From 3eeba1a32bd203f163809ef7d5b0c59b8912f699 Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Mon, 9 Sep 2019 17:34:25 -0700
Subject: [PATCH] add policy_validate_hostPID_hosIPC.yaml
---
 examples/best_practices/README.md | 2 +-
 .../policy_validate_hostPID_hosIPC.yaml | 21 +++++++++++++++++++
 .../resource_validate_hostPID_hostIPC.yaml | 10 +++++++++
 pkg/testrunner/testrunner_test.go | 4 ++++
 .../scenario_validate_hostpid_hostipc.yaml | 18 ++++++++++++++++
 5 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 examples/best_practices/policy_validate_hostPID_hosIPC.yaml
 create mode 100644 examples/best_practices/resources/resource_validate_hostPID_hostIPC.yaml
 create mode 100644 test/scenarios/test/scenario_validate_hostpid_hostipc.yaml
diff --git a/examples/best_practices/README.md b/examples/best_practices/README.md
index 47b6818447..70e1eff0db 100644
--- a/examples/best_practices/README.md
+++ b/examples/best_practices/README.md
@@ -6,7 +6,7 @@
 | Disallow privileged and privilege escalation | [policy_validate_container_disallow_priviledgedprivelegesecalation.yaml](policy_validate_container_disallow_priviledgedprivelegesecalation.yaml) |
 | Disallow use of host networking and ports | [policy_validate_host_network_port.yaml](policy_validate_host_network_port.yaml) |
 | Disallow use of host filesystem | [policy_validate_host_path.yaml](policy_validate_host_path.yaml) |
-| Disallow hostPOD and hostIPC | |
+| Disallow hostPID and hostIPC | [policy_validate_hostPID_hosIPC.yaml](policy_validate_hostPID_hosIPC.yaml) |
 | Require read only root filesystem | |
 | Disallow node ports | |
 | Allow trusted registries | [policy_validate_image_registries.yaml](policy_validate_image_registries.yaml) |
diff --git a/examples/best_practices/policy_validate_hostPID_hosIPC.yaml b/examples/best_practices/policy_validate_hostPID_hosIPC.yaml
new file mode 100644
index 0000000000..56d572ab54
--- /dev/null
+++ b/examples/best_practices/policy_validate_hostPID_hosIPC.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: validate-hostpid-hostipc
+spec:
+  rules:
+  - name: validate-hostpid-hostipc
+    exclude:
+      resources:
+        namespaces:
+        - kube-system
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Disallow use of host's pid namespace and host's ipc namespace"
+      anyPattern:
+      - spec:
+          hostPID: false
+          hostIPC: false
\ No newline at end of file
diff --git a/examples/best_practices/resources/resource_validate_hostPID_hostIPC.yaml b/examples/best_practices/resources/resource_validate_hostPID_hostIPC.yaml
new file mode 100644
index 0000000000..42c59576f9
--- /dev/null
+++ b/examples/best_practices/resources/resource_validate_hostPID_hostIPC.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-with-hostpid
+spec:
+  hostPID: true
+  hostIPC: false
+  containers:
+  - name: nginx
+    image: nginx
\ No newline at end of file
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 17a42f94b3..6ca11ccf79 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -91,3 +91,7 @@ func Test_validate_host_path(t *testing.T) {
 func Test_validate_host_network_port(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_validate_host_network_port.yaml")
 }
+
+func Test_validate_hostPID_hostIPC(t *testing.T) {
+	testScenario(t, "test/scenarios/test/scenario_validate_hostpid_hostipc.yaml")
+}
diff --git a/test/scenarios/test/scenario_validate_hostpid_hostipc.yaml b/test/scenarios/test/scenario_validate_hostpid_hostipc.yaml
new file mode 100644
index 0000000000..f491871168
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_hostpid_hostipc.yaml
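Review bot: The only entry under `anyPattern` requires `spec.hostPID` and `spec.hostIPC` to be present and equal to `false`, so a Pod that simply omits both fields (the Kubernetes default, which is already non-host) does not satisfy the pattern and, if the engine treats a missing pattern key as a mismatch, is rejected too; that would make this example block nearly every ordinary Pod instead of only the offending ones, so please confirm the absent-key behaviour against the engine. If this engine version supports the `=(key)` equality anchor, `=(hostPID): false` and `=(hostIPC): false` express "absent or false", which is the intended control; otherwise the scenario needs a second fixture proving that a Pod with neither field set is admitted. With a single pattern, `pattern:` reads more clearly than `anyPattern:`. The new file name drops the `t` of hostIPC (`hosIPC`) while the resource fixture spells it `hostIPC`; worth aligning the two now that the README links to it.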
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+  policy: examples/best_practices/policy_validate_hostPID_hosIPC.yaml
+  resource: examples/best_practices/resources/resource_validate_hostPID_hostIPC.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: validate-hostpid-hostipc
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: "nginx-with-hostpid"
+      rules:
+      - name: validate-hostpid-hostipc
+        type: Validation
+        message: Validation rule 'validate-hostpid-hostipc' failed to validate patterns defined in anyPattern. Disallow use of host's pid namespace and host's ipc namespace; anyPattern[0] failed at path /spec/hostIPC/
+        success: false
\ No newline at end of file
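Review bot: The expected message pins the failure at `/spec/hostIPC/`, yet the fixture sets `hostIPC: false`, which is exactly what the pattern asks for, while the field that actually violates the pattern is `hostPID: true`; either the engine reports the wrong path, which should be checked before a test enshrines it, or the path depends on the order in which pattern keys are visited, in which case this assertion can become flaky since Go map iteration is not ordered. Once confirmed, the expectation should read `... anyPattern[0] failed at path /spec/hostPID/`. The scenario also covers only the reject case; a companion scenario with a Pod that sets neither field, or both to `false`, and expects `success: true` would show the policy still admits compliant workloads, which is the half of the behaviour operators are most likely to be surprised by.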