
|
|
||||||
status: pass
|
|
|
@ -1,19 +0,0 @@
|
||||||
# file path relative to project root
|
|
||||||
input:
|
|
||||||
policy: test/more/restrict_ingress_classes.yaml
|
|
||||||
resource: test/resources/ingress-haproxy.yaml
|
|
||||||
expected:
|
|
||||||
validation:
|
|
||||||
policyresponse:
|
|
||||||
policy:
|
|
||||||
namespace: ''
|
|
||||||
name: restrict-ingress-classes
|
|
||||||
resource:
|
|
||||||
kind: Ingress
|
|
||||||
apiVersion: v1
|
|
||||||
namespace: ''
|
|
||||||
name: test-ingress
|
|
||||||
rules:
|
|
||||||
- name: validate-ingress
|
|
||||||
type: Validation
|
|
||||||
status: fail
|
|