- add policy and test for known ingress

- fix messages and remove unnecessary comments in testrunner/scenario.go

pkg/testrunner/scenario.go

@@ -134,25 +134,21 @@ func runScenario(t *testing.T, s *scenarioT) bool {
 }
 
 func runTestCase(t *testing.T, tc scaseT) bool {
-
-	// apply policy
-	// convert policy -> kyverno.Policy
 	policy := loadPolicy(t, tc.Input.Policy)
 	if policy == nil {
-		t.Error("Policy no loaded")
+		t.Error("Policy not loaded")
 		t.FailNow()
 	}
-	// convert resource -> unstructured.Unstructured
+
 	resource := loadPolicyResource(t, tc.Input.Resource)
 	if resource == nil {
-		t.Error("Resources no loaded")
+		t.Error("Resources not loaded")
 		t.FailNow()
 	}
 
 	var er engine.EngineResponse
-	// Mutation
+
 	er = engine.Mutate(*policy, *resource)
-	// validate te response
 	t.Log("---Mutation---")
 	validateResource(t, er.PatchedResource, tc.Expected.Mutation.PatchedResource)
 	validateResponse(t, er.PolicyResponse, tc.Expected.Mutation.PolicyResponse)
@@ -162,9 +158,7 @@ func runTestCase(t *testing.T, tc scaseT) bool {
 		resource = &er.PatchedResource
 	}
 
-	// Validation
 	er = engine.Validate(*policy, *resource)
-	// validate the response
 	t.Log("---Validation---")
 	validateResponse(t, er.PolicyResponse, tc.Expected.Validation.PolicyResponse)
 

pkg/testrunner/testrunner_test.go

@@ -134,3 +134,11 @@ func Test_add_safe_to_evict_annotation(t *testing.T) {
 func Test_add_safe_to_evict_annotation2(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/scenario_mutate_safe-to-evict2.yaml")
 }
+
+func Test_known_ingress(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_known_ingress_class.yaml")
+}
+
+func Test_unknown_ingress(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_unknown_ingress_class.yaml")
+}

samples/DisallowUnknownRegistries.md

@@ -21,10 +21,9 @@ spec:
         kinds:
         - Pod
     validate:
-      message: "Deny untrusted registries"
+      message: "Unknown image registry"
       pattern:
         spec:
           containers:
           - image: "k8s.gcr.io/* | gcr.io/*"
-
 ````

samples/KnownIngressClass.md

@@ -0,0 +1,32 @@
+# Require a known ingress class
+
+It can be useful to restrict Ingress resources to use a known ingress class that are allowed in the cluster.
+
+You can customize this policy to allow ingress classes that are configured in the cluster.
+
+## Policy YAML 
+
+[known_ingress.yaml](best_practices/known_ingress.yaml) 
+
+````yaml
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: known-ingress
+  annotations:
+    policies.kyverno.io/category: Ingress
+    policies.kyverno.io/description: 
+spec:
+  rules:
+  - name: known-ingress
+    match:
+      resources:
+        kinds:
+        - Ingress
+    validate:
+      message: "Unknown ingress class"
+      pattern:
+        metadata:
+          annotations:
+            kubernetes.io/ingress.class: "F5 | nginx"
+````

samples/README.md

@@ -39,7 +39,7 @@ These policies are highly recommended.
 1. [Run as non-root user](RunAsNonRootUser.md)
 2. [Disable privileged containers and disallow privilege escalation](DisablePrivilegedContainers.md)
 3. [Disallow new capabilities](DisallowNewCapabilities.md)
-4. [Require Read-only root filesystem](RequireReadOnlyFS.md)
+4. [Require read-only root filesystem](RequireReadOnlyFS.md)
 5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowHostFS.md)
 6. [Disallow docker socket bind mount](DisallowDockerSockMount.md)
 7. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
@@ -62,6 +62,4 @@ The policies provide additional best practices and are worthy of close considera
 19. [Limit automount of Service Account credentials](DisallowAutomountSACredentials.md)
 20. [Configure Linux Capabilities](AssignLinuxCapabilities.md)
 21. [Limit Kernel parameter access](ConfigureKernelParmeters.md)
-
-
-
+22. [Restrict ingress class](KnownIngressClass.md)

samples/best_practices/known_ingress.yaml

@@ -0,0 +1,20 @@
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: known-ingress
+  annotations:
+    policies.kyverno.io/category: Ingress
+    policies.kyverno.io/description: 
+spec:
+  rules:
+  - name: known-ingress
+    match:
+      resources:
+        kinds:
+        - Ingress
+    validate:
+      message: "Unknown ingress class"
+      pattern:
+        metadata:
+          annotations:
+            kubernetes.io/ingress.class: "F5 | nginx"

test/resources/ingress-haproxy.yaml

@@ -0,0 +1,14 @@
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: test-ingress
+  annotations:
+    kubernetes.io/ingress.class: haproxy
+spec:
+  rules:
+  - http:
+      paths:
+      - path: /testpath
+        backend:
+          serviceName: test
+          servicePort: 80

test/resources/ingress-nginx.yaml

@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: test-ingress
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+  rules:
+  - http:
+      paths:
+      - path: /testpath
+        backend:
+          serviceName: test
+          servicePort: 80

test/scenarios/samples/best_practices/scenario_validate_known_ingress_class.yaml

@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+  policy: samples/best_practices/known_ingress.yaml
+  resource: test/resources/ingress-nginx.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: known-ingress
+      resource:
+        kind: Ingress
+        apiVersion: v1
+        namespace: ''
+        name: test-ingress
+      rules:
+        - name: known-ingress
+          type: Validation
+          message: Validation rule 'known-ingress' succesfully validated
+          success: true

test/scenarios/samples/best_practices/scenario_validate_unknown_ingress_class.yaml

@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+  policy: samples/best_practices/known_ingress.yaml
+  resource: test/resources/ingress-haproxy.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: known-ingress
+      resource:
+        kind: Ingress
+        apiVersion: v1
+        namespace: ''
+        name: test-ingress
+      rules:
+        - name: known-ingress
+          type: Validation
+          message: Validation rule 'known-ingress' failed at '/metadata/annotations/kubernetes.io/ingress.class/' for resource Ingress//test-ingress. Unknown ingress class.
+          success: false