From 38bf4d6055a80b032396a8a744b0c9a49aae06ae Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Thu, 10 Oct 2019 18:42:54 -0700
Subject: [PATCH] add 'deny-use-of-host-fs'
---
 pkg/testrunner/testrunner_test.go | 8 ++++++++
 samples/README.md | 7 +++++++
 .../disallow_host_filesystem.yaml | 17 +++++++++++++++++
 test/manifest/disallow_host_filesystem.yaml | 18 ++++++++++++++++++
 .../disallow_host_filesystem_pass.yaml | 17 +++++++++++++++++
 ...ario_validate_disallow_host_filesystem.yaml | 18 ++++++++++++++++++
 ...validate_disallow_host_filesystem_pass.yaml | 18 ++++++++++++++++++
 7 files changed, 103 insertions(+)
 create mode 100644 samples/best_practices/disallow_host_filesystem.yaml
 create mode 100644 test/manifest/disallow_host_filesystem.yaml
 create mode 100644 test/manifest/disallow_host_filesystem_pass.yaml
 create mode 100644 test/scenarios/test/scenario_validate_disallow_host_filesystem.yaml
 create mode 100644 test/scenarios/test/scenario_validate_disallow_host_filesystem_pass.yaml
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 6ebddac2e6..ebdaf165c4 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -139,3 +139,11 @@ func Test_require_pod_requests_limits(t *testing.T) {
 func Test_require_probes(t *testing.T) {
 testScenario(t, "test/scenarios/test/scenario_validate_probes.yaml")
 }
+
+func Test_validate_disallow_host_filesystem_fail(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_disallow_host_filesystem.yaml")
+}
+
+func Test_validate_disallow_host_filesystem_pass(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_disallow_host_filesystem_pass.yaml")
+}
diff --git a/samples/README.md b/samples/README.md
index 7b34b05c5a..61b7918b48 100644
--- a/samples/README.md
+++ b/samples/README.md
@@ -33,6 +33,13 @@ Namespaces are a way to divide cluster resources between multiple users. When mu
 ***Policy YAML***: [disallow_default_namespace.yaml](best_practices/disallow_default_namespace.yaml)
+## Disallow use of host filesystem
+
+Using the volume of type hostpath can easily lose data when a node crashes. Disable use of hostpath prevent data loss.
+
+***Policy YAML***: [disallow_host_filesystem.yaml](best_practices/disallow_host_filesystem.yaml)
+
+
 ## Disallow `hostNetwork` and `hostPort`
 Using `hostPort` and `hostNetwork` limits the number of nodes the pod can be scheduled on, as the pod is bound to the host thats its mapped to.
diff --git a/samples/best_practices/disallow_host_filesystem.yaml b/samples/best_practices/disallow_host_filesystem.yaml
new file mode 100644
index 0000000000..d0e1a2fe34
--- /dev/null
+++ b/samples/best_practices/disallow_host_filesystem.yaml
@@ -0,0 +1,17 @@
+apiVersion: "kyverno.io/v1alpha1"
+kind: "ClusterPolicy"
+metadata:
+ name: "deny-use-of-host-fs"
+spec:
+ rules:
+ - name: "deny-use-of-host-fs"
+ match:
+ resources:
+ kinds:
+ - "Pod"
+ validate:
+ message: "Host path is not allowed"
+ pattern:
+ spec:
+ volumes:
+ - X(hostPath): null
\ No newline at end of file
diff --git a/test/manifest/disallow_host_filesystem.yaml b/test/manifest/disallow_host_filesystem.yaml
new file mode 100644
index 0000000000..17fea26480
--- /dev/null
+++ b/test/manifest/disallow_host_filesystem.yaml
@@ -0,0 +1,18 @@
+apiVersion: "v1"
+kind: "Pod"
+metadata:
+ name: "image-with-hostpath"
+ labels:
+ app.type: "prod"
+ namespace: "my-namespace"
+spec:
+ containers:
+ - name: "image-with-hostpath"
+ image: "docker.io/nautiker/curl"
+ volumeMounts:
+ - name: "var-lib-etcd"
+ mountPath: "/var/lib"
+ volumes:
+ - name: "var-lib-etcd"
+ hostPath:
+ path: "/var/lib"
\ No newline at end of file
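Review bot: The rule carries no `exclude`, so once this ClusterPolicy is applied it also rejects node-level workloads in kube-system (CNI plugins, CSI drivers, log and metrics agents) that need hostPath to run, and the sample gives operators no hint about that. If this engine version supports it, scoping the rule with `exclude: resources: namespaces: [kube-system]` next to `match`, or at least a comment stating that the policy must be scoped before enforcement, would make the sample safe to apply as written. The validation message could also state the reason: `message: "hostPath volumes are not allowed: they expose the node filesystem to the pod"` — the README text only talks about data loss, whereas a mount of `/var/lib` like the one in the fail fixture reaches kubelet and container-runtime state on a typical node, which is the real risk. Changing the message means updating the expected text in both scenario files.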
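Review bot: The fixture sets `namespace: "my-namespace"` yet the matching scenario expects `namespace: ''` and reports the resource as `Pod//image-with-hostpath`, which suggests that key is not being read as the pod's namespace. Indentation is lost in this view, but its position right after `app.type` suggests it sits under `labels`, where it is just a label; placing it directly under `metadata` would make the fixture honest, with the scenario's `namespace` and `message` fields updated to whatever the runner then reports. If the empty namespace is intentional, a comment such as `# namespace deliberately unset: the runner reports '' for cluster-scoped input` would save the next reader the same puzzle.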
diff --git a/test/manifest/disallow_host_filesystem_pass.yaml b/test/manifest/disallow_host_filesystem_pass.yaml
new file mode 100644
index 0000000000..8cf7113715
--- /dev/null
+++ b/test/manifest/disallow_host_filesystem_pass.yaml
@@ -0,0 +1,17 @@
+apiVersion: "v1"
+kind: "Pod"
+metadata:
+ name: "image-with-hostpath"
+ labels:
+ app.type: "prod"
+ namespace: "my-namespace"
+spec:
+ containers:
+ - name: "image-with-hostpath"
+ image: "docker.io/nautiker/curl"
+ volumeMounts:
+ - name: "var-lib-etcd"
+ mountPath: "/var/lib"
+ volumes:
+ - name: "var-lib-etcd"
+ emptyDir: {}
\ No newline at end of file
diff --git a/test/scenarios/test/scenario_validate_disallow_host_filesystem.yaml b/test/scenarios/test/scenario_validate_disallow_host_filesystem.yaml
new file mode 100644
index 0000000000..b42416e689
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_disallow_host_filesystem.yaml
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+ policy: samples/best_practices/disallow_host_filesystem.yaml
+ resource: test/manifest/disallow_host_filesystem.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: deny-use-of-host-fs
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: image-with-hostpath
+ rules:
+ - name: deny-use-of-host-fs
+ type: Validation
+ message: Validation rule 'deny-use-of-host-fs' failed at '/spec/volumes/0/hostPath/' for resource Pod//image-with-hostpath. Host path is not allowed
+ success: false
\ No newline at end of file
diff --git a/test/scenarios/test/scenario_validate_disallow_host_filesystem_pass.yaml b/test/scenarios/test/scenario_validate_disallow_host_filesystem_pass.yaml
new file mode 100644
index 0000000000..eb567a3f08
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_disallow_host_filesystem_pass.yaml
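Review bot: The passing fixture keeps the pod and container name `image-with-hostpath` even though it uses `emptyDir: {}` and has no hostPath, so a failure in the pass scenario reads as if a hostPath pod had been admitted. A name such as `image-without-hostpath`, mirrored in the pass scenario's `name` field and in the volume name (`var-lib-etcd` no longer describes an emptyDir), would keep the two cases distinguishable in test output. It also repeats `namespace: "my-namespace"` after `app.type` while the scenario expects `namespace: ''`; indentation is lost here so I can't confirm, but if that key is under `labels` it is a label rather than the pod namespace and belongs directly under `metadata`.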
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+ policy: samples/best_practices/disallow_host_filesystem.yaml
+ resource: test/manifest/disallow_host_filesystem_pass.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: deny-use-of-host-fs
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: image-with-hostpath
+ rules:
+ - name: deny-use-of-host-fs
+ type: Validation
+ message: Validation rule 'deny-use-of-host-fs' succesfully validated
+ success: true
\ No newline at end of file
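Review bot: The expected `message` pins the engine's misspelling `succesfully` (`Validation rule 'deny-use-of-host-fs' succesfully validated`), so this scenario is only correct for as long as that typo stays in the engine. A comment above the line such as `# must match the engine's output verbatim, including its current spelling` would stop a later contributor from "fixing" the test on its own and breaking it. If the engine string is ever corrected, every sibling pass scenario will need the same update, which is worth noting in the commit.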