add policy_validate_disallow_node_port.yaml

examples/best_practices/README.md

@@ -8,7 +8,7 @@
 | Disallow use of host filesystem                |  [policy_validate_host_path.yaml](policy_validate_host_path.yaml)                                                                                            |
 | Disallow hostPID and hostIPC                   |  [policy_validate_hostpid_hosipc.yaml](policy_validate_hostpid_hosipc.yaml)                                                                     |
 | Require read only root filesystem              | [policy_validate_not_readonly_rootfilesystem.yaml](policy_validate_not_readonly_rootfilesystem.yaml)                                                                      |
-| Disallow node ports                            |                                                                                                                  |
+| Disallow node ports                            | [policy_validate_disallow_node_port.yaml](policy_validate_disallow_node_port.yaml)                                                                                                                 |
 | Allow trusted registries                       | [policy_validate_image_registries.yaml](policy_validate_image_registries.yaml)                                                                               |
 | Require resource requests and limits           | [policy_validate_pod_resources.yaml](policy_validate_pod_resources.yaml)                                                                                     |
 | Require pod liveness and readiness probes      | [policy_validate_pod_probes.yaml](policy_validate_pod_probes.yaml)                                                                                           |

examples/best_practices/policy_validate_disallow_node_port.yaml

@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: disallow-node-port
+spec:
+  rules:
+  - name: disallow-node-port
+    exclude:
+      resources:
+        namespaces: 
+        - kube-system
+    match:
+      resources:
+        kinds:
+        - Service
+    validate:
+      message: "Disallow service of type NodePort"
+      pattern: 
+        spec:
+          type: "!NodePort"
+

examples/best_practices/resources/resource_validate_disallow_node_port.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: my-service
+spec:
+  ports:
+  - name: http
+    nodePort: 31080
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  type: NodePort

pkg/testrunner/testrunner_test.go

@@ -103,3 +103,7 @@ func Test_validate_not_readonly_rootfilesystem(t *testing.T) {
 // func Test_validate_namespace_quota(t *testing.T) {
 // 	testScenario(t, "test/scenarios/test/scenario_validate_namespace_quota.yaml")
 // }
+
+func Test_validate_disallow_node_port(t *testing.T) {
+	testScenario(t, "test/scenarios/test/scenario_validate_disallow_node_port.yaml")
+}

test/scenarios/test/scenario_validate_disallow_node_port.yaml

@@ -0,0 +1,19 @@
+
+# file path relative to project root
+input:
+  policy: examples/best_practices/policy_validate_disallow_node_port.yaml
+  resource: examples/best_practices/resources/resource_validate_disallow_node_port.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: disallow-node-port
+      resource:
+        kind: Service
+        apiVersion: v1
+        namespace: ''
+        name: "my-service"
+      rules:
+        - name: disallow-node-port
+          type: Validation
+          message: Validation rule 'disallow-node-port' failed at '/spec/type/' for resource Service//my-service. Disallow service of type NodePort
+          success: false