From 0c09ba53eb0707b4f0149a358d2e1decd93e6d43 Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Fri, 4 Oct 2019 17:48:57 -0700
Subject: [PATCH] best-practice: validate default proc mount
---
 examples/best_practices/README.md | 5 +++--
 .../policy_validate_default_proc_mount.yaml | 19 +++++++++++++++++++
 .../policy_validate_selinux_context.yaml | 4 ++--
 .../resource_validate_default_proc_mount.yaml | 12 ++++++++++++
 pkg/testrunner/testrunner_test.go | 4 ++++
 .../scenario_validate_default_proc_mount.yaml | 19 +++++++++++++++++++
 .../scenario_validate_selinux_context.yaml | 2 +-
 7 files changed, 60 insertions(+), 5 deletions(-)
 create mode 100644 examples/best_practices/policy_validate_default_proc_mount.yaml
 create mode 100644 examples/best_practices/resources/resource_validate_default_proc_mount.yaml
 create mode 100644 test/scenarios/test/scenario_validate_default_proc_mount.yaml
diff --git a/examples/best_practices/README.md b/examples/best_practices/README.md
index 5f852c0aa6..288da8c1b2 100644
--- a/examples/best_practices/README.md
+++ b/examples/best_practices/README.md
@@ -19,5 +19,6 @@
 | Prevent mounting of default service account | [policy_validate_disallow_default_serviceaccount.yaml](policy_validate_disallow_default_serviceaccount.yaml) |
 | Require a default network policy | [policy_validate_default_network_policy.yaml](policy_validate_default_network_policy.yaml) |
 | Require namespace quotas and limit ranges | [policy_validate_namespace_quota.yaml](policy_validate_namespace_quota.yaml) |
-| Require an FSGroup that owns the pod's volumes | [policy_validate_fsgroup.yaml](policy_validate_fsgroup.yaml) |
-| Require the SELinux level of the container | [policy_validate_selinux_context.yaml](policy_validate_selinux_context.yaml) |
\ No newline at end of file
+| Allow an FSGroup that owns the pod's volumes | [policy_validate_fsgroup.yaml](policy_validate_fsgroup.yaml) |
+| Require SELinux level of the container | [policy_validate_selinux_context.yaml](policy_validate_selinux_context.yaml) |
+| Allow default Proc Mount type | [policy_validate_default_proc_mount.yaml](policy_validate_default_proc_mount.yaml) |
\ No newline at end of file
diff --git a/examples/best_practices/policy_validate_default_proc_mount.yaml b/examples/best_practices/policy_validate_default_proc_mount.yaml
new file mode 100644
index 0000000000..fba0d100c5
--- /dev/null
+++ b/examples/best_practices/policy_validate_default_proc_mount.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: validate-default-proc-mount
+spec:
+  validationFailureAction: "audit"
+  rules:
+  - name: validate-default-proc-mount
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Default proc mount should set to Unmasked"
+      pattern:
+        spec:
+          containers:
+          - securityContext:
+              procMount: Unmasked
diff --git a/examples/best_practices/policy_validate_selinux_context.yaml b/examples/best_practices/policy_validate_selinux_context.yaml
index 39ee1bece6..0b4035adb0 100644
--- a/examples/best_practices/policy_validate_selinux_context.yaml
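Review bot: The pattern `procMount: Unmasked` in policy_validate_default_proc_mount.yaml enforces the permissive setting rather than the hardened one: in Kubernetes `Default` keeps the runtime's masking of sensitive /proc paths and `Unmasked` switches that masking off, so as written the rule would flag every pod that keeps the safe value and pass the one that opts out. The `#Default` comment on the resource in resource_validate_default_proc_mount.yaml and the `success: true` expectation in scenario_validate_default_proc_mount.yaml rest on the same inversion and would need to change together with the policy. I would change the pattern to `procMount: Default`, the message to `message: "Proc mount type must be Default"`, and the README row from "Allow default Proc Mount type" to "Require default proc mount type". Note also that the updated selinux scenario reports a failure at `/spec/containers/0/securityContext/seLinuxOptions/`, which suggests a pattern key missing from the resource counts as a mismatch; if so, pods that leave procMount unset (the common case, and the safe one) would also be reported by this rule in either form, so the rule may need to express "absent or Default" rather than a required value.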
+++ b/examples/best_practices/policy_validate_selinux_context.yaml
@@ -11,10 +11,10 @@ spec:
         kinds:
         - Pod
     validate:
-      message: "SELinux level should be set to s0:c123,c456"
+      message: "SELinux level is required"
       pattern:
         spec:
           containers:
           - securityContext:
              seLinuxOptions:
-               level: "s0:c123,c456"
+               level: "*"
diff --git a/examples/best_practices/resources/resource_validate_default_proc_mount.yaml b/examples/best_practices/resources/resource_validate_default_proc_mount.yaml
new file mode 100644
index 0000000000..db33c25a04
--- /dev/null
+++ b/examples/best_practices/resources/resource_validate_default_proc_mount.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-proc-mount
+  labels:
+    app: nginx-proc-mount
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    securityContext:
+      procMount: Unmasked #Default
\ No newline at end of file
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index e41db3c445..56d4f6f3ef 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -119,3 +119,7 @@ func Test_validate_fsgroup(t *testing.T) {
 func Test_validate_selinux_context(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_validate_selinux_context.yaml")
 }
+
+func Test_validate_proc_mount(t *testing.T) {
+	testScenario(t, "test/scenarios/test/scenario_validate_default_proc_mount.yaml")
+}
diff --git a/test/scenarios/test/scenario_validate_default_proc_mount.yaml b/test/scenarios/test/scenario_validate_default_proc_mount.yaml
new file mode 100644
index 0000000000..568894c35c
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_default_proc_mount.yaml
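Review bot: The new test name `Test_validate_proc_mount` breaks the file's convention of naming each test after its scenario file, which `Test_validate_selinux_context` directly above follows for scenario_validate_selinux_context.yaml. Renaming it `func Test_validate_proc_mount(t *testing.T) {` to `func Test_validate_default_proc_mount(t *testing.T) {` keeps the test, policy, resource and scenario under one identifier, so a failure in `go test -run` output points straight at the files involved. The added function is complete within the hunk.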
@@ -0,0 +1,19 @@
+
+# file path relative to project root
+input:
+  policy: examples/best_practices/policy_validate_default_proc_mount.yaml
+  resource: examples/best_practices/resources/resource_validate_default_proc_mount.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: validate-default-proc-mount
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: nginx-proc-mount
+      rules:
+      - name: validate-default-proc-mount
+        type: Validation
+        message: "Validation rule 'validate-default-proc-mount' succesfully validated"
+        success: true
\ No newline at end of file
diff --git a/test/scenarios/test/scenario_validate_selinux_context.yaml b/test/scenarios/test/scenario_validate_selinux_context.yaml
index aa729edef4..cd567e6d21 100644
--- a/test/scenarios/test/scenario_validate_selinux_context.yaml
+++ b/test/scenarios/test/scenario_validate_selinux_context.yaml
@@ -15,5 +15,5 @@ expected:
       rules:
       - name: validate-selinux-options
         type: Validation
-        message: "Validation rule 'validate-selinux-options' failed at '/spec/containers/0/securityContext/seLinuxOptions/level/' for resource Pod/default/busybox-selinux. SELinux level should be set to s0:c123,c456"
+        message: "Validation rule 'validate-selinux-options' failed at '/spec/containers/0/securityContext/seLinuxOptions/' for resource Pod/default/busybox-selinux. SELinux level is required"
         success: false
\ No newline at end of file