From 2243e9e2e7d0edbbbe2545f46e07308ca00c8d35 Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Fri, 4 Oct 2019 18:15:39 -0700
Subject: [PATCH] best practice: validate container capability
---
 examples/best_practices/README.md | 3 ++-
 ...olicy_validate_container_capabilities.yaml | 20 +++++++++++++++++++
 ...ource_validate_container_capabilities.yaml | 11 ++++++++++
 pkg/testrunner/testrunner_test.go | 4 ++++
 ...nario_validate_container_capabilities.yaml | 19 ++++++++++++++++++
 5 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 examples/best_practices/policy_validate_container_capabilities.yaml
 create mode 100644 examples/best_practices/resources/resource_validate_container_capabilities.yaml
 create mode 100644 test/scenarios/test/scenario_validate_container_capabilities.yaml
diff --git a/examples/best_practices/README.md b/examples/best_practices/README.md
index 288da8c1b2..8565ecdde3 100644
--- a/examples/best_practices/README.md
+++ b/examples/best_practices/README.md
@@ -21,4 +21,5 @@
 | Require namespace quotas and limit ranges | [policy_validate_namespace_quota.yaml](policy_validate_namespace_quota.yaml) |
 | Allow an FSGroup that owns the pod's volumes | [policy_validate_fsgroup.yaml](policy_validate_fsgroup.yaml) |
 | Require SELinux level of the container | [policy_validate_selinux_context.yaml](policy_validate_selinux_context.yaml) |
-| Allow default Proc Mount type | [policy_validate_default_proc_mount.yaml](policy_validate_default_proc_mount.yaml) |
\ No newline at end of file
+| Allow default Proc Mount type | [policy_validate_default_proc_mount.yaml](policy_validate_default_proc_mount.yaml) |
+| Allow certain capability to be added | [policy_validate_container_capabilities.yaml](policy_validate_container_capabilities.yaml) |
\ No newline at end of file
diff --git a/examples/best_practices/policy_validate_container_capabilities.yaml b/examples/best_practices/policy_validate_container_capabilities.yaml
new file mode 100644
index 0000000000..de1a8f0b6d
--- /dev/null
+++ b/examples/best_practices/policy_validate_container_capabilities.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: validate-container-capablities
+spec:
+ validationFailureAction: "audit"
+ rules:
+ - name: validate-container-capablities
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Allow certain capability to be added"
+ pattern:
+ spec:
+ containers:
+ - securityContext:
+ capabilities:
+ add: ["NET_ADMIN"]
diff --git a/examples/best_practices/resources/resource_validate_container_capabilities.yaml b/examples/best_practices/resources/resource_validate_container_capabilities.yaml
new file mode 100644
index 0000000000..881b6126d1
--- /dev/null
+++ b/examples/best_practices/resources/resource_validate_container_capabilities.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: add-capabilities
+spec:
+ containers:
+ - name: add-capabilities
+ image: gcr.io/google-samples/node-hello:1.0
+ securityContext:
+ capabilities:
+ add: ["SYS_TIME"]
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 56d4f6f3ef..62874cc970 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -123,3 +123,7 @@ func Test_validate_selinux_context(t *testing.T) {
 func Test_validate_proc_mount(t *testing.T) {
 testScenario(t, "test/scenarios/test/scenario_validate_default_proc_mount.yaml")
 }
+
+func Test_validate_container_capabilities(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_container_capabilities.yaml")
+}
diff --git a/test/scenarios/test/scenario_validate_container_capabilities.yaml b/test/scenarios/test/scenario_validate_container_capabilities.yaml
new file mode 100644
index 0000000000..7ee9e4e105
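Review bot: The pattern in `policy_validate_container_capabilities.yaml` inspects only `spec.containers`, so an init container that adds a capability through `spec.initContainers[].securityContext.capabilities.add` is never checked, which leaves an obvious bypass for a policy whose purpose is to restrict capability grants. Kyverno patterns also assert the presence of every key they list, so unless this version treats a missing `securityContext.capabilities.add` as a pass (the diff does not show which), a pod that adds no capabilities at all fails this rule as well — in practice "require NET_ADMIN" rather than "allow only NET_ADMIN" — and that is worth confirming with a scenario for a plain pod before this ships as a best practice. The failure text should state the constraint so audit output is actionable, e.g. `message: "Only the NET_ADMIN capability may be added to containers"`. Practitioners should also note that `validationFailureAction: "audit"` records violations without blocking admission; a comment such as `# audit only: switch to "enforce" to reject non-compliant pods` on that line would make the example honest about what it does.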
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_container_capabilities.yaml
@@ -0,0 +1,19 @@
+
+# file path relative to project root
+input:
+ policy: examples/best_practices/policy_validate_container_capabilities.yaml
+ resource: examples/best_practices/resources/resource_validate_container_capabilities.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: validate-container-capablities
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: add-capabilities
+ rules:
+ - name: validate-container-capablities
+ type: Validation
+ message: "Validation rule 'validate-container-capablities' failed at '/spec/containers/0/securityContext/capabilities/add/0/' for resource Pod//add-capabilities. Allow certain capability to be added"
+ success: false
\ No newline at end of file
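Review bot: The scenario pins only the reject path (SYS_TIME in `resource_validate_container_capabilities.yaml` failing at `/spec/containers/0/securityContext/capabilities/add/0/`), so nothing proves that a pod adding `NET_ADMIN`, or one adding no capabilities at all, is accepted; a second scenario expecting `success: true` for each would exercise the pattern-presence behaviour the policy depends on. The expected `policy` and rule `name` values carry the misspelling `validate-container-capablities` from the policy file and `message` embeds it a third time, so a later spelling fix has to touch both files in one commit or this test breaks. Because the message is matched verbatim, the test is also coupled to the engine's exact error wording; a comment such as `# message must match validate.message in the policy and the engine's failure format verbatim` above that line would spare the next maintainer a surprise.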