mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-28 02:18:15 +00:00
Code Activity

fix PSA chainsaw tests (#9389)

Browse source 
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Mariam Fahmy 2024-01-19 01:23:52 +02:00 committed by GitHub
parent eba5c63c8e
commit 560aab2e69
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
12 changed files with 52 additions and 69 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/bad-pod.yaml
View file

@ -24,13 +24,3 @@ spec:
capabilities:
add:
- baz
ephemeralContainers:
- name: nginx3
image: nginx
args:
- sleep
- 1d
securityContext:
capabilities:
add:
- foo

5
test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/bad-pod.yaml
View file

@ -3,12 +3,13 @@ kind: Pod
metadata:
name: bad-pod
spec:
hostNetwork: true
securityContext:
windowsOptions:
hostProcess: true
containers:
- name: nginx1
image: nginx
- name: busybox
image: busybox
args:
- sleep
- 1d

22
test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/bad-pod.yaml Normal file
View file

@ -0,0 +1,22 @@
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
spec:
containers:
- name: busybox
image: busybox
args:
- sleep
- 1d
securityContext:
privileged: true
initContainers:
- name: nginx
image: nginx
args:
- sleep
- 1d
securityContext:
windowsOptions:
hostProcess: false

5
test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/chainsaw-test.yaml
View file

@ -13,6 +13,11 @@ spec:
file: policy-assert.yaml
- name: step-02
try:
- apply:
expect:
- check:
($error != null): true
file: bad-pod.yaml
- apply:
file: excluded-pod.yaml
- apply:

11
test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/bad-pod.yaml
View file

@ -5,23 +5,23 @@ metadata:
spec:
securityContext:
seccompProfile:
type: foo
type: Unconfined
containers:
- name: nginx1
image: nginx
- name: busybox
image: busybox
args:
- sleep
- 1d
securityContext:
seccompProfile:
type: baz
type: Unconfined
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- name: nginx2
- name: nginx
image: nginx
args:
- sleep
@ -29,6 +29,7 @@ spec:
securityContext:
seccompProfile:
type: Localhost
localhostProfile: profiles/audit.json
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:

19
test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/excluded-pod.yaml
View file

@ -3,25 +3,8 @@ kind: Pod
metadata:
name: excluded-pod
spec:
securityContext:
seccompProfile:
type: Unconfined
containers:
- name: nginx1
image: nginx
args:
- sleep
- 1d
securityContext:
seccompProfile:
type: Unconfined
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- name: nginx2
- name: nginx
image: nginx
args:
- sleep

10
test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml
View file

@ -17,19 +17,9 @@ spec:
level: restricted
version: latest
exclude:
- controlName: "Seccomp"
restrictedField: "spec.securityContext.seccompProfile.type"
values:
- "Unconfined"
- controlName: "Seccomp"
images:
- nginx
restrictedField: "spec.containers[*].securityContext.seccompProfile.type"
values:
- "Unconfined"
- controlName: "Seccomp"
images:
- nginx
restrictedField: "spec.initContainers[*].securityContext.seccompProfile.type"
values:
- "Unconfined"

8
test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/bad-pod.yaml
View file

@ -4,21 +4,21 @@ metadata:
name: bad-pod
spec:
containers:
- name: nginx1
image: nginx
- name: busybox
image: busybox
args:
- sleep
- 1d
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsNonRoot: false
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- name: nginx2
- name: nginx
image: nginx
args:
- sleep

6
test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/bad-pod.yaml
View file

@ -5,7 +5,7 @@ metadata:
spec:
securityContext:
seccompProfile:
type: foo
type: Unconfined
containers:
- name: nginx1
image: nginx
@ -14,7 +14,7 @@ spec:
- 1d
securityContext:
seccompProfile:
type: baz
type: Unconfined
initContainers:
- name: nginx2
image: nginx
@ -23,4 +23,4 @@ spec:
- 1d
securityContext:
seccompProfile:
type: Localhost
type: Unconfined

4
test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/excluded-pod.yaml
View file

@ -14,7 +14,7 @@ spec:
- 1d
securityContext:
seccompProfile:
type: Unconfined
type: RuntimeDefault
initContainers:
- name: nginx2
image: nginx
@ -23,4 +23,4 @@ spec:
- 1d
securityContext:
seccompProfile:
type: Unconfined
type: RuntimeDefault

13
test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/policy.yaml
View file

@ -21,15 +21,4 @@ spec:
restrictedField: "spec.securityContext.seccompProfile.type"
values:
- "Unconfined"
- controlName: "Seccomp"
images:
- nginx
restrictedField: "spec.containers[*].securityContext.seccompProfile.type"
values:
- "Unconfined"
- controlName: "Seccomp"
images:
- nginx
restrictedField: "spec.initContainers[*].securityContext.seccompProfile.type"
values:
- "Unconfined"

8
test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/bad-pod.yaml
View file

@ -4,9 +4,10 @@ metadata:
name: bad-pod
spec:
volumes:
- name: flex
flexVolume:
driver: /var/lib2
- name: udev
gcePersistentDisk:
pdName: gke-pv
fsType: ext4
containers:
- name: nginx
image: nginx
@ -16,6 +17,7 @@ spec:
securityContext:
seccompProfile:
type: Localhost
localhostProfile: profiles/audit.json
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities: