diff --git a/examples/demo/container_security_context/nginx.yaml b/examples/demo/container_security_context/nginx.yaml
new file mode 100755
index 0000000000..3f395ff407
--- /dev/null
+++ b/examples/demo/container_security_context/nginx.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: psp-demo-unprivileged
+ labels:
+ app.type: prod
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: psp
+ template:
+ metadata:
+ labels:
+ app: psp
+ spec:
+ containers:
+ - name: sec-ctx-unprivileged
+ image: nginxinc/nginx-unprivileged
+ securityContext:
+ runAsNonRoot: true
+
diff --git a/examples/demo/container_security_context/policy.yaml b/examples/demo/container_security_context/policy.yaml
new file mode 100755
index 0000000000..0dac2ddbe0
--- /dev/null
+++ b/examples/demo/container_security_context/policy.yaml
@@ -0,0 +1,25 @@
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+ name: container-security-context
+spec:
+ rules:
+ - name: set-userID
+ resource:
+ kinds:
+ - Deployment
+ selector :
+ matchLabels:
+ app.type: prod
+ validate:
+ message: "validate container security contexts"
+ pattern:
+ spec:
+ template:
+ spec:
+ containers:
+ securityContext:
+ # privileged: false
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ runAsNonRoot: true
\ No newline at end of file
diff --git a/examples/demo/pod_security_context/policy.yaml b/examples/demo/pod_security_context/policy.yaml
new file mode 100755
index 0000000000..5a8408f1d2
--- /dev/null
+++ b/examples/demo/pod_security_context/policy.yaml
@@ -0,0 +1,24 @@
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+ name: pod-security-context
+spec:
+ rules:
+ - name: set-userID
+ resource:
+ kinds:
+ - Deployment
+ selector :
+ matchLabels:
+ app.type: prod
+ validate:
+ message: "secure pod"
+ pattern:
+ spec:
+ template:
+ spec:
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ securityContext:
+ runAsNonRoot: true
\ No newline at end of file
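Review bot: The container image in the nginx.yaml hunk, `image: nginxinc/nginx-unprivileged`, carries no tag or digest, so the demo deploys whatever the registry's default tag resolves to on the day it is run and the security context being demonstrated is exercised against a moving target. Pinning the reference, `image: nginxinc/nginx-unprivileged:<pinned-tag-or-digest>` (placeholder), keeps the example reproducible. The container sets `runAsNonRoot: true` without `runAsUser`, so admission of the pod presumably relies on the image declaring a numeric user — worth a one-line comment in the manifest stating that assumption.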
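Review bot: Both validate rules in the two policy.yaml hunks are named `set-userID`, yet neither sets a user ID — each only checks `runAsNonRoot: true` — so the rule name misdescribes what the policy does; `name: validate-container-security-context` here and `name: validate-pod-security-context` in examples/demo/pod_security_context/policy.yaml would match the `validate` block and each policy's metadata name. The container policy's message reads "validate container security contexts" while `privileged`, `allowPrivilegeEscalation` and `readOnlyRootFilesystem` are left commented out, so the rule enforces runAsNonRoot alone; if that narrowing is intended for the demo, a comment above the pattern should say so. In the pod policy, `hostNetwork: false`, `hostIPC: false` and `hostPID: false` in the pattern presumably require those keys to be present on the resource — if the engine treats an absent key as a mismatch, a Deployment that leaves them at the API default will be rejected, which is worth confirming against the pattern matcher. `apiVersion :` and `selector :` carry a space before the colon; YAML tolerates it, but no other key in these files is written that way.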
diff --git a/pkg/engine/overlay_new.go b/pkg/engine/overlay_new.go
new file mode 100755
index 0000000000..8f807212f1
--- /dev/null
+++ b/pkg/engine/overlay_new.go
@@ -0,0 +1,70 @@
+package engine
+
+import (
+ "reflect"
+)
+
+// func processoverlay(rule kubepolicy.Rule, rawResource []byte, gvk metav1.GroupVersionKind) ([][]byte, error) {
+
+// var resource interface{}
+// var appliedPatches [][]byte
+// err := json.Unmarshal(rawResource, &resource)
+// if err != nil {
+// return nil, err
+// }
+
+// patches, err := mutateResourceWithOverlay(resource, *rule.Mutation.Overlay)
+// if err != nil {
+// return nil, err
+// }
+// appliedPatches = append(appliedPatches, patches...)
+
+// return appliedPatches, err
+// }
+
+func applyoverlay(resource, overlay interface{}, path string) ([][]byte, error) {
+ var appliedPatches [][]byte
+ // resource item exists but has different type - replace
+ // all subtree within this path by overlay
+ if reflect.TypeOf(resource) != reflect.TypeOf(overlay) {
+ patch, err := replaceSubtree(overlay, path)
+ if err != nil {
+ return nil, err
+ }
+
+ appliedPatches = append(appliedPatches, patch)
+ }
+
+ return applyOverlayForSameTypes(resource, overlay, path)
+}
+
+func checkConditions(resource, overlay interface{}, path string) bool {
+
+ switch typedOverlay := overlay.(type) {
+ case map[string]interface{}:
+ typedResource := resource.(map[string]interface{})
+ if !checkConditionOnMap(typedResource, typedOverlay) {
+ return false
+ }
+ case []interface{}:
+ typedResource := resource.([]interface{})
+ if !checkConditionOnArray(typedResource, typedOverlay) {
+ return false
+ }
+ case string, float64, int64, bool:
+
+ default:
+ return false
+ }
+ return true
+}
+
+func checkConditionOnMap(resourceMap, overlayMap map[string]interface{}) bool {
+ // _ := getAnchorsFromMap(overlayMap)
+
+ return false
+}
+
+func checkConditionOnArray(resource, overlay []interface{}) bool {
+ return false
+}
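Review bot: In `applyoverlay`, the patch produced by `replaceSubtree` on a type mismatch is appended to `appliedPatches` and then discarded, because the function falls through to `return applyOverlayForSameTypes(resource, overlay, path)` regardless, handing that helper two values it has just established are of different types. The mismatch branch should return its own result, `return [][]byte{patch}, nil`, after which `appliedPatches` is unused and can be dropped. `checkConditions` asserts `resource.(map[string]interface{})` and `resource.([]interface{})` without the `, ok` form, so a resource whose shape differs from the overlay panics inside the engine instead of yielding false; with `checkConditionOnMap` and `checkConditionOnArray` both stubbed to `return false`, the map and array arms can never report a match, which deserves a `// TODO: condition evaluation not implemented yet` on each stub so readers do not take the current behaviour as final. The file is added with mode 100755, which a Go source file does not need, and `applyoverlay` differs in casing from `applyOverlayForSameTypes` — `applyOverlay` would follow MixedCaps.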