fix: add podSecurity validation checks for exceptions (#9817)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2024-12-15 17:51:20 +00:00 · 2024-02-28 10:21:10 +02:00 · 2024-02-28 10:21:10 +02:00 · 07a6bf42f5
commit 07a6bf42f5
parent 511df7a466
9 changed files with 135 additions and 30 deletions
--- a/api/kyverno/v1/common_types.go
+++ b/api/kyverno/v1/common_types.go
@ -5,6 +5,7 @@ import (
 	"fmt"

 	"github.com/kyverno/kyverno/pkg/engine/variables/regex"
+	"github.com/kyverno/kyverno/pkg/pss/utils"
 	"github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest"
 	admissionv1 "k8s.io/api/admission/v1"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
@ -469,6 +470,28 @@ type PodSecurityStandard struct {
 	Values []string `json:"values,omitempty" yaml:"values,omitempty"`
 }

+func (pss *PodSecurityStandard) Validate(path *field.Path) (errs field.ErrorList) {
+	// container level control must specify images
+	if containsString(utils.PSS_container_level_control, pss.ControlName) {
+		if len(pss.Images) == 0 {
+			errs = append(errs, field.Invalid(path.Child("controlName"), pss.ControlName, "exclude.images must be specified for the container level control"))
+		}
+	} else if containsString(utils.PSS_pod_level_control, pss.ControlName) {
+		if len(pss.Images) != 0 {
+			errs = append(errs, field.Invalid(path.Child("controlName"), pss.ControlName, "exclude.images must not be specified for the pod level control"))
+		}
+	}
+
+	if pss.RestrictedField != "" && len(pss.Values) == 0 {
+		errs = append(errs, field.Forbidden(path.Child("values"), "values is required"))
+	}
+
+	if pss.RestrictedField == "" && len(pss.Values) != 0 {
+		errs = append(errs, field.Forbidden(path.Child("restrictedField"), "restrictedField is required"))
+	}
+	return errs
+}
+
 // CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
 type CEL struct {
 	// Expressions is a list of CELExpression types.
--- a/api/kyverno/v1/rule_types.go
+++ b/api/kyverno/v1/rule_types.go
@ -396,16 +396,7 @@ func (r *Rule) ValidatePSaControlNames(path *field.Path) (errs field.ErrorList)
 		}

 		for idx, exclude := range podSecurity.Exclude {
-			// container level control must specify images
-			if containsString(utils.PSS_container_level_control, exclude.ControlName) {
-				if len(exclude.Images) == 0 {
-					errs = append(errs, field.Invalid(path.Child("podSecurity").Child("exclude").Index(idx).Child("controlName"), exclude.ControlName, "exclude.images must be specified for the container level control"))
-				}
-			} else if containsString(utils.PSS_pod_level_control, exclude.ControlName) {
-				if len(exclude.Images) != 0 {
-					errs = append(errs, field.Invalid(path.Child("podSecurity").Child("exclude").Index(idx).Child("controlName"), exclude.ControlName, "exclude.images must not be specified for the pod level control"))
-				}
-			}
+			errs = append(errs, exclude.Validate(path.Child("podSecurity").Child("exclude").Index(idx))...)

 			if containsString([]string{"Seccomp", "Capabilities"}, exclude.ControlName) {
 				continue
--- a/api/kyverno/v2beta1/policy_exception_types.go
+++ b/api/kyverno/v2beta1/policy_exception_types.go
@ -100,6 +100,11 @@ func (p *PolicyExceptionSpec) Validate(path *field.Path) (errs field.ErrorList)
 	for i, e := range p.Exceptions {
 		errs = append(errs, e.Validate(exceptionsPath.Index(i))...)
 	}
+
+	podSecuityPath := path.Child("podSecurity")
+	for i, p := range p.PodSecurity {
+		errs = append(errs, p.Validate(podSecuityPath.Index(i))...)
+	}
 	return errs
 }

--- a/pkg/policy/validate/validate.go
+++ b/pkg/policy/validate/validate.go
@ -68,20 +68,6 @@ func (v *Validate) Validate(ctx context.Context) (string, error) {
 		}
 	}

