From 3237f3d799fb4fbff1daeb181e055c714741fa3c Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Mon, 9 Sep 2019 18:13:38 -0700
Subject: [PATCH] add policy_validate_not_readonly_rootfilesystem.yaml
---
 examples/best_practices/README.md | 2 +-
 ..._validate_not_readonly_rootfilesystem.yaml | 22 +++++++++++++++++++
 ..._validate_not_readonly_rootfilesystem.yaml | 10 +++++++++
 pkg/testrunner/testrunner_test.go | 4 ++++
 .../scenario_validate_hostpid_hostipc.yaml | 4 ++--
 ..._validate_not_readonly_rootfilesystem.yaml | 18 +++++++++++++++
 6 files changed, 57 insertions(+), 3 deletions(-)
 create mode 100644 examples/best_practices/policy_validate_not_readonly_rootfilesystem.yaml
 create mode 100644 examples/best_practices/resources/resource_validate_not_readonly_rootfilesystem.yaml
 create mode 100644 test/scenarios/test/scenario_validate_not_readonly_rootfilesystem.yaml
diff --git a/examples/best_practices/README.md b/examples/best_practices/README.md
index 70e1eff0db..d82baf6233 100644
--- a/examples/best_practices/README.md
+++ b/examples/best_practices/README.md
@@ -7,7 +7,7 @@
 | Disallow use of host networking and ports | [policy_validate_host_network_port.yaml](policy_validate_host_network_port.yaml) |
 | Disallow use of host filesystem | [policy_validate_host_path.yaml](policy_validate_host_path.yaml) |
 | Disallow hostPID and hostIPC | [policy_validate_hostPID_hosIPC.yaml](policy_validate_hostPID_hosIPC.yaml) |
-| Require read only root filesystem | |
+| Require read only root filesystem | [policy_validate_not_readonly_rootfilesystem.yaml](policy_validate_not_readonly_rootfilesystem.yaml) |
 | Disallow node ports | |
 | Allow trusted registries | [policy_validate_image_registries.yaml](policy_validate_image_registries.yaml) |
 | Require resource requests and limits | [policy_validate_pod_resources.yaml](policy_validate_pod_resources.yaml) |
diff --git a/examples/best_practices/policy_validate_not_readonly_rootfilesystem.yaml b/examples/best_practices/policy_validate_not_readonly_rootfilesystem.yaml
new file mode 100644
index 0000000000..a0085cb014
--- /dev/null
+++ b/examples/best_practices/policy_validate_not_readonly_rootfilesystem.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: validate-not-readonly-rootfilesystem
+spec:
+ rules:
+ - name: validate-not-readonly-rootfilesystem
+ exclude:
+ resources:
+ namespaces:
+ - kube-system
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Container should not have read-only rootfilesystem"
+ anyPattern:
+ - spec:
+ container:
+ - securityContext:
+ readOnlyRootFilesystem: false
\ No newline at end of file
diff --git a/examples/best_practices/resources/resource_validate_not_readonly_rootfilesystem.yaml b/examples/best_practices/resources/resource_validate_not_readonly_rootfilesystem.yaml
new file mode 100644
index 0000000000..de406d8ec9
--- /dev/null
+++ b/examples/best_practices/resources/resource_validate_not_readonly_rootfilesystem.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: ghost-with-readonly-rootfilesystem
+spec:
+ containers:
+ - name: ghost
+ image: ghost
+ securityContext:
+ readOnlyRootFilesystem: true
\ No newline at end of file
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 6ca11ccf79..3786c640c8 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -95,3 +95,7 @@ func Test_validate_host_network_port(t *testing.T) {
 func Test_validate_hostPID_hostIPC(t *testing.T) {
 testScenario(t, "test/scenarios/test/scenario_validate_hostpid_hostipc.yaml")
 }
+
+func Test_validate_not_readonly_rootfilesystem(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_not_readonly_rootfilesystem.yaml")
+}
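Review bot: The rule in this new policy file enforces the inverse of the README entry it is linked from ("Require read only root filesystem"): the only accepted pattern is `readOnlyRootFilesystem: false`, and the message `Container should not have read-only rootfilesystem` reports the hardened setting as the violation, so a Pod that follows the best practice is the one rejected. The pattern also nests the securityContext under `spec.container`, while the Pod resource added in this same commit (and the PodSpec API) uses `spec.containers`; the scenario on the next line expects `anyPattern[0] failed at path /spec/container/`, which suggests the rule currently fails because that path does not exist rather than because the value was evaluated. The intended pattern is probably `containers:` / `- securityContext:` / `readOnlyRootFilesystem: true` with a message such as `Root filesystem must be read-only`, and the test resource plus the scenario's `message` and `success` fields adjusted to match. The same path typo is pinned by the expected message in the new scenario hunk on the next line.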
diff --git a/test/scenarios/test/scenario_validate_hostpid_hostipc.yaml b/test/scenarios/test/scenario_validate_hostpid_hostipc.yaml
index f491871168..81ffd13f24 100644
--- a/test/scenarios/test/scenario_validate_hostpid_hostipc.yaml
+++ b/test/scenarios/test/scenario_validate_hostpid_hostipc.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
- policy: examples/best_practices/policy_validate_hostPID_hosIPC.yaml
- resource: examples/best_practices/resources/resource_validate_hostPID_hostIPC.yaml
+ policy: examples/best_practices/policy_validate_hostpid_hosipc.yaml
+ resource: examples/best_practices/resources/resource_validate_hostpid_hostipc.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_not_readonly_rootfilesystem.yaml b/test/scenarios/test/scenario_validate_not_readonly_rootfilesystem.yaml
new file mode 100644
index 0000000000..d523092818
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_not_readonly_rootfilesystem.yaml
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+ policy: examples/best_practices/policy_validate_not_readonly_rootfilesystem.yaml
+ resource: examples/best_practices/resources/resource_validate_not_readonly_rootfilesystem.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: validate-not-readonly-rootfilesystem
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: "ghost-with-readonly-rootfilesystem"
+ rules:
+ - name: validate-not-readonly-rootfilesystem
+ type: Validation
+ message: Validation rule 'validate-not-readonly-rootfilesystem' failed to validate patterns defined in anyPattern. Container should not have read-only rootfilesystem; anyPattern[0] failed at path /spec/container/
+ success: false
\ No newline at end of file
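Review bot: The two `input:` lines now point at `examples/best_practices/policy_validate_hostpid_hosipc.yaml` and `resource_validate_hostpid_hostipc.yaml`, which differ only in letter case from the files the README hunk in this same commit still links (`policy_validate_hostPID_hosIPC.yaml`), and the diffstat lists no rename for them. Unless those example files were renamed separately, `Test_validate_hostPID_hostIPC` resolves these paths only on a case-insensitive filesystem and fails on Linux. Either rename the example files (and the README link) in this commit or keep the original casing in the two `input:` lines.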