diff --git a/definitions/install.yaml b/definitions/install.yaml
index 7b44e59dc8..f076a730c7 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -184,7 +184,7 @@ spec:
 containers:
 - name: kyverno
 image: nirmata/kyverno:latest
- args: ["--filterKind","Nodes,Events,APIService,SubjectAccessReview"]
+ args: ["--filterKind","Node,Event,APIService,Policy,TokenReview,SubjectAccessReview"]
 ports:
 - containerPort: 443
 securityContext:
diff --git a/examples/demo/1_image_pull_policy/nginx.yaml b/examples/demo/1_image_pull_policy/nginx.yaml
new file mode 100644
index 0000000000..c3bdbed5d6
--- /dev/null
+++ b/examples/demo/1_image_pull_policy/nginx.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx-deployment
+ labels:
+ app: nginx
+ cli: test
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
+ # imagePullPolicy: IfNotPresent
diff --git a/examples/demo/1_image_pull_policy/policy.yaml b/examples/demo/1_image_pull_policy/policy.yaml
new file mode 100644
index 0000000000..6da37a961e
--- /dev/null
+++ b/examples/demo/1_image_pull_policy/policy.yaml
@@ -0,0 +1,26 @@
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+ name: image-pull-policy
+spec:
+ rules:
+ - name: image-pull-policy
+ resource:
+ kinds:
+ - Deployment
+ # - StatefulSet
+ # name: "my-deployment"
+ # selector :
+ # matchLabels:
+ # app.type: prod
+ # namespace: "my-namespace"
+ mutate:
+ overlay:
+ spec:
+ template:
+ spec:
+ containers:
+ # select images which end with :latest
+ - (image): "*latest"
+ # require that the imagePullPolicy is "IfNotPresent"
+ imagePullPolicy: IfNotPresent
diff --git a/examples/demo/2_allowed_registry/nginx.yaml b/examples/demo/2_allowed_registry/nginx.yaml
new file mode 100644
index 0000000000..a0329d80f4
--- /dev/null
+++ b/examples/demo/2_allowed_registry/nginx.yaml
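Review bot: The new `--filterKind` value is a bare comma-separated list and nothing in the manifest says what the filter does or why each kind is on it, so an operator editing the Deployment cannot judge the list. A YAML comment above `args` along the lines of `# resource kinds the admission controller skips; Policy presumably listed so kyverno does not process its own policy objects` would carry that intent (the reason for each entry is inferred here, so confirm it before writing it down). The previous list used plural names (`Nodes`, `Events`) and the new one singular, which suggests the old entries never matched anything; if that is the case it belongs in the commit message. Whether the flag is an allowlist or a denylist is also not visible from the manifest, so the comment should state that too.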
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx-deployment
+ labels:
+ app: nginx
+ cli: test
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx
+ # image: nginx
+ image: nirmata/nginx
diff --git a/examples/demo/2_allowed_registry/policy.yaml b/examples/demo/2_allowed_registry/policy.yaml
new file mode 100644
index 0000000000..4964e434d9
--- /dev/null
+++ b/examples/demo/2_allowed_registry/policy.yaml
@@ -0,0 +1,22 @@
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+ name: check-registries
+spec:
+ rules:
+ - name: check-registries
+ resource:
+ kinds:
+ - Deployment
+ - StatefulSet
+ namespace: default
+ validate:
+ message: "Registry is not allowed"
+ pattern:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: "*"
+ # Check allowed registries
+ image: "*nirmata* | https://private.registry.io/*"
diff --git a/examples/demo/generate/namespace.yaml b/examples/demo/3_network_policy/namespace.yaml
similarity index 100%
rename from examples/demo/generate/namespace.yaml
rename to examples/demo/3_network_policy/namespace.yaml
diff --git a/examples/demo/generate/policy.yaml b/examples/demo/3_network_policy/policy.yaml
similarity index 70%
rename from examples/demo/generate/policy.yaml
rename to examples/demo/3_network_policy/policy.yaml
index ed2465c7fd..c68090abf6 100644
--- a/examples/demo/generate/policy.yaml
+++ b/examples/demo/3_network_policy/policy.yaml
@@ -8,7 +8,7 @@ spec:
 resource:
 kinds:
 - Namespace
- name: "*"
+ name: "devtest"
 generate:
 kind: NetworkPolicy
 name: deny-ingress-traffic
@@ -22,4 +22,9 @@ spec:
 metadata:
 annotations: {}
 labels:
- policyname: "default"
\ No newline at end of file
+ policyname: "default"
+ # kind: ConfigMap
+ # name: default-config
+ # clone:
+ # namespace: default
+ # name: config-template
\ No newline at end of file
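Review bot: The image pattern `*nirmata* | https://private.registry.io/*` in the `check-registries` rule is not anchored to the registry part of the reference, so `*nirmata*` accepts any image whose name contains `nirmata` anywhere, including a repository on an unrelated registry, which defeats an allowed-registry check. Anchoring each alternative to the start of the reference, for example `image: "nirmata/* | docker.io/nirmata/* | private.registry.io/*"`, limits the match to the intended registries. Image references carry no URL scheme, so as far as I can tell the `https://` prefix in the second alternative can never match a real `image` field. The `# Check allowed registries` comment could also note that the patterns must cover every form in which the registry appears (with and without the default `docker.io/` host).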
diff --git a/examples/demo/4_non_root/nginx.yaml b/examples/demo/4_non_root/nginx.yaml
new file mode 100644
index 0000000000..41c00d3066
--- /dev/null
+++ b/examples/demo/4_non_root/nginx.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: psp-demo-unprivileged
+ labels:
+ app.type: prod
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: psp
+ template:
+ metadata:
+ labels:
+ app: psp
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ containers:
+ - name: sec-ctx-unprivileged
+ image: nginxinc/nginx-unprivileged
diff --git a/examples/demo/4_non_root/policy.yaml b/examples/demo/4_non_root/policy.yaml
new file mode 100644
index 0000000000..3ea11b319e
--- /dev/null
+++ b/examples/demo/4_non_root/policy.yaml
@@ -0,0 +1,21 @@
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+ name: policy-security-context
+spec:
+ rules:
+ - name: validate-runAsNonRoot
+ resource:
+ kinds:
+ - Deployment
+ selector :
+ matchLabels:
+ app.type: prod
+ validate:
+ message: "security context 'runAsNonRoot' shoud be set to true"
+ pattern:
+ spec:
+ template:
+ spec:
+ securityContext:
+ runAsNonRoot: true
\ No newline at end of file
diff --git a/examples/demo/5_health_check/pod.yaml b/examples/demo/5_health_check/pod.yaml
new file mode 100644
index 0000000000..f5f0004d3a
--- /dev/null
+++ b/examples/demo/5_health_check/pod.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ test: probe
+ name: probe
+spec:
+ containers:
+ - name: readiness
+ image: k8s.gcr.io/busybox
+ args:
+ - /bin/sh
+ - -c
+ - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600
+ readinessProbe:
+ # successThreshold: 3
+ exec:
+ command:
+ - cat
+ - /tmp/healthy
+ - name: liveness
+ image: k8s.gcr.io/liveness
+ args:
+ - /server
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ httpHeaders:
+ - name: Custom-Header
+ value: Awesome
+ periodSeconds: 3
\ No newline at end of file
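Review bot: The validation message in the `validate-runAsNonRoot` rule has a typo, `shoud`; it is the user-facing string returned on every denial, so `message: "security context 'runAsNonRoot' should be set to true"` is worth fixing before the demo ships. The pattern checks only the pod-level `spec.template.spec.securityContext.runAsNonRoot`, and in Kubernetes a container-level `securityContext.runAsNonRoot: false` takes precedence over the pod-level value, so a Deployment can satisfy this rule and still run a container as root. If the demo intends to enforce non-root, adding a `containers:` entry to the pattern (as the `7_container_security_context` example does) closes that gap; otherwise a comment stating that the rule is pod-level only would help.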
diff --git a/examples/demo/5_health_check/policy.yaml b/examples/demo/5_health_check/policy.yaml
new file mode 100644
index 0000000000..0550b16fe6
--- /dev/null
+++ b/examples/demo/5_health_check/policy.yaml
@@ -0,0 +1,33 @@
+apiVersion : kyverno.io/v1alpha1
+kind : Policy
+metadata :
+ name: check-probe-exists
+spec:
+ rules:
+ - name: check-readinessProbe-exists
+ resource:
+ kinds :
+ - Pod
+ validate:
+ message: "readinessProbe is required"
+ pattern:
+ spec:
+ containers:
+ - (name): "readiness"
+ readinessProbe:
+ successThreshold: ">1"
+ - name: check-livenessProbe-exists
+ resource:
+ kinds :
+ - Pod
+ validate:
+ message: "livenessProbe is required"
+ pattern:
+ spec:
+ containers:
+ - (name): "liveness"
+ livenessProbe:
+ httpGet:
+ path: "?*"
+ port: "*"
+ scheme: "?*"
diff --git a/examples/demo/qos/policy_qos.yaml b/examples/demo/6_qos/policy_qos.yaml
similarity index 100%
rename from examples/demo/qos/policy_qos.yaml
rename to examples/demo/6_qos/policy_qos.yaml
diff --git a/examples/demo/qos/qos.yaml b/examples/demo/6_qos/qos.yaml
similarity index 92%
rename from examples/demo/qos/qos.yaml
rename to examples/demo/6_qos/qos.yaml
index c81b65b0e5..d998bdfbc3 100644
--- a/examples/demo/qos/qos.yaml
+++ b/examples/demo/6_qos/qos.yaml
@@ -17,4 +17,4 @@ spec:
 image: nginx:latest
 resources:
 limits:
- cpu: "50m"
\ No newline at end of file
+ cpu: "50m"
diff --git a/examples/demo/7_container_security_context/nginx.yaml b/examples/demo/7_container_security_context/nginx.yaml
new file mode 100755
index 0000000000..811f167bac
--- /dev/null
+++ b/examples/demo/7_container_security_context/nginx.yaml
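Review bot: The `check-readinessProbe-exists` rule is named and messaged as an existence check, but its pattern also requires `successThreshold: ">1"`, so a pod that does have a readiness probe at the default threshold of 1 is rejected with `readinessProbe is required`, which misdescribes the failure. Either drop the `successThreshold` line so the rule matches its message, or change the message to say what is enforced, e.g. `message: "readinessProbe with successThreshold > 1 is required"`. The companion `pod.yaml` leaves `successThreshold` commented out, so the demo as written exercises the threshold check rather than the existence check; a comment in the policy saying which of the two is intended would settle it.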
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: psp-demo-unprivileged
+ labels:
+ app.type: prod
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: psp
+ template:
+ metadata:
+ labels:
+ app: psp
+ spec:
+ containers:
+ - name: sec-ctx-unprivileged
+ image: nginxinc/nginx-unprivileged
+ securityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: true
diff --git a/examples/demo/7_container_security_context/policy.yaml b/examples/demo/7_container_security_context/policy.yaml
new file mode 100755
index 0000000000..fc434ec0dc
--- /dev/null
+++ b/examples/demo/7_container_security_context/policy.yaml
@@ -0,0 +1,26 @@
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+ name: container-security-context
+spec:
+ rules:
+ - name: validate-user-privilege
+ resource:
+ kinds:
+ - Deployment
+ selector :
+ matchLabels:
+ app.type: prod
+ validate:
+ message: "validate container security contexts"
+ pattern:
+ spec:
+ template:
+ spec:
+ containers:
+ - securityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ # fields can be customized
+ # privileged: false
+ # readOnlyRootFilesystem: true
\ No newline at end of file
diff --git a/examples/demo/mutate_patch/ep.yaml b/examples/demo/mutate_patch/ep.yaml
deleted file mode 100644
index f932126c22..0000000000
--- a/examples/demo/mutate_patch/ep.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Endpoints
-metadata:
- name: demo-endpoint
- labels:
- label : test
-subsets:
-- addresses:
- - ip: 192.168.10.171
- ports:
- - name: secure-connection
- port: 443
- protocol: TCP
diff --git a/examples/demo/mutate_patch/policy_patch.yaml b/examples/demo/mutate_patch/policy_patch.yaml
deleted file mode 100644
index 6ef8e9f0c7..0000000000
--- a/examples/demo/mutate_patch/policy_patch.yaml
+++ /dev/null
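Review bot: `nginx.yaml` in `7_container_security_context` sets `allowPrivilegeEscalation: true` while the policy in the same directory requires `false`, so the sample Deployment is rejected by its own policy. If that is intentional (a demonstration of a denial), a comment above the field such as `# deliberately violates container-security-context: the policy requires allowPrivilegeEscalation: false` would stop a reader from treating it as a working deployment; if not, the value should be `false`. The policy's `message: "validate container security contexts"` does not say which field failed, so a message naming the two enforced fields would make denials actionable. As far as I can tell the `- securityContext:` pattern entry carries no anchor and therefore applies to every container, which is the right default for this check and is worth stating in a comment.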
@@ -1,24 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind : Policy
-metadata :
- name : policy-endpoints
-spec :
- rules:
- - name: demo-ep
- resource:
- kinds :
- - Endpoints
- selector:
- matchLabels:
- label : test
- name: demo-endpoint
- mutate:
- patches:
- # add a new label
- - path: /metadata/labels/app.type
- op: add
- value: dev
- # replace port
- - path : /subsets/0/ports/0/port
- op : replace
- value: 9663
\ No newline at end of file
diff --git a/pkg/engine/overlay_new.go b/pkg/engine/overlay_new.go
new file mode 100755
index 0000000000..8f807212f1
--- /dev/null
+++ b/pkg/engine/overlay_new.go
@@ -0,0 +1,70 @@
+package engine
+
+import (
+ "reflect"
+)
+
+// func processoverlay(rule kubepolicy.Rule, rawResource []byte, gvk metav1.GroupVersionKind) ([][]byte, error) {
+
+// var resource interface{}
+// var appliedPatches [][]byte
+// err := json.Unmarshal(rawResource, &resource)
+// if err != nil {
+// return nil, err
+// }
+
+// patches, err := mutateResourceWithOverlay(resource, *rule.Mutation.Overlay)
+// if err != nil {
+// return nil, err
+// }
+// appliedPatches = append(appliedPatches, patches...)
+
+// return appliedPatches, err
+// }
+
+func applyoverlay(resource, overlay interface{}, path string) ([][]byte, error) {
+ var appliedPatches [][]byte
+ // resource item exists but has different type - replace
+ // all subtree within this path by overlay
+ if reflect.TypeOf(resource) != reflect.TypeOf(overlay) {
+ patch, err := replaceSubtree(overlay, path)
+ if err != nil {
+ return nil, err
+ }
+
+ appliedPatches = append(appliedPatches, patch)
+ }
+
+ return applyOverlayForSameTypes(resource, overlay, path)
+}
+
+func checkConditions(resource, overlay interface{}, path string) bool {
+
+ switch typedOverlay := overlay.(type) {
+ case map[string]interface{}:
+ typedResource := resource.(map[string]interface{})
+ if !checkConditionOnMap(typedResource, typedOverlay) {
+ return false
+ }
+ case []interface{}:
+ typedResource := resource.([]interface{})
+ if !checkConditionOnArray(typedResource, typedOverlay) {
+ return false
+ }
+ case string, float64, int64, bool:
+
+ default:
+ return false
+ }
+ return true
+}
+
+func checkConditionOnMap(resourceMap, overlayMap map[string]interface{}) bool {
+ // _ := getAnchorsFromMap(overlayMap)
+
+ return false
+}
+
+func checkConditionOnArray(resource, overlay []interface{}) bool {
+ return false
+}
diff --git a/examples/demo/security_context/nginx.yaml b/test/SecurityContext/nginx.yaml
similarity index 100%
rename from examples/demo/security_context/nginx.yaml
rename to test/SecurityContext/nginx.yaml
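Review bot: `applyoverlay` builds a replacement patch when the resource and overlay types differ but then drops it: `appliedPatches` is never returned, and the function falls through to `applyOverlayForSameTypes` on two values it has just established are of different types. The mismatch branch should return what it built, `return appliedPatches, nil` inside the `if`, instead of falling through. In `checkConditions` the assertions `resource.(map[string]interface{})` and `resource.([]interface{})` are unchecked; the switch inspects only the overlay's type, so a resource whose shape differs from the policy overlay panics rather than failing the condition, and since this runs on admission-time resource data the comma-ok form below is the safer shape. `checkConditionOnMap` and `checkConditionOnArray` return `false` unconditionally, so every map or array overlay currently fails the condition check; a `// TODO: stub, always fails` comment on each would make that explicit until they are implemented.
```go
func checkConditions(resource, overlay interface{}, path string) bool {
	switch typedOverlay := overlay.(type) {
	case map[string]interface{}:
		typedResource, ok := resource.(map[string]interface{})
		if !ok || !checkConditionOnMap(typedResource, typedOverlay) {
			return false
		}
	case []interface{}:
		typedResource, ok := resource.([]interface{})
		if !ok || !checkConditionOnArray(typedResource, typedOverlay) {
			return false
		}
	// … unchanged: scalar case, default case, return true …
```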
diff --git a/examples/demo/security_context/policy.yaml b/test/SecurityContext/policy.yaml
similarity index 100%
rename from examples/demo/security_context/policy.yaml
rename to test/SecurityContext/policy.yaml