Merge branch 'best_practice_policies' of github.com:nirmata/kyverno into best_practice_policies

2024-12-14 11:57:48 +00:00 · 2019-10-10 12:50:24 -07:00 · 2019-10-10 12:50:24 -07:00 · 66ae7367ba
commit 66ae7367ba
parent ed8f0da4f9 300665b22b
7 changed files with 57 additions and 21 deletions
--- a/examples/best_practices/README.md
+++ b/examples/best_practices/README.md
@ -3,6 +3,7 @@
 | Best practice                                  | Policy                             |             scenario|
 |------------------------------------------------|------------------------------------|---------------------|
 | Run as non-root user                           | [policy_validate_deny_runasrootuser.yaml](policy_validate_deny_runasrootuser.yaml)                  |     best_practices            |
+| Disallow automount api credentials                           | []()                  |     best_practices            |
 | Disallow privileged and privilege escalation   | [policy_validate_container_disallow_priviledgedprivelegesecalation.yaml](policy_validate_container_disallow_priviledgedprivelegesecalation.yaml)             |      best_practices            |
 | Disallow use of host networking and ports      |  [policy_validate_host_network_port.yaml](policy_validate_host_network_port.yaml)             |        best_practices            |
 | Disallow use of host filesystem                |  [policy_validate_host_path.yaml](policy_validate_host_path.yaml)                                                                                            |
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@ -68,8 +68,8 @@ func Test_validate_require_image_tag_not_latest_pass(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_pass.yaml")
 }

-func Test_mutate_pod_disable_automoutingapicred_pass(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml")
+func Test_validate_disallow_automoutingapicred_pass(t *testing.T) {
+	testScenario(t, "test/scenarios/test/scenario_validate_disallow_automountingapicred.yaml")
 }

 func Test_validate_disallow_default_namespace(t *testing.T) {
--- a/samples/README.md
+++ b/samples/README.md
@ -19,6 +19,13 @@ By default, processes in a container run as a root user (uid 0). To prevent comp
 * [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)


+## Disallow automounte API credentials
+
+One can access the API from inside a pod using automatically mounted service account credentials by default. To restrict access, opt out of automounting API credentials for any pod by setting `automountServiceAccountToken` to `false`.
+
+***Policy YAML***: [disallow_automountingapicred.yaml](best_practices/disallow_automountingapicred.yaml) 
+
+
 ## Disallow use of default namespace

 Namespaces are a way to divide cluster resources between multiple users. When multiple users or teams are sharing a single cluster, it is recommended to isolate different workloads and aviod using default namespace.
--- a/samples/best_practices/disallow_automountingapicred.yaml
+++ b/samples/best_practices/disallow_automountingapicred.yaml
@ -0,0 +1,17 @@
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: validate-disallow-automoutingapicred
+spec:
+  rules:
+  - name: disallow-automoutingapicred
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Deny automounting API credentials"
+      pattern:
+        spec:
+          =(serviceAccountName): "*"
+          automountServiceAccountToken: false
--- a/test/manifest/disallow_automountingapicred.yaml
+++ b/test/manifest/disallow_automountingapicred.yaml
@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp-pod
+  labels:
+    app: myapp
+spec: 
+  serviceAccountName: default
+  automountServiceAccountToken: false
+  containers:
+  - name: nginx
+    image: nginx
--- a/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml
+++ b/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml
@ -1,19 +0,0 @@
-# file path relative to project root
-input:
-  policy: examples/best_practices/policy_mutate_pod_disable_automountingapicred.yaml
-  resource: examples/best_practices/resources/resource_mutate_pod_disable_automountingapicred.yaml
-expected:
-  mutation:
-    patchedresource: test/output/output_mutate_pod_disable_automoutingapicred.yaml
-    policyresponse:
-      policy: mutate-pod-disable-automoutingapicred
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: myapp-pod
-      rules:
-        - name: pod-disable-automoutingapicred
-          type: Mutation
-          message: "succesfully process overlay"
-          success: true
--- a/test/scenarios/test/scenario_validate_disallow_automountingapicred.yaml
+++ b/test/scenarios/test/scenario_validate_disallow_automountingapicred.yaml
@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+  policy: samples/best_practices/disallow_automountingapicred.yaml
+  resource: test/manifest/disallow_automountingapicred.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: validate-disallow-automoutingapicred
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: myapp-pod
+      rules:
+        - name: disallow-automoutingapicred
+          type: Validation
+          message: Validation rule 'disallow-automoutingapicred' succesfully validated
+          success: true