From 560aab2e694fd6a6b972e7d409905789a51b0a88 Mon Sep 17 00:00:00 2001
From: Mariam Fahmy
Date: Fri, 19 Jan 2024 01:23:52 +0200
Subject: [PATCH] fix PSA chainsaw tests (#9389)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Mariam Fahmy
Co-authored-by: Charles-Edouard Brétéché
---
.../test-exclusion-capabilities/bad-pod.yaml | 10 ---------
.../test-exclusion-hostprocesses/bad-pod.yaml | 5 +++--
.../bad-pod.yaml | 22 +++++++++++++++++++
.../chainsaw-test.yaml | 5 +++++
.../bad-pod.yaml | 11 +++++-----
.../excluded-pod.yaml | 19 +---------------
.../policy.yaml | 10 ---------
.../bad-pod.yaml | 8 +++----
.../psa/test-exclusion-seccomp/bad-pod.yaml | 6 ++---
.../test-exclusion-seccomp/excluded-pod.yaml | 4 ++--
.../psa/test-exclusion-seccomp/policy.yaml | 13 +----------
.../test-exclusion-volume-types/bad-pod.yaml | 8 ++++---
12 files changed, 52 insertions(+), 69 deletions(-)
create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/bad-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/bad-pod.yaml
index 8b924f199a..c767bfa50e 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/bad-pod.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/bad-pod.yaml
@@ -24,13 +24,3 @@ spec:
capabilities: add: - baz - ephemeralContainers: - - name: nginx3 - image: nginx - args: - - sleep - - 1d - securityContext: - capabilities: - add: - - foo
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/bad-pod.yaml
index 597cc62e4a..9c6e5f0069 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/bad-pod.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/bad-pod.yaml
@@ -3,12 +3,13 @@ kind: Pod
metadata: name: bad-pod spec: + hostNetwork: true securityContext: windowsOptions: hostProcess: true containers: - - name: nginx1 - image: nginx + - name: busybox + image: busybox args: - sleep - 1d
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/bad-pod.yaml
new file mode 100644
index 0000000000..cd82dbe5ef
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/bad-pod.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod
+spec:
+ containers:
+ - name: busybox
+ image: busybox
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ privileged: true
+ initContainers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ windowsOptions:
+ hostProcess: false
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/chainsaw-test.yaml
index 9f98299f5b..57c2acd526 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/chainsaw-test.yaml
@@ -13,6 +13,11 @@ spec:
file: policy-assert.yaml - name: step-02 try: + - apply: + expect: + - check: + ($error != null): true + file: bad-pod.yaml - apply: file: excluded-pod.yaml - apply:
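Review bot: The added `hostNetwork: true` in the hostprocesses bad-pod is unexplained, and a reader could take it for an unrelated Host Namespaces violation rather than part of the HostProcess fixture. As far as I recall, API-server validation rejects a pod whose pod-level `windowsOptions.hostProcess` is true unless `hostNetwork` is also true, so without it the test would have passed on a validation error instead of on the policy. A comment above the line would keep that reasoning with the fixture: `# HostProcess pods must set hostNetwork (API validation); keeps the rejection coming from the policy`. The pod's container list continues outside the hunk.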
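Review bot: In the new privileged-containers bad-pod, the nginx initContainer carries `windowsOptions.hostProcess: false`, which is the default value and has no bearing on the Privileged Containers control the test directory is named for; nothing in the file says why it is there. If the intent is to show that an explicit `false` does not trip the HostProcess control while the privileged busybox container still gets the pod denied, a one-line comment above that init container's `securityContext:` would make it explicit, e.g. `# explicit false must not trip the HostProcess control; the denial comes from the privileged container above`; otherwise the field could simply be dropped.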
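Review bot: The new `apply` step for bad-pod.yaml asserts only `($error != null): true`, so any apply failure (a schema rejection, a missing namespace, an unrelated admission error) satisfies the check, not specifically the PSA policy denial. Since chainsaw binds the error text to `$error`, a check on its content, e.g. `(contains($error, 'privileged')): true`, would pin the failure to the control under test; I have not verified the exact wording the policy emits, so the substring needs confirming against a run. The `step-02` try list continues past the end of the hunk.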
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/bad-pod.yaml
index abaf76e009..9987a3d669 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/bad-pod.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/bad-pod.yaml
@@ -5,23 +5,23 @@ metadata:
spec: securityContext: seccompProfile: - type: foo + type: Unconfined containers: - - name: nginx1 - image: nginx + - name: busybox + image: busybox args: - sleep - 1d securityContext: seccompProfile: - type: baz + type: Unconfined runAsNonRoot: true allowPrivilegeEscalation: false capabilities: drop: - ALL initContainers: - - name: nginx2 + - name: nginx image: nginx args: - sleep
@@ -29,6 +29,7 @@ spec:
securityContext: seccompProfile: type: Localhost + localhostProfile: profiles/audit.json runAsNonRoot: true allowPrivilegeEscalation: false capabilities:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/excluded-pod.yaml
index 38b7005b67..cefa0cf0ef 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/excluded-pod.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/excluded-pod.yaml
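Review bot: After this change the restricted-seccomp bad-pod is `Unconfined` both at the pod level (`spec.securityContext.seccompProfile.type`, the first changed line of the hunk) and on the busybox container, while the policy hunk in this same commit keeps only the image-scoped nginx exclusion for `spec.containers[*]` and drops the pod-level one. The pod-level `Unconfined` alone fails the restricted Seccomp control, so the test still passes even if the image-scoped container exclusion were ignored entirely; it no longer isolates what the directory name says it checks. Changing the pod-level value to `type: RuntimeDefault` leaves the busybox container's `Unconfined` as the only violation and actually exercises the image scoping. The pod spec continues outside the second hunk.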
@@ -3,25 +3,8 @@ kind: Pod
metadata: name: excluded-pod spec: - securityContext: - seccompProfile: - type: Unconfined containers: - - name: nginx1 - image: nginx - args: - - sleep - - 1d - securityContext: - seccompProfile: - type: Unconfined - runAsNonRoot: true - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - initContainers: - - name: nginx2 + - name: nginx image: nginx args: - sleep
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml
index f13dd4c9a7..83b50941e7 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml
@@ -17,19 +17,9 @@ spec:
level: restricted version: latest exclude: - - controlName: "Seccomp" - restrictedField: "spec.securityContext.seccompProfile.type" - values: - - "Unconfined" - controlName: "Seccomp" images: - nginx restrictedField: "spec.containers[*].securityContext.seccompProfile.type" values: - "Unconfined" - - controlName: "Seccomp" - images: - - nginx - restrictedField: "spec.initContainers[*].securityContext.seccompProfile.type" - values: - - "Unconfined"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/bad-pod.yaml
index cb3b8e9cba..bbdaa100e9 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/bad-pod.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/bad-pod.yaml
@@ -4,21 +4,21 @@ metadata:
name: bad-pod spec: containers: - - name: nginx1 - image: nginx + - name: busybox + image: busybox args: - sleep - 1d securityContext: seccompProfile: type: RuntimeDefault - runAsNonRoot: true + runAsNonRoot: false allowPrivilegeEscalation: false capabilities: drop: - ALL initContainers: - - name: nginx2 + - name: nginx image: nginx args: - sleep
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/bad-pod.yaml
index 1d082f4bf2..d6a8158e5b 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/bad-pod.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/bad-pod.yaml
@@ -5,7 +5,7 @@ metadata:
spec: securityContext: seccompProfile: - type: foo + type: Unconfined containers: - name: nginx1 image: nginx
@@ -14,7 +14,7 @@ spec:
- 1d securityContext: seccompProfile: - type: baz + type: Unconfined initContainers: - name: nginx2 image: nginx
@@ -23,4 +23,4 @@ spec:
- 1d securityContext: seccompProfile: - type: Localhost + type: Unconfined
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/excluded-pod.yaml
index b0d349eb6a..f5ffeb5d48 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/excluded-pod.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/excluded-pod.yaml
@@ -14,7 +14,7 @@ spec:
- 1d securityContext: seccompProfile: - type: Unconfined + type: RuntimeDefault initContainers: - name: nginx2 image: nginx
@@ -23,4 +23,4 @@ spec:
- 1d securityContext: seccompProfile: - type: Unconfined + type: RuntimeDefault
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/policy.yaml
index 77a97aaa6f..3db929c14d 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/policy.yaml
@@ -21,15 +21,4 @@ spec:
restrictedField: "spec.securityContext.seccompProfile.type" values: - "Unconfined" - - controlName: "Seccomp" - images: - - nginx - restrictedField: "spec.containers[*].securityContext.seccompProfile.type" - values: - - "Unconfined" - - controlName: "Seccomp" - images: - - nginx - restrictedField: "spec.initContainers[*].securityContext.seccompProfile.type" - values: - - "Unconfined" +
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/bad-pod.yaml
index 97d666f55a..220a90b26a 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/bad-pod.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/bad-pod.yaml
@@ -4,9 +4,10 @@ metadata:
name: bad-pod spec: volumes: - - name: flex - flexVolume: - driver: /var/lib2 + - name: udev + gcePersistentDisk: + pdName: gke-pv + fsType: ext4 containers: - name: nginx image: nginx
@@ -16,6 +17,7 @@ spec:
securityContext: seccompProfile: type: Localhost + localhostProfile: profiles/audit.json runAsNonRoot: true allowPrivilegeEscalation: false capabilities:
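Review bot: The lone `+` at the end of the test-exclusion-seccomp policy.yaml hunk adds an empty line after the last `- "Unconfined"` entry, so the file now ends with a trailing blank line; yamllint's default `empty-lines` rule (`max-end: 0`) reports that and it is pure noise in the diff. Drop the added blank line so the file ends directly after `- "Unconfined"` with a single newline.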