From 1bd8663e4cba5452ce422340a44a210fdbcd98a0 Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Fri, 4 Oct 2019 17:28:42 -0700
Subject: [PATCH] add selinux best practice

---
 examples/best_practices/README.md | 3 ++-
 .../policy_validate_selinux_context.yaml | 20 ++++++++++++++++++
 .../resource_validate_selinux_context.yaml | 21 +++++++++++++++++++
 pkg/testrunner/testrunner_test.go | 4 ++++
 .../scenario_validate_selinux_context.yaml | 19 +++++++++++++++++
 5 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 examples/best_practices/policy_validate_selinux_context.yaml
 create mode 100644 examples/best_practices/resources/resource_validate_selinux_context.yaml
 create mode 100644 test/scenarios/test/scenario_validate_selinux_context.yaml

diff --git a/examples/best_practices/README.md b/examples/best_practices/README.md
index 60be21d275..5f852c0aa6 100644
--- a/examples/best_practices/README.md
+++ b/examples/best_practices/README.md
@@ -19,4 +19,5 @@
 | Prevent mounting of default service account | [policy_validate_disallow_default_serviceaccount.yaml](policy_validate_disallow_default_serviceaccount.yaml) |
 | Require a default network policy | [policy_validate_default_network_policy.yaml](policy_validate_default_network_policy.yaml) |
 | Require namespace quotas and limit ranges | [policy_validate_namespace_quota.yaml](policy_validate_namespace_quota.yaml) |
-| Allocating an FSGroup that owns the pod's volumes | [policy_validate_fsgroup.yaml](policy_validate_fsgroup.yaml) |
+| Require an FSGroup that owns the pod's volumes | [policy_validate_fsgroup.yaml](policy_validate_fsgroup.yaml) |
+| Require the SELinux level of the container | [policy_validate_selinux_context.yaml](policy_validate_selinux_context.yaml) |
\ No newline at end of file
diff --git a/examples/best_practices/policy_validate_selinux_context.yaml b/examples/best_practices/policy_validate_selinux_context.yaml
new file mode 100644
index 0000000000..39ee1bece6
--- /dev/null
+++ b/examples/best_practices/policy_validate_selinux_context.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: validate-selinux-options
+spec:
+ validationFailureAction: "audit"
+ rules:
+ - name: validate-selinux-options
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "SELinux level should be set to s0:c123,c456"
+ pattern:
+ spec:
+ containers:
+ - securityContext:
+ seLinuxOptions:
+ level: "s0:c123,c456"
diff --git a/examples/best_practices/resources/resource_validate_selinux_context.yaml b/examples/best_practices/resources/resource_validate_selinux_context.yaml
new file mode 100644
index 0000000000..d8ae6c672a
--- /dev/null
+++ b/examples/best_practices/resources/resource_validate_selinux_context.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox-selinux
+ namespace: default
+spec:
+ containers:
+ - image: busybox-selinux
+ name: busybox
+ command:
+ - sleep
+ - "36000"
+ volumeMounts:
+ - name: storage
+ mountPath: /storage
+ securityContext:
+ seLinuxOptions:
+ level: ""
+ volumes:
+ - name: storage
+ emptyDir: {}
\ No newline at end of file
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 745c89beb7..e41db3c445 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -115,3 +115,7 @@ func Test_validate_disallow_default_serviceaccount(t *testing.T) {
 func Test_validate_fsgroup(t *testing.T) {
 testScenario(t, "test/scenarios/test/scenario_validate_fsgroup.yaml")
 }
+
+func Test_validate_selinux_context(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_selinux_context.yaml")
+}
diff --git a/test/scenarios/test/scenario_validate_selinux_context.yaml b/test/scenarios/test/scenario_validate_selinux_context.yaml
new file mode 100644
index 0000000000..aa729edef4
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_selinux_context.yaml
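Review bot: The `pattern:` in the policy hunk walks only `spec.containers`, so a pod whose init containers omit `seLinuxOptions.level` passes the rule unchecked, while a pod that sets the level once at pod scope (`spec.securityContext.seLinuxOptions`) rather than per container is reported as failing even though the kubelet applies the pod-level value to every container. For a best-practice example the init-container gap is the one worth closing; if the Kyverno version in use supports the `=()` conditional anchor, a parallel `=(initContainers)` block applies the same check only when init containers are present, without making the field mandatory. The literal `s0:c123,c456` is also an example MCS level that no cluster will share, so the pattern line deserves a comment such as `# example level; replace with the MCS level your platform assigns before enabling this policy` so the sample is not copied as-is.
```yaml
    spec:
      # … unchanged: containers pattern …
      # init containers carry their own securityContext; apply the same check when present
      =(initContainers):
      - securityContext:
          seLinuxOptions:
            level: "s0:c123,c456"
```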
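Review bot: `image: busybox-selinux` in the resource hunk looks like the pod name pasted into the image field; the fixture is only consumed by the test runner so nothing pulls it, but `image: busybox` presumably matches the other resource fixtures and avoids a confusing example if someone applies the manifest to a real cluster.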
@@ -0,0 +1,19 @@
+
+# file path relative to project root
+input:
+ policy: examples/best_practices/policy_validate_selinux_context.yaml
+ resource: examples/best_practices/resources/resource_validate_selinux_context.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: validate-selinux-options
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: default
+ name: busybox-selinux
+ rules:
+ - name: validate-selinux-options
+ type: Validation
+ message: "Validation rule 'validate-selinux-options' failed at '/spec/containers/0/securityContext/seLinuxOptions/level/' for resource Pod/default/busybox-selinux. SELinux level should be set to s0:c123,c456"
+ success: false
\ No newline at end of file