-	if v.rule.PodSecurity != nil {
-		if len(v.rule.PodSecurity.Exclude) != 0 {
-			for _, exclude := range v.rule.PodSecurity.Exclude {
-				if exclude.RestrictedField != "" && len(exclude.Values) == 0 {
-					return "", fmt.Errorf("podSecurity.exclude.values is required")
-				}
-
-				if exclude.RestrictedField == "" && len(exclude.Values) != 0 {
-					return "", fmt.Errorf("podSecurity.exclude.restrictedField is required")
-				}
-			}
-		}
-	}
-
 	if v.rule.CEL != nil {
 		for _, expression := range v.rule.CEL.Expressions {
 			if expression.Expression == "" {
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-exceptions/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-exceptions/chainsaw-test.yaml
@ -0,0 +1,34 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: invalid-pod-security-exceptions
+spec:
+  steps:
+  - name: Apply the first policy exception
+    try:
+    - script:
+        content: kubectl apply -f exception-1.yaml
+        check:
+          ($error != null): true
+          # This check ensures the contents of stderr are exactly as shown.  
+          ($stderr): |-
+            Error from server: error when creating "exception-1.yaml": admission webhook "kyverno-svc.kyverno.svc" denied the request: [spec.podSecurity[0].controlName: Invalid value: "Capabilities": exclude.images must be specified for the container level control, spec.podSecurity[3].controlName: Invalid value: "Privilege Escalation": exclude.images must be specified for the container level control]
+  - name: Apply the second policy exception
+    try:
+    - script:
+        content: kubectl apply -f exception-2.yaml
+        check:
+          ($error != null): true
+          # This check ensures the contents of stderr are exactly as shown.  
+          ($stderr): |-
+            Error from server: error when creating "exception-2.yaml": admission webhook "kyverno-svc.kyverno.svc" denied the request: spec.podSecurity[0].values: Forbidden: values is required
+  - name: Apply the third policy exception
+    try:
+    - script:
+        content: kubectl apply -f exception-3.yaml
+        check:
+          ($error != null): true
+          # This check ensures the contents of stderr are exactly as shown.  
+          ($stderr): |-
+            Error from server: error when creating "exception-3.yaml": admission webhook "kyverno-svc.kyverno.svc" denied the request: spec.podSecurity[0].restrictedField: Forbidden: restrictedField is required
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-exceptions/exception-1.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-exceptions/exception-1.yaml
@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v2
+kind: PolicyException
+metadata:
+  creationTimestamp: null
+  name: exception-1
+spec:
+  exceptions:
+  - policyName: psa
+    ruleNames:
+    - restricted
+  match:
+    all:
+    - resources:
+        kinds:
+        - Pod
+  podSecurity:
+  - controlName: Capabilities
+  - controlName: Host Namespaces
+  - controlName: HostPath Volumes
+  - controlName: Privilege Escalation
+  - controlName: Running as Non-root
+  - controlName: Seccomp
+  - controlName: Volume Types
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-exceptions/exception-2.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-exceptions/exception-2.yaml
@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v2
+kind: PolicyException
+metadata:
+  creationTimestamp: null
+  name: exception-2
+spec:
+  exceptions:
+  - policyName: psa
+    ruleNames:
+    - restricted
+  match:
+    all:
+    - resources:
+        kinds:
+        - Pod
+  podSecurity:
+  - controlName: "/proc Mount Type"
+    images:
+    - nginx
+    restrictedField: "spec.containers[*].securityContext.procMount"
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-exceptions/exception-3.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-exceptions/exception-3.yaml
@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v2
+kind: PolicyException
+metadata:
+  creationTimestamp: null
+  name: exception-3
+spec:
+  exceptions:
+  - policyName: psa
+    ruleNames:
+    - restricted
+  match:
+    all:
+    - resources:
+        kinds:
+        - Pod
+  podSecurity:
+  - controlName: "/proc Mount Type"
+    images:
+    - nginx
+    values:
+    - "bar"
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/chainsaw-test.yaml
@ -10,14 +10,16 @@ spec:
    - script:
        content: kubectl apply -f policy-1.yaml
        check:
-          # This check ensures that the string "undefined field 'automountServiceAccountToken';" is found
-          # in stderr or else fails
-          (contains($stderr, 'podSecurity.exclude.values is required')): true
+          ($error != null): true
+          # This check ensures the contents of stderr are exactly as shown.  
+          ($stderr): |-
+            Error from server: error when creating "policy-1.yaml": admission webhook "validate-policy.kyverno.svc" denied the request: spec.rules[0].podSecurity.exclude[0].values: Forbidden: values is required
  - name: Apply the second policy
    try:
    - script:
        content: kubectl apply -f policy-2.yaml
        check:
-          # This check ensures that the string "podSecurity.exclude.restrictedField is required" is found
-          # in stderr or else fails
-          (contains($stderr, 'podSecurity.exclude.restrictedField is required')): true
+          ($error != null): true
+          # This check ensures the contents of stderr are exactly as shown.  
+          ($stderr): |-
+            Error from server: error when creating "policy-2.yaml": admission webhook "validate-policy.kyverno.svc" denied the request: spec.rules[0].podSecurity.exclude[0].restrictedField: Forbidden: restrictedField is required