From 6902a2b092b146f538c08108cf1bbbaa837803df Mon Sep 17 00:00:00 2001 From: Gurmannat Sohal <95538438+itsgurmannatsohal@users.noreply.github.com> Date: Tue, 26 Dec 2023 19:58:08 +0530 Subject: [PATCH] Unit tests for Pod Security Admission Integrations (#8585) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat: enable field-restricted exclusions using the psa Signed-off-by: Liang Deng <283304489@qq.com> * fix ci error Signed-off-by: Liang Deng <283304489@qq.com> * fix ci error Signed-off-by: Liang Deng <283304489@qq.com> * initial unit tests * Add all remaining unit tests Signed-off-by: Gurmannat Sohal * fine grain unit tests by adding fields and values * add detailed pod level exclusion and related tests * add tests for init & ephemeral containers * add kuttl tests for the new advanced support * add kuttl tests for the new advanced support * add readme for kuttl tests * add replacement in go.mod * resolving CI errors Signed-off-by: Gurmannat Sohal * fix ci errors Signed-off-by: Gurmannat Sohal * fix ci errors Signed-off-by: Gurmannat Sohal * updating pod-security-admissio Signed-off-by: Gurmannat Sohal * resolving null pointer panic Signed-off-by: Gurmannat Sohal * resolved conformance error Signed-off-by: Gurmannat Sohal * chainsaw Signed-off-by: Charles-Edouard Brétéché * chainsaw Signed-off-by: Gurmannat Sohal * remove duplication Signed-off-by: Gurmannat Sohal * fix linting Signed-off-by: Gurmannat Sohal * remove over computation Signed-off-by: Gurmannat Sohal * added field checks, pss skip condition Signed-off-by: Gurmannat Sohal * correcting chainsaw tests Signed-off-by: Gurmannat Sohal * merge branch 'main' into unit-tests Signed-off-by: Gurmannat Sohal * fix builds Signed-off-by: ShutingZhao --------- Signed-off-by: Liang Deng <283304489@qq.com> Signed-off-by: Gurmannat Sohal Signed-off-by: shuting Signed-off-by: Gurmannat Sohal <95538438+itsgurmannatsohal@users.noreply.github.com> 
Signed-off-by: Charles-Edouard Brétéché 
Signed-off-by: ShutingZhao Co-authored-by: Liang Deng <283304489@qq.com> Co-authored-by: shuting Co-authored-by: Charles-Edouard Brétéché --- .gitignore | 1 + api/kyverno/v1/common_types.go | 18 + api/kyverno/v1/zz_generated.deepcopy.go | 5 + .../kyverno/charts/crds/templates/crds.yaml | 96 + .../data/crds/kyverno.io_clusterpolicies.yaml | 48 + .../data/crds/kyverno.io_policies.yaml | 48 + config/crds/kyverno.io_clusterpolicies.yaml | 48 + config/crds/kyverno.io_policies.yaml | 48 + config/install-latest-testing.yaml | 96 + docs/user/crd/index.html | 25 + go.mod | 6 +- go.sum | 8 +- pkg/autogen/autogen.go | 13 +- pkg/autogen/rule.go | 11 - .../kyverno/v1/podsecuritystandard.go | 24 +- .../handlers/validation/validate_pss.go | 31 + pkg/pss/evaluate.go | 179 +- pkg/pss/evaluate_test.go | 5969 ++++++++++++++++- .../report-assert.yaml | 5 +- .../psa/test-exclusion-capabilities/README.md | 7 + .../test-exclusion-capabilities/bad-pod.yaml | 36 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 26 + .../test-exclusion-capabilities/good-pod.yaml | 27 + .../policy-assert.yaml | 9 + .../test-exclusion-capabilities/policy.yaml | 31 + .../test-exclusion-host-namespaces/README.md | 7 + .../bad-pod.yaml | 12 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 12 + .../good-pod.yaml | 12 + .../policy-assert.yaml | 9 + .../policy.yaml | 23 + .../psa/test-exclusion-host-ports/README.md | 7 + .../test-exclusion-host-ports/bad-pod.yaml | 23 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 23 + .../test-exclusion-host-ports/good-pod.yaml | 23 + .../policy-assert.yaml | 9 + .../psa/test-exclusion-host-ports/policy.yaml | 32 + .../test-exclusion-hostpath-volume/README.md | 7 + .../chainsaw-test.yaml | 19 + .../excluded-pod.yaml | 15 + .../good-pod.yaml | 11 + .../policy-assert.yaml | 9 + .../policy.yaml | 23 + .../test-exclusion-hostprocesses/README.md | 7 + .../test-exclusion-hostprocesses/bad-pod.yaml | 26 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 27 + 
.../good-pod.yaml | 26 + .../policy-assert.yaml | 9 + .../test-exclusion-hostprocesses/policy.yaml | 39 + .../README.md | 7 + .../bad-pod.yaml | 31 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 33 + .../good-pod.yaml | 33 + .../policy-assert.yaml | 9 + .../policy.yaml | 31 + .../README.md | 7 + .../chainsaw-test.yaml | 19 + .../excluded-pod.yaml | 21 + .../good-pod.yaml | 22 + .../policy-assert.yaml | 9 + .../policy.yaml | 31 + .../psa/test-exclusion-procmount/README.md | 7 + .../psa/test-exclusion-procmount/bad-pod.yaml | 21 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 21 + .../test-exclusion-procmount/good-pod.yaml | 21 + .../policy-assert.yaml | 9 + .../psa/test-exclusion-procmount/policy.yaml | 31 + .../README.md | 7 + .../bad-pod.yaml | 37 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 37 + .../good-pod.yaml | 35 + .../policy-assert.yaml | 9 + .../policy.yaml | 31 + .../README.md | 7 + .../bad-pod.yaml | 36 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 36 + .../good-pod.yaml | 36 + .../policy-assert.yaml | 9 + .../policy.yaml | 35 + .../README.md | 7 + .../bad-pod.yaml | 35 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 35 + .../good-pod.yaml | 35 + .../policy-assert.yaml | 9 + .../policy.yaml | 29 + .../README.md | 7 + .../bad-pod.yaml | 33 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 33 + .../good-pod.yaml | 33 + .../policy-assert.yaml | 9 + .../policy.yaml | 29 + .../psa/test-exclusion-seccomp/README.md | 7 + .../psa/test-exclusion-seccomp/bad-pod.yaml | 26 + .../test-exclusion-seccomp/chainsaw-test.yaml | 24 + .../test-exclusion-seccomp/excluded-pod.yaml | 26 + .../psa/test-exclusion-seccomp/good-pod.yaml | 23 + .../test-exclusion-seccomp/policy-assert.yaml | 9 + .../psa/test-exclusion-seccomp/policy.yaml | 35 + .../psa/test-exclusion-selinux/README.md | 7 + .../psa/test-exclusion-selinux/bad-pod.yaml | 23 + .../test-exclusion-selinux/chainsaw-test.yaml | 24 + 
.../test-exclusion-selinux/excluded-pod.yaml | 23 + .../psa/test-exclusion-selinux/good-pod.yaml | 23 + .../test-exclusion-selinux/policy-assert.yaml | 9 + .../psa/test-exclusion-selinux/policy.yaml | 31 + .../psa/test-exclusion-sysctls/README.md | 7 + .../psa/test-exclusion-sysctls/bad-pod.yaml | 14 + .../test-exclusion-sysctls/chainsaw-test.yaml | 24 + .../test-exclusion-sysctls/excluded-pod.yaml | 14 + .../psa/test-exclusion-sysctls/good-pod.yaml | 14 + .../test-exclusion-sysctls/policy-assert.yaml | 9 + .../psa/test-exclusion-sysctls/policy.yaml | 23 + .../psa/test-exclusion-volume-types/README.md | 7 + .../test-exclusion-volume-types/bad-pod.yaml | 23 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 23 + .../test-exclusion-volume-types/good-pod.yaml | 23 + .../policy-assert.yaml | 9 + .../test-exclusion-volume-types/policy.yaml | 23 + .../psa/test-exclusion-capabilities/README.md | 7 + .../test-exclusion-capabilities/bad-pod.yaml | 27 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 26 + .../test-exclusion-capabilities/good-pod.yaml | 26 + .../policy-assert.yaml | 9 + .../test-exclusion-capabilities/policy.yaml | 31 + .../test-exclusion-host-namespaces/README.md | 7 + .../bad-pod.yaml | 13 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 13 + .../good-pod.yaml | 13 + .../policy-assert.yaml | 9 + .../policy.yaml | 23 + .../psa/test-exclusion-host-ports/README.md | 7 + .../test-exclusion-host-ports/bad-pod.yaml | 24 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 24 + .../test-exclusion-host-ports/good-pod.yaml | 24 + .../policy-assert.yaml | 9 + .../psa/test-exclusion-host-ports/policy.yaml | 31 + .../test-exclusion-hostpath-volume/README.md | 7 + .../chainsaw-test.yaml | 19 + .../excluded-pod.yaml | 16 + .../good-pod.yaml | 12 + .../policy-assert.yaml | 9 + .../policy.yaml | 23 + .../test-exclusion-hostprocesses/README.md | 7 + .../test-exclusion-hostprocesses/bad-pod.yaml | 27 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml 
| 28 + .../good-pod.yaml | 27 + .../policy-assert.yaml | 9 + .../test-exclusion-hostprocesses/policy.yaml | 39 + .../README.md | 7 + .../bad-pod.yaml | 32 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 34 + .../good-pod.yaml | 34 + .../policy-assert.yaml | 9 + .../policy.yaml | 31 + .../README.md | 7 + .../chainsaw-test.yaml | 19 + .../excluded-pod.yaml | 22 + .../good-pod.yaml | 23 + .../policy-assert.yaml | 9 + .../policy.yaml | 31 + .../psa/test-exclusion-procmount/README.md | 7 + .../psa/test-exclusion-procmount/bad-pod.yaml | 22 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 22 + .../test-exclusion-procmount/good-pod.yaml | 22 + .../policy-assert.yaml | 9 + .../psa/test-exclusion-procmount/policy.yaml | 31 + .../README.md | 7 + .../bad-pod.yaml | 38 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 38 + .../good-pod.yaml | 36 + .../policy-assert.yaml | 9 + .../policy.yaml | 31 + .../README.md | 7 + .../bad-pod.yaml | 37 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 37 + .../good-pod.yaml | 37 + .../policy-assert.yaml | 9 + .../policy.yaml | 35 + .../README.md | 7 + .../bad-pod.yaml | 36 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 36 + .../good-pod.yaml | 36 + .../policy-assert.yaml | 9 + .../policy.yaml | 29 + .../README.md | 7 + .../bad-pod.yaml | 34 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 34 + .../good-pod.yaml | 34 + .../policy-assert.yaml | 9 + .../policy.yaml | 29 + .../psa/test-exclusion-seccomp/README.md | 7 + .../psa/test-exclusion-seccomp/bad-pod.yaml | 27 + .../test-exclusion-seccomp/chainsaw-test.yaml | 24 + .../test-exclusion-seccomp/excluded-pod.yaml | 27 + .../psa/test-exclusion-seccomp/good-pod.yaml | 24 + .../test-exclusion-seccomp/policy-assert.yaml | 9 + .../psa/test-exclusion-seccomp/policy.yaml | 35 + .../psa/test-exclusion-selinux/README.md | 7 + .../psa/test-exclusion-selinux/bad-pod.yaml | 24 + .../test-exclusion-selinux/chainsaw-test.yaml | 24 + 
.../test-exclusion-selinux/excluded-pod.yaml | 24 + .../psa/test-exclusion-selinux/good-pod.yaml | 24 + .../test-exclusion-selinux/policy-assert.yaml | 9 + .../psa/test-exclusion-selinux/policy.yaml | 31 + .../psa/test-exclusion-sysctls/README.md | 7 + .../psa/test-exclusion-sysctls/bad-pod.yaml | 15 + .../test-exclusion-sysctls/chainsaw-test.yaml | 24 + .../test-exclusion-sysctls/excluded-pod.yaml | 15 + .../psa/test-exclusion-sysctls/good-pod.yaml | 15 + .../test-exclusion-sysctls/policy-assert.yaml | 9 + .../psa/test-exclusion-sysctls/policy.yaml | 23 + .../psa/test-exclusion-volume-types/README.md | 7 + .../test-exclusion-volume-types/bad-pod.yaml | 24 + .../chainsaw-test.yaml | 24 + .../excluded-pod.yaml | 24 + .../test-exclusion-volume-types/good-pod.yaml | 24 + .../policy-assert.yaml | 9 + .../test-exclusion-volume-types/policy.yaml | 23 + 239 files changed, 11233 insertions(+), 48 deletions(-) create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/README.md create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/policy.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/README.md create mode 100644 
test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/policy.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/README.md create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/policy.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/README.md create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/excluded-pod.yaml create mode 
100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/policy.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/README.md create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/policy.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/README.md create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/good-pod.yaml create mode 100644 
test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/policy.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/README.md create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/policy.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/README.md create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/policy.yaml create mode 100644 
test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/README.md create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/policy.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/README.md create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/README.md create mode 100644 
test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/policy.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/README.md create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/policy.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/README.md create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/bad-pod.yaml create mode 100644 
test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/policy.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/README.md create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/policy.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/README.md create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/excluded-pod.yaml create mode 100644 
test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/policy.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/README.md create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/policy.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/README.md create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/policy-assert.yaml create mode 100644 
test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/policy.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/README.md create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/policy.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/README.md create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/policy.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/README.md create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/chainsaw-test.yaml create mode 100644 
test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/policy.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/README.md create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/policy.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/README.md create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/good-pod.yaml create mode 100644 
test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/policy.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/README.md create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/policy.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/README.md create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/policy.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/README.md create mode 100644 
test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/policy.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/README.md create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/README.md create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/chainsaw-test.yaml 
create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/policy.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/README.md create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/policy.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/README.md create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/good-pod.yaml create mode 100644 
test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/policy.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/README.md create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/policy.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/README.md create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/policy.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/README.md create mode 100644 
test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/bad-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/excluded-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/policy.yaml diff --git a/.gitignore b/.gitignore index 7ec553c4ea..9ffbc0e42c 100644 --- a/.gitignore +++ b/.gitignore @@ -19,3 +19,4 @@ cmd/background-controller/background-controller .dist .manifest kyverno.tar.gz +vendor/ diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go index b68709c5f9..d4ec8deaa5 100644 --- a/api/kyverno/v1/common_types.go +++ b/api/kyverno/v1/common_types.go 
@@ -429,6 +429,24 @@ type PodSecurityStandard struct { // Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. // +optional Images []string `json:"images,omitempty" yaml:"images,omitempty"` + + // RestrictedField selects the field for the given Pod Security Standard control. + // When not set, all restricted fields for the control are selected. + // +optional + RestrictedField string `json:"restrictedField,omitempty" yaml:"restrictedField,omitempty"` + + // Values defines the allowed values that can be excluded. + // +optional + Values []string `json:"values,omitempty" yaml:"values,omitempty"` +} + +// Validate checks if the values in the PodSecurityStandard struct are valid. +func (pss *PodSecurityStandard) Validate(exclude PodSecurityStandard) error { + if (exclude.RestrictedField != "" && len(exclude.Values) == 0) || (exclude.RestrictedField == "" && len(exclude.Values) != 0) { + return fmt.Errorf("Values[] and RestrictedField must be set together") + } + + return nil } // CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go index 68abf39380..df925f686f 100755 --- a/api/kyverno/v1/zz_generated.deepcopy.go +++ b/api/kyverno/v1/zz_generated.deepcopy.go @@ -992,6 +992,11 @@ func (in *PodSecurityStandard) DeepCopyInto(out *PodSecurityStandard) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.Values != nil { + in, out := &in.Values, &out.Values + *out = make([]string, len(*in)) + copy(*out, *in) + } return } diff --git a/charts/kyverno/charts/crds/templates/crds.yaml b/charts/kyverno/charts/crds/templates/crds.yaml index 6343ea571c..258b710b5f 100644 --- a/charts/kyverno/charts/crds/templates/crds.yaml +++ b/charts/kyverno/charts/crds/templates/crds.yaml 
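Review bot: `Validate` is declared as a method on `*PodSecurityStandard` but never reads its receiver; it validates the `exclude` argument instead, so callers end up passing the value to itself (`exclude.Validate(exclude)` in pkg/pss/evaluate.go on this same page). Validating the receiver is what the name promises: `func (pss *PodSecurityStandard) Validate() error` with `pss.RestrictedField` and `pss.Values` in the condition. The error string should also follow Go convention (lowercase, no brackets), `fmt.Errorf("values and restrictedField must be set together")`. Nothing in this hunk checks that `RestrictedField` names a field the given control actually restricts, so a typo in a policy silently selects nothing; whether the engine then fails closed (no exemption) is not visible here and is worth stating in the field comment once confirmed.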
@@ -13424,6 +13424,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for the + control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -17919,6 +17931,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for + the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -22180,6 +22204,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for the + control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -26649,6 +26685,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for + the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object 
@@ -31184,6 +31232,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for the + control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -35680,6 +35740,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for + the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -39942,6 +40014,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for the + control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -44411,6 +44495,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for + the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml index 5b40156c30..5b7de6c526 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml 
+++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml @@ -3473,6 +3473,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for the + control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -7968,6 +7980,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for + the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -12229,6 +12253,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for the + control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -16698,6 +16734,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for + the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml index eb2cd871ab..794b75d934 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml 
+++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml @@ -3474,6 +3474,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for the + control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -7970,6 +7982,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for + the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -12232,6 +12256,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for the + control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -16701,6 +16737,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for + the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index 5b40156c30..5b7de6c526 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml 
@@ -3473,6 +3473,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for the + control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -7968,6 +7980,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for + the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -12229,6 +12253,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for the + control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -16698,6 +16734,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for + the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index eb2cd871ab..794b75d934 100644 --- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml 
@@ -3474,6 +3474,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for the + control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -7970,6 +7982,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for + the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -12232,6 +12256,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for the + control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -16701,6 +16737,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for + the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 750cb9c1ee..55783275e1 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml 
@@ -13643,6 +13643,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for the + control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -18138,6 +18150,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for + the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -22399,6 +22423,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for the + control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -26868,6 +26904,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for + the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object 
@@ -31405,6 +31453,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for the + control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -35901,6 +35961,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for + the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -40163,6 +40235,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for the + control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object @@ -44632,6 +44716,18 @@ spec: items: type: string type: array + restrictedField: + description: RestrictedField selects the field + for the given Pod Security Standard control. + When not set, all restricted fields for + the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array required: - controlName type: object diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 0dbecaf8dd..210d7f0249 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html 
@@ -2848,6 +2848,31 @@ Empty list matches no containers, PSS checks are applied at the pod level only. Wildcards (‘*’ and ‘?’) are allowed. See: https://kubernetes.io/docs/concepts/containers/images.

+ + +restrictedField
+ +string + + + +(Optional) +

RestrictedField selects the field for the given Pod Security Standard control. +When not set, all restricted fields for the control are selected.

+ + + + +values
+ +[]string + + + +(Optional) +

Values defines the allowed values that can be excluded.

+ +
diff --git a/go.mod b/go.mod index 97f113ad96..3762702aad 100644 --- a/go.mod +++ b/go.mod @@ -381,4 +381,8 @@ require ( sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect ) -replace sigs.k8s.io/kubectl-validate => github.com/kyverno/kubectl-validate v0.0.0-20231116142848-59e4e6124b70 +replace ( + github.com/sigstore/cosign/v2 => github.com/kyverno/cosign/v2 v2.0.0-20231109090756-51fd41540436 + k8s.io/pod-security-admission v0.29.0 => github.com/YTGhost/pod-security-admission v0.0.0-20231116105308-8b1daa0177f2 + sigs.k8s.io/kubectl-validate => github.com/kyverno/kubectl-validate v0.0.0-20231116142848-59e4e6124b70 +) diff --git a/go.sum b/go.sum index d45d1a2e2d..c5cf48a26e 100644 --- a/go.sum +++ b/go.sum @@ -149,6 +149,8 @@ github.com/StackExchange/wmi v0.0.0-20190523213315-cbe66965904d/go.mod h1:3eOhrU github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY+9ef8E= github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE= github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/4+TcAqDqk/vUH7g= +github.com/YTGhost/pod-security-admission v0.0.0-20231116105308-8b1daa0177f2 h1:fU6MSdWY9ny1k+lWzCav7bBp/Is/uK/PAuLSn8SrVrs= +github.com/YTGhost/pod-security-admission v0.0.0-20231116105308-8b1daa0177f2/go.mod h1:rBAI9Kn+bV1UGQqDqZSgFo/+fm8S/3fFOsU42Z8SVkc= github.com/afex/hystrix-go v0.0.0-20180502004556-fa1af6a1f4f5/go.mod h1:SkGFH1ia65gfNATL8TAiHDNxPzPdmEL5uirI2Uyuz6c= github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8= github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo= 
@@ -945,6 +947,8 @@ github.com/kunwardeep/paralleltest v1.0.2/go.mod h1:ZPqNm1fVHPllh5LPVujzbVz1JN2G github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/kyoh86/exportloopref v0.1.8/go.mod h1:1tUcJeiioIs7VWe5gcOObrux3lb66+sBqGZrRkMwPgg= +github.com/kyverno/cosign/v2 v2.0.0-20231109090756-51fd41540436 h1:PvxtUeaEvHgnVwnksc2LDBjWM7wsyIzZhZzS+RW+BEE= +github.com/kyverno/cosign/v2 v2.0.0-20231109090756-51fd41540436/go.mod h1:QuAzDDmES0ROCdTPf97GzjidUmn5lpQq84ESET3NAi8= github.com/kyverno/go-jmespath v0.4.1-0.20231124160150-95e59c162877 h1:XOLJNGX/q6MVpI8p8MKvk6jGBMvO4CrdwrizMMSsaRU= github.com/kyverno/go-jmespath v0.4.1-0.20231124160150-95e59c162877/go.mod h1:yzDHaKovQy16rjN4kFnjF+IdNoN4p1ndw+va6+B8zUU= github.com/kyverno/go-jmespath/internal/testify v1.5.2-0.20230630133209-945021c749d9 h1:lL311dF3a2aeNibJj8v+uhFU3XkvRHZmCtAdSPOrQYY= @@ -1311,8 +1315,6 @@ github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFR github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk= github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= -github.com/sigstore/cosign/v2 v2.2.2 h1:V1uE1/QnKGfj77vuqlEGBg6O2ZJqOrWkLwjTC21Vxw0= -github.com/sigstore/cosign/v2 v2.2.2/go.mod h1:bNmX0qyby7sgcqY9oY/jy5m+XJ3N3LtpOsNfO+A1CGo= github.com/sigstore/fulcio v1.4.3 h1:9JcUCZjjVhRF9fmhVuz6i1RyhCc/EGCD7MOl+iqCJLQ= github.com/sigstore/fulcio v1.4.3/go.mod h1:BQPWo7cfxmJwgaHlphUHUpFkp5+YxeJes82oo39m5og= github.com/sigstore/k8s-manifest-sigstore v0.5.1 h1:jGYuk6LXJm/GzZB/RR2RZ23T84BCP/j96jmhWRV2Q+g= 
@@ -2226,8 +2228,6 @@ k8s.io/kube-openapi v0.0.0-20231113174909-778a5567bc1e h1:snPmy96t93RredGRjKfMFt
 k8s.io/kube-openapi v0.0.0-20231113174909-778a5567bc1e/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
 k8s.io/kubectl v0.28.4 h1:gWpUXW/T7aFne+rchYeHkyB8eVDl5UZce8G4X//kjUQ=
 k8s.io/kubectl v0.28.4/go.mod h1:CKOccVx3l+3MmDbkXtIUtibq93nN2hkDR99XDCn7c/c=
-k8s.io/pod-security-admission v0.29.0 h1:tY/ldtkbBCulMYVSWg6ZDLlgDYDWy6rLj8e/AgmwSj4=
-k8s.io/pod-security-admission v0.29.0/go.mod h1:bGIeKCzU0Q0Nl185NHmqcMCiOjTcqTrBfAQaeupwq0E=
 k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20210111153108-fddb29f9d009/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20231127182322-b307cd553661 h1:FepOBzJ0GXm8t0su67ln2wAZjbQ6RxQGZDnzuLcrUTI=
diff --git a/pkg/autogen/autogen.go b/pkg/autogen/autogen.go
index a8c09c3e42..3fc0199ef3 100644
--- a/pkg/autogen/autogen.go
+++ b/pkg/autogen/autogen.go
@@ -193,16 +193,9 @@ func convertRule(rule kyvernoRule, kind string) (*kyvernov1.Rule, error) {
 	if bytes, err := json.Marshal(rule); err != nil {
 		return nil, err
 	} else {
-		if rule.Validation != nil && rule.Validation.PodSecurity != nil {
-			bytes = updateRestrictedFields(bytes, kind)
-			if err := json.Unmarshal(bytes, &rule); err != nil {
-				return nil, err
-			}
-		} else {
-			bytes = updateGenRuleByte(bytes, kind)
-			if err := json.Unmarshal(bytes, &rule); err != nil {
-				return nil, err
-			}
+		bytes = updateGenRuleByte(bytes, kind)
+		if err := json.Unmarshal(bytes, &rule); err != nil {
+			return nil, err
 		}
 
 		// CEL variables are object, oldObject, request, params and authorizer.
diff --git a/pkg/autogen/rule.go b/pkg/autogen/rule.go
index efba309405..3b01ab1ce4 100644
--- a/pkg/autogen/rule.go
+++ b/pkg/autogen/rule.go
@@ -321,17 +321,6 @@ func updateGenRuleByte(pbyte []byte, kind string) (obj []byte) {
 	return obj
 }
 
-func updateRestrictedFields(pbyte []byte, kind string) (obj []byte) {
-	if kind == "Pod" {
-		obj = []byte(strings.ReplaceAll(string(pbyte), `"restrictedField":"spec`, `"restrictedField":"spec.template.spec`))
-	}
-	if kind == "Cronjob" {
-		obj = []byte(strings.ReplaceAll(string(pbyte), `"restrictedField":"spec`, `"restrictedField":"spec.jobTemplate.spec.template.spec`))
-	}
-	obj = []byte(strings.ReplaceAll(string(obj), "metadata", "spec.template.metadata"))
-	return obj
-}
-
 func updateCELFields(pbyte []byte, kind string) (obj []byte) {
 	if kind == "Pod" {
 		obj = []byte(strings.ReplaceAll(string(pbyte), "object.spec", "object.spec.template.spec"))
diff --git a/pkg/client/applyconfigurations/kyverno/v1/podsecuritystandard.go b/pkg/client/applyconfigurations/kyverno/v1/podsecuritystandard.go
index 07a23f37b1..68ad8e0a2f 100644
--- a/pkg/client/applyconfigurations/kyverno/v1/podsecuritystandard.go
+++ b/pkg/client/applyconfigurations/kyverno/v1/podsecuritystandard.go
@@ -21,8 +21,10 @@ package v1
 // PodSecurityStandardApplyConfiguration represents an declarative configuration of the PodSecurityStandard type for use
 // with apply.
 type PodSecurityStandardApplyConfiguration struct {
-	ControlName *string `json:"controlName,omitempty"`
-	Images []string `json:"images,omitempty"`
+	ControlName *string `json:"controlName,omitempty"`
+	Images []string `json:"images,omitempty"`
+	RestrictedField *string `json:"restrictedField,omitempty"`
+	Values []string `json:"values,omitempty"`
 }
 
 // PodSecurityStandardApplyConfiguration constructs an declarative configuration of the PodSecurityStandard type for use with
@@ -48,3 +50,21 @@ func (b *PodSecurityStandardApplyConfiguration) WithImages(values ...string) *Po
 	}
 	return b
 }
+
+// WithRestrictedField sets the RestrictedField field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the RestrictedField field is set to the value of the last call.
+func (b *PodSecurityStandardApplyConfiguration) WithRestrictedField(value string) *PodSecurityStandardApplyConfiguration {
+	b.RestrictedField = &value
+	return b
+}
+
+// WithValues adds the given value to the Values field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Values field.
+func (b *PodSecurityStandardApplyConfiguration) WithValues(values ...string) *PodSecurityStandardApplyConfiguration {
+	for i := range values {
+		b.Values = append(b.Values, values[i])
+	}
+	return b
+}
diff --git a/pkg/engine/handlers/validation/validate_pss.go b/pkg/engine/handlers/validation/validate_pss.go
index 9617067681..f9e9a01c69 100644
--- a/pkg/engine/handlers/validation/validate_pss.go
+++ b/pkg/engine/handlers/validation/validate_pss.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"strings"
 
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
@@ -12,6 +13,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine/handlers"
 	engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
 	"github.com/kyverno/kyverno/pkg/pss"
+	pssutils "github.com/kyverno/kyverno/pkg/pss/utils"
 	appsv1 "k8s.io/api/apps/v1"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -35,6 +37,11 @@ func (h validatePssHandler) Process(
 	_ engineapi.EngineContextLoader,
 	exceptions []kyvernov2beta1.PolicyException,
 ) (unstructured.Unstructured, []engineapi.RuleResponse) {
+	if engineutils.IsDeleteRequest(policyContext) {
+		logger.V(3).Info("skipping PSS validation on deleted resource")
+		return resource, nil
+	}
+
 	// check if there is a policy exception matches the incoming resource
 	exception := engineutils.MatchesException(exceptions, policyContext, logger)
 	if exception != nil {
@@ -67,6 +74,7 @@ func (h validatePssHandler) Process(
 	if err != nil {
 		return resource, handlers.WithError(rule, engineapi.Validation, "failed to parse pod security api version", err)
 	}
+	pssChecks = convertChecks(pssChecks, resource.GetKind())
 	podSecurityChecks := engineapi.PodSecurityChecks{
 		Level: podSecurity.Level,
 		Version: podSecurity.Version,
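Review bot: The DELETE early-return hands back `resource, nil`, so the rule records no RuleResponse at all for delete requests; if the sibling handlers in this package report that case through `handlers.WithSkip`, this one should do the same so policy reports stay consistent — that convention is not visible in the hunk, so please confirm before merging. In the second hunk `convertChecks` rewrites the `Field` paths of `pssChecks` only after those results already exist, so the rewritten paths are used for reporting; if they are also meant to be compared against a rule's `restrictedField`, the rewrite would have to happen before exclusions are evaluated, which this hunk does not show. A short comment on the call would settle it: `// rewrite field paths to the controller's pod template for reporting`. Process starts before the first hunk and continues after the second.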
@@ -85,6 +93,29 @@ func (h validatePssHandler) Process(
 	}
 }
 
+func convertChecks(checks []pssutils.PSSCheckResult, kind string) (newChecks []pssutils.PSSCheckResult) {
+	if kind == "DaemonSet" || kind == "Deployment" || kind == "Job" || kind == "StatefulSet" || kind == "ReplicaSet" || kind == "ReplicationController" {
+		for i := range checks {
+			for j := range *checks[i].CheckResult.ErrList {
+				(*checks[i].CheckResult.ErrList)[j].Field = strings.ReplaceAll((*checks[i].CheckResult.ErrList)[j].Field, "spec", "spec.template.spec")
+			}
+		}
+	} else if kind == "CronJob" {
+		for i := range checks {
+			for j := range *checks[i].CheckResult.ErrList {
+				(*checks[i].CheckResult.ErrList)[j].Field = strings.ReplaceAll((*checks[i].CheckResult.ErrList)[j].Field, "spec", "spec.jobTemplate.spec.template.spec")
+			}
+		}
+	}
+	for i := range checks {
+		for j := range *checks[i].CheckResult.ErrList {
+			(*checks[i].CheckResult.ErrList)[j].Field = strings.ReplaceAll((*checks[i].CheckResult.ErrList)[j].Field, "metadata", "spec.template.metadata")
+		}
+	}
+
+	return checks
+}
+
 func getSpec(resource unstructured.Unstructured) (podSpec *corev1.PodSpec, metadata *metav1.ObjectMeta, err error) {
 	kind := resource.GetKind()
 
diff --git a/pkg/pss/evaluate.go b/pkg/pss/evaluate.go
index 3d125e7fff..c4c362288d 100644
--- a/pkg/pss/evaluate.go
+++ b/pkg/pss/evaluate.go
@@ -2,16 +2,24 @@ package pss import ( "fmt" + "regexp" + "strconv" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" "github.com/kyverno/kyverno/ext/wildcard" pssutils "github.com/kyverno/kyverno/pkg/pss/utils" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/pod-security-admission/api" "k8s.io/pod-security-admission/policy" ) +var ( + regexIndex = regexp.MustCompile(`\d+`) + regexStr = regexp.MustCompile(`[a-zA-Z]+`) +) + // Evaluate Pod's specified containers only and get PSSCheckResults func evaluatePSS(level *api.LevelVersion, pod corev1.Pod) (results []pssutils.PSSCheckResult) { checks := policy.DefaultChecks() @@ -30,7 +38,7 @@ func evaluatePSS(level *api.LevelVersion, pod corev1.Pod) (results []pssutils.PS } if level.Version == api.LatestVersion() { - checkResult := latestVersionCheck.CheckPod(&pod.ObjectMeta, &pod.Spec) + checkResult := latestVersionCheck.CheckPod(&pod.ObjectMeta, &pod.Spec, policy.WithFieldErrors()) if !checkResult.Allowed { results = append(results, pssutils.PSSCheckResult{ ID: string(check.ID), @@ -47,7 +55,7 @@ func evaluatePSS(level *api.LevelVersion, pod corev1.Pod) (results []pssutils.PS } else if level.Version != api.LatestVersion() && level.Version.Older(versionCheck.MinimumVersion) { continue } - checkResult := versionCheck.CheckPod(&pod.ObjectMeta, &pod.Spec) + checkResult := versionCheck.CheckPod(&pod.ObjectMeta, &pod.Spec, policy.WithFieldErrors()) // Append only if the checkResult is not already in pssCheckResult if !checkResult.Allowed { results = append(results, pssutils.PSSCheckResult{ 
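Review bot: `regexIndex` matches any run of digits, not only a bracketed list index, so when parseField and exemptExclusions (later hunks) normalise a field path, digits inside an annotation key such as `metadata.annotations[container.apparmor.security.beta.kubernetes.io/<container name with digits>]` are also turned into `*` and, in parseField, collected as if they were container indexes. A user's `restrictedField` naming such a key can then never match the normalised path. Anchoring the pattern to the index syntax, `regexIndex = regexp.MustCompile("\\[(\\d+)\\]")`, replacing with `"[*]"` and reading `match[1]` instead of `match[0]` in parseField keeps the normalisation to real indexes; the parseField change belongs to a later hunk.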
@@ -61,9 +69,14 @@ func evaluatePSS(level *api.LevelVersion, pod corev1.Pod) (results []pssutils.PS
 return results
 }
 
-func exemptKyvernoExclusion(defaultCheckResults, excludeCheckResults []pssutils.PSSCheckResult, exclude kyvernov1.PodSecurityStandard) []pssutils.PSSCheckResult {
+func exemptExclusions(defaultCheckResults, excludeCheckResults []pssutils.PSSCheckResult, exclude kyvernov1.PodSecurityStandard, pod *corev1.Pod, matching *corev1.Pod, isContainerLevelExclusion bool) ([]pssutils.PSSCheckResult, error) {
 defaultCheckResultsMap := make(map[string]pssutils.PSSCheckResult, len(defaultCheckResults))
 
+ if err := exclude.Validate(exclude); err != nil {
+ fmt.Print(err)
+ return nil, err
+ }
+
 for _, result := range defaultCheckResults {
 defaultCheckResultsMap[result.ID] = result
 }
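Review bot: `fmt.Print(err)` in exemptExclusions writes the validation failure to stdout from library code while the same error is also returned, so the caller handles it twice and the output bypasses the engine's logger. Dropping the print and wrapping the error gives the caller the context it needs: `return nil, fmt.Errorf("validating pod security exclusion %q: %w", exclude.ControlName, err)`. `exclude.Validate(exclude)` also passes the receiver to itself as an argument, which reads oddly; worth confirming that is the intended signature rather than a copy-paste. The function body continues in the next hunk.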
@@ -71,7 +84,70 @@ func exemptKyvernoExclusion(defaultCheckResults, excludeCheckResults []pssutils. for _, excludeResult := range excludeCheckResults { for _, checkID := range pssutils.PSS_controls_to_check_id[exclude.ControlName] { if excludeResult.ID == checkID { - delete(defaultCheckResultsMap, checkID) + for _, excludeFieldErr := range *excludeResult.CheckResult.ErrList { + var excludeField, excludeContainerType string + var excludeIndexes []int + var isContainerLevelField bool = false + var excludeContainer corev1.Container + + if isContainerLevelExclusion { + excludeField, excludeIndexes, excludeContainerType, isContainerLevelField = parseField(excludeFieldErr.Field) + } else { + excludeField = regexIndex.ReplaceAllString(excludeFieldErr.Field, "*") + } + + if isContainerLevelField { + excludeContainer = getContainerInfo(matching, excludeIndexes[0], excludeContainerType) + } + excludeBadValues := extractBadValues(excludeFieldErr) + + if excludeField == exclude.RestrictedField || len(exclude.RestrictedField) == 0 { + flag := true + if len(exclude.Values) != 0 { + for _, badValue := range excludeBadValues { + if !wildcard.CheckPatterns(exclude.Values, badValue) { + flag = false + break + } + } + } + if flag { + defaultCheckResult := defaultCheckResultsMap[checkID] + if defaultCheckResult.CheckResult.ErrList != nil { + for idx, defaultFieldErr := range *defaultCheckResult.CheckResult.ErrList { + var defaultField, defaultContainerType string + var defaultIndexes []int + var isContainerLevelField bool = false + var defaultContainer corev1.Container + + if isContainerLevelExclusion { + defaultField, defaultIndexes, defaultContainerType, isContainerLevelField = parseField(defaultFieldErr.Field) + } else { + defaultField = regexIndex.ReplaceAllString(defaultFieldErr.Field, "*") + } + + if isContainerLevelField { + defaultContainer = getContainerInfo(pod, defaultIndexes[0], defaultContainerType) + if excludeField == defaultField && excludeContainer.Name == 
defaultContainer.Name { + remove(defaultCheckResult.CheckResult.ErrList, idx) + break + } + } else { + if excludeField == defaultField { + remove(defaultCheckResult.CheckResult.ErrList, idx) + break + } + } + } + if len(*defaultCheckResult.CheckResult.ErrList) == 0 { + delete(defaultCheckResultsMap, checkID) + } else { + defaultCheckResultsMap[checkID] = defaultCheckResult + } + } + } + } + } } } } 
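Review bot: the values check in exemptExclusions fails open when extractBadValues returns nothing: `flag` starts at true and is only cleared inside the loop over `excludeBadValues`, so a BadValue of a type the switch in the later hunk does not handle (anything other than string, bool, int or []string) makes an exclusion with `values` set match unconditionally. Initialising the flag from both lengths closes that gap: `flag := len(exclude.Values) == 0 || len(excludeBadValues) > 0` before the loop. Note that the empty-string arm of extractBadValues takes the same path, and the appArmor `allow_positive` fixture in the test file (annotation `/a` with value `""` excluded with `values: ["bogus"]`) appears to rely on it, so that case needs an explicit decision rather than an accidental pass. The function body starts in the previous hunk and continues in the next.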
@@ -81,7 +157,65 @@ func exemptKyvernoExclusion(defaultCheckResults, excludeCheckResults []pssutils. newDefaultCheckResults = append(newDefaultCheckResults, result) } - return newDefaultCheckResults + return newDefaultCheckResults, nil +} + +func extractBadValues(excludeFieldErr *field.Error) []string { + var excludeBadValues []string + + switch excludeFieldErr.BadValue.(type) { + case string: + badValue := excludeFieldErr.BadValue.(string) + if badValue == "" { + break + } + excludeBadValues = append(excludeBadValues, badValue) + case bool: + excludeBadValues = append(excludeBadValues, strconv.FormatBool(excludeFieldErr.BadValue.(bool))) + case int: + excludeBadValues = append(excludeBadValues, strconv.Itoa(excludeFieldErr.BadValue.(int))) + case []string: + excludeBadValues = append(excludeBadValues, excludeFieldErr.BadValue.([]string)...) + } + + return excludeBadValues +} + +func remove(s *field.ErrorList, i int) { + (*s)[i] = (*s)[len(*s)-1] + *s = (*s)[:len(*s)-1] +} + +func isContainerType(str string) bool { + return str == "containers" || str == "initContainers" || str == "ephemeralContainers" +} + +func parseField(field string) (string, []int, string, bool) { + matchesIdx := regexIndex.FindAllStringSubmatch(field, -1) + matchesStr := regexStr.FindAllString(field, -1) + field = regexIndex.ReplaceAllString(field, "*") + var indexes []int + for _, match := range matchesIdx { + index, _ := strconv.Atoi(match[0]) + indexes = append(indexes, index) + } + return field, indexes, matchesStr[1], isContainerType(matchesStr[1]) +} + +func getContainerInfo(pod *corev1.Pod, index int, containerType string) corev1.Container { + var container corev1.Container + + switch { + case containerType == "containers": + container = pod.Spec.Containers[index] + case containerType == "initContainers": + container = pod.Spec.InitContainers[index] + case containerType == "ephemeralContainers": + container = 
(corev1.Container)(pod.Spec.EphemeralContainers[index].EphemeralContainerCommon) + default: + } + + return container } func parseVersion(rule *kyvernov1.PodSecurity) (*api.LevelVersion, error) { @@ -119,17 +253,19 @@ func EvaluatePod(rule *kyvernov1.PodSecurity, pod *corev1.Pod) (bool, []pssutils switch { // exclude pod level checks case spec != nil: + isContainerLevelExclusion := false excludeCheckResults := evaluatePSS(levelVersion, *spec) - defaultCheckResults = exemptKyvernoExclusion(defaultCheckResults, excludeCheckResults, exclude) + defaultCheckResults, err = exemptExclusions(defaultCheckResults, excludeCheckResults, exclude, pod, matching, isContainerLevelExclusion) // exclude container level checks default: + isContainerLevelExclusion := true excludeCheckResults := evaluatePSS(levelVersion, *matching) - defaultCheckResults = exemptKyvernoExclusion(defaultCheckResults, excludeCheckResults, exclude) + defaultCheckResults, err = exemptExclusions(defaultCheckResults, excludeCheckResults, exclude, pod, matching, isContainerLevelExclusion) } } - return len(defaultCheckResults) == 0, defaultCheckResults, nil + return (len(defaultCheckResults) == 0 && err == nil), defaultCheckResults, err } // GetPodWithMatchingContainers extracts matching container/pod info by the given exclude rule 
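Review bot: parseField indexes `matchesStr[1]` without checking that the path has at least two alphabetic segments, so a field error whose path is a single token panics; the parameter is also named `field`, shadowing the `field` package this file now imports. Renaming the parameter to `path` and adding `if len(matchesStr) < 2 { return path, indexes, "", false }` before the return covers both. extractBadValues silently drops any BadValue type outside string/bool/int/[]string, which is what lets the values check in the previous hunk match unconditionally; a `default:` arm appending `fmt.Sprint(excludeFieldErr.BadValue)` would at least keep such values comparable. getContainerInfo trusts `index` against the pod's container slices with no bounds check, which holds only while the indexes come from errors produced for that same pod.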
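Review bot: in EvaluatePod the `err` from exemptExclusions is reassigned on every iteration of the enclosing loop (its header is outside the hunk) and nothing stops the loop, so an invalid exclude that made exemptExclusions return `nil, err` leaves `defaultCheckResults` nil and a later valid exclude then resets `err` to nil; the final return would report `allowed == true` with no results. Returning as soon as the call fails avoids that: `if err != nil { return false, nil, err }` after the switch. The two `isContainerLevelExclusion := false` / `:= true` locals can be passed as literals, which also makes the difference between the two cases visible at the call.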
@@ -185,7 +321,32 @@ func GetRestrictedFields(check policy.Check) []pssutils.RestrictedField { func FormatChecksPrint(checks []pssutils.PSSCheckResult) string { var str string for _, check := range checks { - str += fmt.Sprintf("(%+v)\n", check.CheckResult) + str += fmt.Sprintf("\n(Forbidden reason: %s, field error list: [", check.CheckResult.ForbiddenReason) + for idx, err := range *check.CheckResult.ErrList { + badValueExist := true + switch err.BadValue.(type) { + case string: + badValue := err.BadValue.(string) + if badValue == "" { + badValueExist = false + } + default: + } + switch err.Type { + case field.ErrorTypeForbidden: + if badValueExist { + str += fmt.Sprintf("%s is forbidden, don't set the BadValue: %+v", err.Field, err.BadValue) + } else { + str += err.Error() + } + default: + str += err.Error() + } + if idx != len(*check.CheckResult.ErrList)-1 { + str += ", " + } + } + str += "])" } return str } diff --git a/pkg/pss/evaluate_test.go b/pkg/pss/evaluate_test.go index b215f4cfe8..486fc3acb8 100644 --- a/pkg/pss/evaluate_test.go +++ b/pkg/pss/evaluate_test.go 
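Review bot: FormatChecksPrint builds the output with `str +=` inside two nested loops; a `strings.Builder` with `fmt.Fprintf` avoids the quadratic copying and reads the same. The `badValueExist` type switch collapses to one line, `badValue, isStr := err.BadValue.(string); badValueExist := !isStr || badValue != ""`, and the empty `default:` branches can go. The phrase `don't set the BadValue` is user-facing text in a rule response; `forbidden value` would match the wording of the field errors it sits next to.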
@@ -180,6 +180,80 @@ var baseline_hostProcess = []testCase{ }`), allowed: true, }, + { + name: "baseline_hostProcess_defines_initcontainer_only_violate_true", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "HostProcess", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "windowsOptions": { + "hostProcess": true + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_hostProcess_defines_ephemeralcontainer_only_violate_true", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "HostProcess", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "windowsOptions": { + "hostProcess": true + } + } + } + ] + } + }`), + allowed: true, + }, { name: "baseline_hostProcess_defines_container_only_violate_false", rawRule: []byte(` 
@@ -217,6 +291,158 @@ var baseline_hostProcess = []testCase{ }`), allowed: true, }, + { + name: "baseline_hostProcess_defines_initContainer_&_ephemeralContainer_allowed_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "HostProcess", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.windowsOptions.hostProcess", + "values": [ + "true" + ] + }, + { + "controlName": "HostProcess", + "images": [ + "nginx" + ], + "restrictedField": "spec.initContainers[*].securityContext.windowsOptions.hostProcess", + "values": [ + "true" + ] + }, + { + "controlName": "HostProcess", + "images": [ + "nginx" + ], + "restrictedField": "spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess", + "values": [ + "true" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "windowsOptions": { + "hostProcess": true + } + } + } + ], + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "windowsOptions": { + "hostProcess": true + } + } + } + ], + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "windowsOptions": { + "hostProcess": true + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_hostProcess_defines_initContainer_&_ephemeralContainer_allowed_negative", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "HostProcess", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.windowsOptions.hostProcess", + "values": ["true"] + }, + { + "controlName": "HostProcess", + "images": [ + "nginx" + ], + "restrictedField": "spec.initContainers[*].securityContext.windowsOptions.hostProcess", + "values": ["true"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + 
"metadata": { + "name": "test" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "windowsOptions": { + "hostProcess": true + } + } + } + ], + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "windowsOptions": { + "hostProcess": true + } + } + } + ], + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "windowsOptions": { + "hostProcess": true + } + } + } + ] + } + }`), + allowed: false, + }, { name: "baseline_hostProcess_defines_spec_only_violate_true", rawRule: []byte(` @@ -251,6 +477,35 @@ var baseline_hostProcess = []testCase{ }`), allowed: true, }, + { + name: "baseline_hostProcess_defines_spec_blocked_with_no_exclusion", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24" + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "windowsOptions": { + "hostProcess": true + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx:1.2.3" + } + ] + } + }`), + allowed: false, + }, { name: "baseline_hostProcess_defines_spec_only_violate_false", rawRule: []byte(` @@ -731,7 +986,7 @@ var baseline_privileged = []testCase{ allowed: false, }, { - name: "baseline_privileged_defines_initContainer_violate_true", + name: "baseline_privileged_defines_initContainer_&_ephemeralContainer_violate_true", rawRule: []byte(` { "level": "baseline", 
@@ -769,11 +1024,144 @@ var baseline_privileged = []testCase{ "privileged": true } } + ], + "ephemeralContainers": [ + { + "name": "nginx-ephemeral", + "image": "nginx", + "securityContext": { + "privileged": true + } + } ] } }`), allowed: true, }, + { + name: "baseline_privileged_defines_initContainer_&_ephemeralContainer_violate_true_allowed_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "Privileged Containers", + "images": [ + "nginx" + ], + "restrictedField": "spec.initContainers[*].securityContext.privileged", + "values": [ + "true" + ] + }, + { + "controlName": "Privileged Containers", + "images": [ + "nginx" + ], + "restrictedField": "spec.ephemeralContainers[*].securityContext.privileged", + "values": [ + "true" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "privileged": false + } + } + ], + "initContainers": [ + { + "name": "nginx-init", + "image": "nginx", + "securityContext": { + "privileged": true + } + } + ], + "ephemeralContainers": [ + { + "name": "nginx-ephemeral", + "image": "nginx", + "securityContext": { + "privileged": true + } + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_privileged_defines_initContainer_&_ephemeralContainer_violate_true_allowed_negative", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "Privileged Containers", + "images": [ + "nginx" + ], + "restrictedField": "spec.initContainers[*].securityContext.privileged", + "values": [ + "true" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "privileged": false + } + } + ], + "initContainers": [ + { + "name": "nginx-init", + "image": "nginx", + 
"securityContext": { + "privileged": true + } + } + ], + "ephemeralContainers": [ + { + "name": "nginx-ephemeral", + "image": "nginx", + "securityContext": { + "privileged": true + } + } + ] + } + }`), + allowed: false, + }, } var baseline_capabilities = []testCase{ 
@@ -855,6 +1243,251 @@ var baseline_capabilities = []testCase{ }`), allowed: true, }, + { + name: "baseline_capabilities_foo_defines_container_violate_true", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "Capabilities", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "capabilities": { + "add": [ + "FOO", "BAR" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_capabilities_foo_defines_container_allow_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "Capabilities", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.capabilities.add", + "values": ["FOO", "BAR"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "capabilities": { + "add": [ + "FOO", "BAR" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_capabilities_foo_defines_initContainer_&_ephemeralContainer_allow_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "Capabilities", + "images": [ + "nginx" + ], + "restrictedField": "spec.initContainers[*].securityContext.capabilities.add", + "values": ["FOO", "BAR"] + }, + { + "controlName": "Capabilities", + "images": [ + "nginx" + ], + "restrictedField": "spec.ephemeralContainers[*].securityContext.capabilities.add", + "values": ["FOO", "BAZ"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "capabilities": { + "add": [ + "FOO", "BAR" + ] + } + } 
+ } + ], + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "capabilities": { + "add": [ + "FOO", "BAZ" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_capabilities_foo_defines_initContainer_&_ephemeralContainer_allow_negative", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "Capabilities", + "images": [ + "nginx" + ], + "restrictedField": "spec.initContainers[*].securityContext.capabilities.add", + "values": ["FOO", "BAR"] + }, + { + "controlName": "Capabilities", + "images": [ + "nginx" + ], + "restrictedField": "spec.ephemeralContainers[*].securityContext.capabilities.add", + "values": ["FOO", "BAR"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "capabilities": { + "add": [ + "FOO", "BAR" + ] + } + } + } + ], + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "capabilities": { + "add": [ + "FOO", "BAZ" + ] + } + } + } + ] + } + }`), + allowed: false, + }, + { + name: "baseline_capabilities_foo_defines_container_allow_negative", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "Capabilities", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.capabilities.add", + "values": ["FOO"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "capabilities": { + "add": [ + "FOO", "BAR" + ] + } + } + } + ] + } + }`), + allowed: false, + }, { name: "baseline_capabilities_defines_container_none", rawRule: []byte(` 
@@ -1234,6 +1867,211 @@ var baseline_host_ports = []testCase{ }`), allowed: true, }, + { + name: "baseline_host_ports_define_different_values", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "Host Ports", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx", + "ports": [ + { + "hostPort": 10, + "hostPort": 20 + } + ] + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_host_ports_initContainer_&_ephemeralContainer_define_different_values_allowed_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "Host Ports", + "images": [ + "nginx" + ], + "restrictedField": "spec.initContainers[*].ports[*].hostPort", + "values": [ + "10", "20" + ] + }, + { + "controlName": "Host Ports", + "images": [ + "nginx" + ], + "restrictedField": "spec.ephemeralContainers[*].ports[*].hostPort", + "values": [ + "10", "20" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "ports": [ + { + "hostPort": 10, + "hostPort": 20 + } + ] + } + ], + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "ports": [ + { + "hostPort": 10, + "hostPort": 20 + } + ] + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_host_ports_initContainer_&_ephemeralContainer_define_different_values_allowed_negative", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "Host Ports", + "images": [ + "nginx" + ], + "restrictedField": "spec.initContainers[*].ports[*].hostPort", + "values": [ + "10", "20" + ] + }, + { + "controlName": "Host Ports", + "images": [ + "nginx" + ], + "restrictedField": "spec.ephemeralContainers[*].ports[*].hostPort", + "values": 
[ + "10" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "ports": [ + { + "hostPort": 10, + "hostPort": 20 + } + ] + } + ], + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "ports": [ + { + "hostPort": 20 + } + ] + } + ] + } + }`), + allowed: false, + }, + { + name: "baseline_host_ports_define_different_values_allow_negative", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "Host Ports", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].ports.hostPort", + "values": ["-1"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx", + "ports": [ + { + "hostPort": 10, + "hostPort": 20 + } + ] + } + ] + } + }`), + allowed: false, + }, { name: "baseline_host_ports_undefined", rawRule: []byte(` 
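Review bot: the `ports` entries in the host_ports fixtures repeat the key `"hostPort"` inside one object (`"hostPort": 10, "hostPort": 20`); JSON decoding keeps only the last value, so these pods carry a single port 20 and the `define_different_values` cases never exercise two violations. Two port objects, `{ "hostPort": 10 }, { "hostPort": 20 }`, would test what the names claim. The `allow_negative` case also uses `restrictedField: spec.containers[*].ports.hostPort` without `[*]` on `ports`, so it fails on a path mismatch rather than on the value mismatch (`-1`) it is meant to cover.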
@@ -1362,6 +2200,149 @@ var baseline_appArmor = []testCase{ }`), allowed: true, }, + { + name: "baseline_appArmor_defines_multiple_violate_true", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "AppArmor" + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test", + "annotations": { + "container.apparmor.security.beta.kubernetes.io/": "bogus", + "container.apparmor.security.beta.kubernetes.io/a": "", + "container.apparmor.security.beta.kubernetes.io/b": "runtime/default", + "container.apparmor.security.beta.kubernetes.io/c": "localhost/", + "container.apparmor.security.beta.kubernetes.io/d": "localhost/foo", + "container.apparmor.security.beta.kubernetes.io/e": "unconfined", + "container.apparmor.security.beta.kubernetes.io/f": "unknown" + } + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_appArmor_defines_multiple_allow_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "AppArmor", + "restrictedField": "metadata.annotations[container.apparmor.security.beta.kubernetes.io/]", + "values": ["bogus"] + }, + { + "controlName": "AppArmor", + "restrictedField": "metadata.annotations[container.apparmor.security.beta.kubernetes.io/a]", + "values": ["bogus"] + }, + { + "controlName": "AppArmor", + "restrictedField": "metadata.annotations[container.apparmor.security.beta.kubernetes.io/e]", + "values": ["unconfined"] + }, + { + "controlName": "AppArmor", + "restrictedField": "metadata.annotations[container.apparmor.security.beta.kubernetes.io/f]", + "values": ["unknown"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test", + "annotations": { + "container.apparmor.security.beta.kubernetes.io/": "bogus", + "container.apparmor.security.beta.kubernetes.io/a": "", + 
"container.apparmor.security.beta.kubernetes.io/b": "runtime/default", + "container.apparmor.security.beta.kubernetes.io/c": "localhost/", + "container.apparmor.security.beta.kubernetes.io/d": "localhost/foo", + "container.apparmor.security.beta.kubernetes.io/e": "unconfined", + "container.apparmor.security.beta.kubernetes.io/f": "unknown" + } + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_appArmor_defines_multiple_allow_negative", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "AppArmor", + "restrictedField": "metadata.annotations[container.apparmor.security.beta.kubernetes.io/]", + "values": ["bogus"] + }, + { + "controlName": "AppArmor", + "restrictedField": "metadata.annotations[container.apparmor.security.beta.kubernetes.io/a]", + "values": ["bogus"] + }, + { + "controlName": "AppArmor", + "restrictedField": "metadata.annotations[container.apparmor.security.beta.kubernetes.io/e]", + "values": ["unconfined"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test", + "annotations": { + "container.apparmor.security.beta.kubernetes.io/": "bogus", + "container.apparmor.security.beta.kubernetes.io/a": "", + "container.apparmor.security.beta.kubernetes.io/b": "runtime/default", + "container.apparmor.security.beta.kubernetes.io/c": "localhost/", + "container.apparmor.security.beta.kubernetes.io/d": "localhost/foo", + "container.apparmor.security.beta.kubernetes.io/e": "unconfined", + "container.apparmor.security.beta.kubernetes.io/f": "unknown" + } + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: false, + }, { name: "baseline_appArmor_not_match_block", rawRule: []byte(` @@ -1469,7 +2450,7 @@ var baseline_seLinux = []testCase{ ] } }`), - allowed: true, + allowed: false, }, { name: "baseline_seLinux_type_defines_all_violate_true_2", 
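Review bot: the `allowed: true` → `allowed: false` flip in the last hunk here changes what an existing seLinux case asserts while its name and fixture stay outside the hunk; if the name still ends in `violate_true` it now contradicts the expectation. A rename, or a one-line comment on the case such as `// expectation changed with field-restricted exclusions; see the image-scoped exclude added to the next case`, would record why the expectation moved. The extra image-scoped exclude in the following hunk looks like the companion change and would benefit from the same note.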
@@ -1480,6 +2461,12 @@ var baseline_seLinux = []testCase{ "exclude": [ { "controlName": "SELinux" + }, + { + "controlName": "SELinux", + "images": [ + "nginx" + ] } ] }`), @@ -1661,6 +2648,44 @@ var baseline_seLinux = []testCase{ }`), allowed: true, }, + { + name: "baseline_seLinux_type_defines_spec", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "SELinux", + "restrictedField": "spec.securityContext.seLinuxOptions.type", + "values": [ + "fake_value" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seLinuxOptions": { + "type": "fake_value" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: true, + }, { name: "baseline_seLinux_type_defines_spec_violate_false", rawRule: []byte(` 
@@ -1695,6 +2720,540 @@ var baseline_seLinux = []testCase{ }`), allowed: true, }, + { + name: "baseline_seLinux_type_defines_bad_spec_violate_false", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "SELinux" + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seLinuxOptions": { + "type": "bad" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_seLinux_type_defines_bad_spec_allow_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "SELinux", + "restrictedField": "spec.securityContext.seLinuxOptions.type", + "values": ["bad"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seLinuxOptions": { + "type": "bad" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_seLinux_type_defines_bad_spec_allow_negative", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "SELinux", + "restrictedField": "spec.securityContext.seLinuxOptions.type", + "values": ["good"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seLinuxOptions": { + "type": "bad" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: false, + }, + { + name: "baseline_seLinux_type_securityContext_nil_violate_false", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "SELinux", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "containers": [ + { + "name": "a", + 
"image": "nginx", + "securityContext": { + "seLinuxOptions": { + "type": "container_t" + } + } + }, + { + "name": "b", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "type": "container_init_t" + } + } + }, + { + "name": "c", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "type": "container_kvm_t" + } + } + }, + { + "name": "d", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "type": "bar" + } + } + }, + { + "name": "e", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "user": "bar" + } + } + }, + { + "name": "f", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "role": "baz" + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_seLinux_type_securityContext_nil_allow_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "SELinux", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.seLinuxOptions.type", + "values": ["bar"] + }, + { + "controlName": "SELinux", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.seLinuxOptions.user", + "values": ["bar"] + }, + { + "controlName": "SELinux", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.seLinuxOptions.role", + "values": ["baz"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "containers": [ + { + "name": "a", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "type": "container_t" + } + } + }, + { + "name": "b", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "type": "container_init_t" + } + } + }, + { + "name": "c", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "type": "container_kvm_t" + } + } + }, + { + "name": "d", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "type": "bar" + } + } + }, + { + "name": "e", 
+ "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "user": "bar" + } + } + }, + { + "name": "f", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "role": "baz" + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_seLinux_type_securityContext_nil_allow_negative", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "SELinux", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.seLinuxOptions.type", + "values": ["bar"] + }, + { + "controlName": "SELinux", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.seLinuxOptions.user", + "values": ["bar"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "containers": [ + { + "name": "a", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "type": "container_t" + } + } + }, + { + "name": "b", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "type": "container_init_t" + } + } + }, + { + "name": "c", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "type": "container_kvm_t" + } + } + }, + { + "name": "d", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "type": "bar" + } + } + }, + { + "name": "e", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "user": "bar" + } + } + }, + { + "name": "f", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "role": "baz" + } + } + } + ] + } + }`), + allowed: false, + }, + { + name: "baseline_seLinux_type_securityContext_initContainer_&_ephemeralContainer_nil_allow_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "SELinux", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.seLinuxOptions.type", + "values": ["bar"] + }, + { + "controlName": "SELinux", + "images": [ + 
"nginx" + ], + "restrictedField": "spec.initContainers[*].securityContext.seLinuxOptions.user", + "values": ["bar"] + }, + { + "controlName": "SELinux", + "images": [ + "nginx" + ], + "restrictedField": "spec.ephemeralContainers[*].securityContext.seLinuxOptions.role", + "values": ["bar"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "containers": [ + { + "name": "a", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "type": "bar" + } + } + } + ], + "initContainers": [ + { + "name": "a", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "user": "bar" + } + } + } + ], + "ephemeralContainers": [ + { + "name": "a", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "role": "bar" + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_seLinux_type_securityContext_initContainer_&_ephemeralContainer_nil_allow_negative", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "SELinux", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.seLinuxOptions.type", + "values": ["bar"] + }, + { + "controlName": "SELinux", + "images": [ + "nginx" + ], + "restrictedField": "spec.initContainers[*].securityContext.seLinuxOptions.user", + "values": ["bar"] + }, + { + "controlName": "SELinux", + "images": [ + "nginx" + ], + "restrictedField": "spec.ephemeralContainers[*].securityContext.seLinuxOptions.role", + "values": ["baz"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "containers": [ + { + "name": "a", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "type": "bar" + } + } + } + ], + "initContainers": [ + { + "name": "a", + "image": "nginx", + "securityContext": { + "seLinuxOptions": { + "user": "bar" + } + } + } + ], + "ephemeralContainers": [ + { + "name": "a", + "image": "nginx", + 
"securityContext": { + "seLinuxOptions": { + "role": "bar" + } + } + } + ] + } + }`), + allowed: false, + }, { name: "baseline_seLinux_type_not_match_pass", rawRule: []byte(` 
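Review bot: the `violate_true` / `violate_false` suffixes in the new seLinux case names do not track the `allowed` field: `baseline_seLinux_type_defines_bad_spec_violate_false` here and `baseline_seLinux_user_defines_bad_spec_violate_true` in the next hunk use the same fixture shape and both expect `allowed: true`. The `allow_positive` / `allow_negative` pairs in the same hunks are unambiguous; using that scheme for the unrestricted-exclusion cases too (e.g. `baseline_seLinux_type_defines_bad_spec_unrestricted_exclusion_allowed`) would make a failing test name self-explanatory.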
@@ -1900,6 +3459,218 @@ var baseline_seLinux = []testCase{ }`), allowed: true, }, + { + name: "baseline_seLinux_user_defines_bad_spec_violate_true", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "SELinux" + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seLinuxOptions": { + "user": "bad" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_seLinux_user_defines_bad_spec_allowed_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "SELinux", + "restrictedField": "spec.securityContext.seLinuxOptions.user", + "values": ["bad"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seLinuxOptions": { + "user": "bad" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_seLinux_user_defines_bad_spec_allowed_negative", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "SELinux", + "restrictedField": "spec.securityContext.seLinuxOptions.user", + "values": ["good"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seLinuxOptions": { + "user": "bad" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: false, + }, + { + name: "baseline_seLinux_role_defines_bad_spec_violate_true", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "SELinux" + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seLinuxOptions": { + "role": "bad" + } + }, + 
"containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_seLinux_role_defines_bad_spec_allowed_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "SELinux", + "restrictedField": "spec.securityContext.seLinuxOptions.role", + "values": ["bad"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seLinuxOptions": { + "role": "bad" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_seLinux_role_defines_bad_spec_allowed_negative", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "SELinux", + "restrictedField": "spec.securityContext.seLinuxOptions.role", + "values": ["good"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seLinuxOptions": { + "role": "bad" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: false, + }, { name: "baseline_seLinux_role_defines_container_violate_true", rawRule: []byte(` 
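Review bot: The new pod-level cases `baseline_seLinux_user_defines_bad_spec_*` and `baseline_seLinux_role_defines_bad_spec_*` only ever set `seLinuxOptions` on `spec.securityContext`, so they cannot show that an exclusion scoped to `spec.securityContext.seLinuxOptions.user` stays pod-level. From these fixtures alone it is unclear whether such an exclusion could also silence a container-level violation, which is exactly the over-broad-exclusion mistake an operator would not notice. Suggest a sibling of `baseline_seLinux_user_defines_bad_spec_allowed_negative` that keeps the pod-level exclusion and adds a container with `"seLinuxOptions": {"user": "bad"}`, expected `allowed: false`, so the `restrictedField` path is pinned as matched precisely rather than by field name.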
@@ -2042,6 +3813,295 @@ var baseline_procMount = []testCase{ }`), allowed: true, }, + { + name: "baseline_procMount_defines_multiple_violate_true", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "/proc Mount Type", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": null + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": {} + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "procMount": "Default" + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "procMount": "Unmasked" + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "procMount": "other" + } + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_procMount_defines_multiple_allowed_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "/proc Mount Type", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.procMount", + "values": ["Unmasked", "other"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": null + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": {} + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "procMount": "Default" + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "procMount": "Unmasked" + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "procMount": "other" + } + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_procMount_defines_multiple_allowed_negative", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + 
"controlName": "/proc Mount Type", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.procMount", + "values": ["Unmasked"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": null + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": {} + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "procMount": "Default" + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "procMount": "Unmasked" + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "procMount": "other" + } + } + ] + } + }`), + allowed: false, + }, + { + name: "baseline_procMount_defines_multiple_initContainer_&_ephemeralContainer_allowed_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "/proc Mount Type", + "images": [ + "nginx" + ], + "restrictedField": "spec.initContainers[*].securityContext.procMount", + "values": ["Unmasked"] + }, + { + "controlName": "/proc Mount Type", + "images": [ + "nginx" + ], + "restrictedField": "spec.ephemeralContainers[*].securityContext.procMount", + "values": ["other"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "procMount": "Unmasked" + } + } + ], + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "procMount": "other" + } + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_procMount_defines_multiple_initContainer_&_ephemeralContainer_allowed_negative", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "/proc Mount Type", + "images": [ + "nginx" + ], + "restrictedField": 
"spec.initContainers[*].securityContext.procMount", + "values": ["Unmasked"] + }, + { + "controlName": "/proc Mount Type", + "images": [ + "nginx" + ], + "restrictedField": "spec.ephemeralContainers[*].securityContext.procMount", + "values": ["others"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "procMount": "Unmasked" + } + } + ], + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "procMount": "other" + } + } + ] + } + }`), + allowed: false, + }, { name: "baseline_procMount_not_match_pass", rawRule: []byte(` 
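Review bot: Every container in the five-container `baseline_procMount_defines_multiple_*` fixtures uses image `nginx`, which is also the only entry in `images`, so none of the cases shows that the image filter and the `restrictedField`/`values` filter are both required for a container to be excluded. A variant of `baseline_procMount_defines_multiple_allowed_positive` in which the `"procMount": "Unmasked"` container uses `"image": "busybox"` with expected `allowed: false` would pin that the two filters are ANDed. Separately, all five containers share `"name": "nginx"`; the API server rejects duplicate container names, so distinct names would keep these fixtures reusable as chainsaw/e2e pods.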
@@ -2311,6 +4371,415 @@ var baseline_seccompProfile = []testCase{ }`), allowed: true, }, + { + name: "baseline_seccompProfile_metadata_annotations_allow_unconfined", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.0" + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_seccompProfile_defines_multiple_all_violate_true", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.19", + "exclude": [ + { + "controlName": "Seccomp" + }, + { + "controlName": "Seccomp", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seccompProfile": { + "type": "Unconfined" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": null + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": {} + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "Unconfined" + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "Localhost" + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_seccompProfile_defines_multiple_all_allowed_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.19", + "exclude": [ + { + "controlName": "Seccomp", + "restrictedField": "spec.securityContext.seccompProfile.type", + "values": ["Unconfined"] + }, + { + "controlName": "Seccomp", + "images": [ + 
"nginx" + ], + "restrictedField": "spec.containers[*].securityContext.seccompProfile.type", + "values": ["Unconfined"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seccompProfile": { + "type": "Unconfined" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": null + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": {} + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "Unconfined" + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "Localhost" + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_seccompProfile_defines_multiple_all_allowed_negative", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.19", + "exclude": [ + { + "controlName": "Seccomp", + "restrictedField": "spec.securityContext.seccompProfile.type", + "values": ["unknown"] + }, + { + "controlName": "Seccomp", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.seccompProfile.type", + "values": ["Unconfined"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seccompProfile": { + "type": "Unconfined" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": null + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": {} + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "Unconfined" + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + 
"type": "RuntimeDefault" + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "Localhost" + } + } + } + ] + } + }`), + allowed: false, + }, + { + name: "baseline_seccompProfile_defines_multiple_initContainer_&_ephemeralContainer_all_allowed_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.19", + "exclude": [ + { + "controlName": "Seccomp", + "restrictedField": "spec.securityContext.seccompProfile.type", + "values": ["Unconfined"] + }, + { + "controlName": "Seccomp", + "images": [ + "nginx" + ], + "restrictedField": "spec.initContainers[*].securityContext.seccompProfile.type", + "values": ["Unconfined"] + }, + { + "controlName": "Seccomp", + "images": [ + "nginx" + ], + "restrictedField": "spec.ephemeralContainers[*].securityContext.seccompProfile.type", + "values": ["Unconfined"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seccompProfile": { + "type": "Unconfined" + } + }, + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "Unconfined" + } + } + } + ], + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "Unconfined" + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_seccompProfile_defines_multiple_initContainer_&_ephemeralContainer_all_allowed_negative", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.19", + "exclude": [ + { + "controlName": "Seccomp", + "restrictedField": "spec.securityContext.seccompProfile.type", + "values": ["Unconfined"] + }, + { + "controlName": "Seccomp", + "images": [ + "nginx" + ], + "restrictedField": "spec.initContainers[*].securityContext.seccompProfile.type", + "values": ["Unconfined"] + }, + { + "controlName": "Seccomp", + "images": [ + "nginx" + ], + "restrictedField": 
"spec.ephemeralContainers[*].securityContext.seccompProfile.type", + "values": ["unknown"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seccompProfile": { + "type": "Unconfined" + } + }, + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "Unconfined" + } + } + } + ], + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "Unconfined" + } + } + } + ] + } + }`), + allowed: false, + }, { name: "baseline_seccompProfile_defines_container_violate_true", rawRule: []byte(` @@ -2349,7 +4818,7 @@ var baseline_seccompProfile = []testCase{ allowed: true, }, { - name: "baseline_seccompProfile_defines_container_violate_false", + name: "baseline_seccompProfile_defines_container_allowed_positive", rawRule: []byte(` { "level": "baseline", 
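Review bot: The case named `baseline_seccompProfile_metadata_annotations_allow_unconfined` contains neither a `metadata.annotations` block nor an `Unconfined` profile — its pod sets `RuntimeDefault` at both pod and container level — so it does not exercise what its name claims. As far as I recall, at `"version": "v1.0"` the upstream seccomp check reads the `seccomp.security.alpha.kubernetes.io/pod` and `container.seccomp.security.alpha.kubernetes.io/<name>` annotations rather than `securityContext.seccompProfile`, so either add those annotations with `unconfined` plus the matching `exclude` entry, or rename the case to something like `baseline_seccompProfile_v1.0_runtimeDefault_pass`. As written it passes for a reason unrelated to its name and would not catch a regression in the pre-1.19 annotation path.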
@@ -2359,11 +4828,84 @@ var baseline_seccompProfile = []testCase{ "controlName": "Seccomp", "images": [ "nginx" - ] + ], + "restrictedField": "spec.containers[*].securityContext.seccompProfile.type", + "values": ["fake"] } ] }`), rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "fake" + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_seccompProfile_defines_container_allowed_negative", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "Seccomp", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.seccompProfile.type", + "values": ["real"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "fake" + } + } + } + ] + } + }`), + allowed: false, + }, + { + name: "baseline_seccompProfile_defines_container_violate_false", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + + ] + }`), + rawPod: []byte(` { "kind": "Pod", "metadata": { 
@@ -2420,18 +4962,85 @@ var baseline_seccompProfile = []testCase{ allowed: true, }, { - name: "baseline_seccompProfile_defines_spec_violate_false", + name: "baseline_seccompProfile_defines_spec_allowed_positive", rawRule: []byte(` { "level": "baseline", "version": "v1.24", "exclude": [ { - "controlName": "Seccomp" + "controlName": "Seccomp", + "restrictedField": "spec.securityContext.seccompProfile.type", + "values": ["fake"] } ] }`), rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seccompProfile": { + "type": "fake" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_seccompProfile_defines_spec_allowed_negative", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "Seccomp", + "restrictedField": "spec.securityContext.seccompProfile.type", + "values": ["true"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seccompProfile": { + "type": "fake" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: false, + }, + { + name: "baseline_seccompProfile_defines_spec_violate_false", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24" + }`), + rawPod: []byte(` { "kind": "Pod", "metadata": { 
@@ -2521,6 +5130,44 @@ var baseline_sysctls = []testCase{ }`), allowed: true, }, + { + name: "baseline_sysctls_defines_allowed_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "Sysctls", + "restrictedField": "spec.securityContext.sysctls[*].name", + "values": ["fake.value"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "sysctls": [ + { + "name": "fake.value" + } + ] + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: true, + }, { name: "baseline_sysctls_defines_violate_false", rawRule: []byte(` 
@@ -2557,6 +5204,281 @@ var baseline_sysctls = []testCase{ }`), allowed: true, }, + { + name: "baseline_sysctls_multiple_sysctls_pass", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.0", + "exclude": [ + { + "controlName": "Sysctls" + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "sysctls": [ + { + "name": "a" + }, + { + "name": "b" + } + ] + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_sysctls_multiple_sysctls_pass_allowed_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.0", + "exclude": [ + { + "controlName": "Sysctls", + "restrictedField": "spec.securityContext.sysctls[*].name", + "values": ["a", "b"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "sysctls": [ + { + "name": "a" + }, + { + "name": "b" + } + ] + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_sysctls_multiple_sysctls_pass_allowed_negative", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.0", + "exclude": [ + { + "controlName": "Sysctls", + "restrictedField": "spec.securityContext.sysctls[*].name", + "values": ["a"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "sysctls": [ + { + "name": "a" + }, + { + "name": "b" + } + ] + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: false, + }, + { + name: "baseline_sysctls_new_sysctls_pass", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.0", + "exclude": [ + { + "controlName": "Sysctls" + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "sysctls": [ + { + "name": 
"net.ipv4.ip_local_reserved_ports" + } + ] + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_sysctls_new_sysctls_pass_allowed_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.0", + "exclude": [ + { + "controlName": "Sysctls", + "restrictedField": "spec.securityContext.sysctls[*].name", + "values": ["net.ipv4.ip_local_reserved_ports"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "sysctls": [ + { + "name": "net.ipv4.ip_local_reserved_ports" + } + ] + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_sysctls_multiple_sysctls_pass_v1.24", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "Sysctls" + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "sysctls": [ + { + "name": "a" + }, + { + "name": "b" + } + ] + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: true, + }, + { + name: "baseline_sysctls_multiple_sysctls_pass_v1.24_allowed_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "Sysctls", + "restrictedField": "spec.securityContext.sysctls[*].name", + "values": ["a", "b"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "sysctls": [ + { + "name": "a" + }, + { + "name": "b" + } + ] + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: true, + }, { name: "baseline_sysctls_not_match_pass", rawRule: []byte(` 
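Review bot: `baseline_sysctls_new_sysctls_pass` and its `_allowed_positive` twin pin `"version": "v1.0"` while excluding `net.ipv4.ip_local_reserved_ports`, a sysctl that, to my recollection, only entered the baseline allowlist in v1.27; at v1.0 it is a violation, so both cases pass solely because of the `exclude` entry. The `_pass` name hides that the outcome is exclusion-driven, and nothing here checks the version-dependent allowlist itself. Suggest adding a `"version": "v1.27"` case with no `exclude` and expected `allowed: true`, plus a `"version": "v1.0"` case with no `exclude` and expected `allowed: false`, so an allowlist regression in the vendored PSA package is caught.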
@@ -2593,6 +5515,44 @@ var baseline_sysctls = []testCase{ }`), allowed: true, }, + { + name: "baseline_sysctls_not_match_pass_allowed_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "Seccomp", + "restrictedField": "spec.securityContext.sysctls[*].name", + "values": ["kernel.shm_rmid_forced"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "sysctls": [ + { + "name": "kernel.shm_rmid_forced" + } + ] + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: true, + }, { name: "baseline_sysctls_not_match_block", rawRule: []byte(` @@ -2629,6 +5589,44 @@ var baseline_sysctls = []testCase{ }`), allowed: false, }, + { + name: "baseline_sysctls_not_match_block_allowed_positive", + rawRule: []byte(` + { + "level": "baseline", + "version": "v1.24", + "exclude": [ + { + "controlName": "Seccomp", + "restrictedField": "spec.securityContext.sysctls[*].name", + "values": ["fake.value"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "sysctls": [ + { + "name": "fake.value" + } + ] + }, + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: false, + }, } var restricted_volume_types = []testCase{ @@ -2683,7 +5681,10 @@ var restricted_volume_types = []testCase{ "version": "v1.24", "exclude": [ { - "controlName": "Running as Non-root" + "controlName": "Running as Non-root", + "images": [ + "nginx" + ] } ] }`), 
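Review bot: Both `baseline_sysctls_not_match_pass_allowed_positive` and `baseline_sysctls_not_match_block_allowed_positive` pair `"controlName": "Seccomp"` with `"restrictedField": "spec.securityContext.sysctls[*].name"`, so the exclusion can never apply to the Sysctls control and the `_allowed_positive` suffix is misleading: the first case passes only because `kernel.shm_rmid_forced` is already on the baseline allowlist, the second blocks because nothing excludes `fake.value`. If the intent is to show that a `restrictedField` under the wrong control is ignored, say so in the name (e.g. `..._wrong_control_ignored`). More importantly, consider whether such a rule should be rejected at validation time: an exclusion whose field does not belong to its control is a misconfiguration that, on the evidence of these tests, fails silently and will surface only as an unexpected block in production.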
@@ -2923,6 +5924,380 @@ var restricted_volume_types = []testCase{ }`), allowed: false, }, + { + name: "restricted_volume_types_defines_violate_true_not_match_block", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Volume Types" + }, + { + "controlName": "HostPath Volumes" + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsNonRoot": true, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ], + "volumes": [ + { + "emptyDir": {} + }, + { + "secret": {} + }, + { + "persistentVolumeClaim": {} + }, + { + "downwardAPI": {} + }, + { + "configMap": {} + }, + { + "projected": {} + }, + { + "csi": {} + }, + { + "ephemeral": {} + }, + { + "hostPath": {} + }, + { + "awsElasticBlockStore": {} + }, + { + "gitRepo": {} + }, + { + "nfs": {} + }, + { + "iscsi": {} + }, + { + "glusterfs": {} + }, + { + "rbd": {} + }, + { + "flexVolume": {} + }, + { + "cinder": {} + }, + { + "cephfs": {} + }, + { + "flocker": {} + }, + { + "fc": {} + }, + { + "azureFile": {} + }, + { + "vsphereVolume": {} + }, + { + "quobyte": {} + }, + { + "azureDisk": {} + }, + { + "photonPersistentDisk": {} + }, + { + "portworxVolume": {} + }, + { + "scaleIO": {} + }, + { + "storageos": {} + }, + { + "unknown": {} + } + ] + } + }`), + allowed: true, + }, + { + name: "restricted_volume_types_defines_allow_positive", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Volume Types", + "restrictedField": "spec.volumes[*].awsElasticBlockStore", + "values": [""] + }, + { + "controlName": "Volume Types", + "restrictedField": "spec.volumes[*].azureDisk", + "values": [""] + }, + { + "controlName": "Volume Types", + "restrictedField": 
"spec.volumes[*].azureFile", + "values": [""] + }, + { + "controlName": "Volume Types", + "restrictedField": "spec.volumes[*].cephfs", + "values": [""] + }, + { + "controlName": "Volume Types", + "restrictedField": "spec.volumes[*].cinder", + "values": [""] + }, + { + "controlName": "Volume Types", + "restrictedField": "spec.volumes[*].fc", + "values": [""] + }, + { + "controlName": "Volume Types", + "restrictedField": "spec.volumes[*].flexVolume", + "values": [""] + }, + { + "controlName": "Volume Types", + "restrictedField": "spec.volumes[*].flocker", + "values": [""] + }, + { + "controlName": "Volume Types", + "restrictedField": "spec.volumes[*].gitRepo", + "values": [""] + }, + { + "controlName": "Volume Types", + "restrictedField": "spec.volumes[*].glusterfs", + "values": [""] + }, + { + "controlName": "Volume Types", + "restrictedField": "spec.volumes[*].hostPath", + "values": [""] + }, + { + "controlName": "Volume Types", + "restrictedField": "spec.volumes[*].iscsi", + "values": [""] + }, + { + "controlName": "Volume Types", + "restrictedField": "spec.volumes[*].nfs", + "values": [""] + }, + { + "controlName": "Volume Types", + "restrictedField": "spec.volumes[*].photonPersistentDisk", + "values": [""] + }, + { + "controlName": "Volume Types", + "restrictedField": "spec.volumes[*].portworxVolume", + "values": [""] + }, + { + "controlName": "Volume Types", + "restrictedField": "spec.volumes[*].quobyte", + "values": [""] + }, + { + "controlName": "Volume Types", + "restrictedField": "spec.volumes[*].rbd", + "values": [""] + }, + { + "controlName": "Volume Types", + "restrictedField": "spec.volumes[*].scaleIO", + "values": [""] + }, + { + "controlName": "Volume Types", + "restrictedField": "spec.volumes[*].storageos", + "values": [""] + }, + { + "controlName": "Volume Types", + "restrictedField": "spec.volumes[*].unknown", + "values": [""] + }, + { + "controlName": "Volume Types", + "restrictedField": "spec.volumes[*].vsphereVolume", + "values": [""] + }, + { + 
"controlName": "HostPath Volumes", + "restrictedField": "spec.volumes[*].hostPath", + "values": [""] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsNonRoot": true, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ], + "volumes": [ + { + "emptyDir": {} + }, + { + "secret": {} + }, + { + "persistentVolumeClaim": {} + }, + { + "downwardAPI": {} + }, + { + "configMap": {} + }, + { + "projected": {} + }, + { + "csi": {} + }, + { + "ephemeral": {} + }, + { + "hostPath": {} + }, + { + "awsElasticBlockStore": {} + }, + { + "gitRepo": {} + }, + { + "nfs": {} + }, + { + "iscsi": {} + }, + { + "glusterfs": {} + }, + { + "rbd": {} + }, + { + "flexVolume": {} + }, + { + "cinder": {} + }, + { + "cephfs": {} + }, + { + "flocker": {} + }, + { + "fc": {} + }, + { + "azureFile": {} + }, + { + "vsphereVolume": {} + }, + { + "quobyte": {} + }, + { + "azureDisk": {} + }, + { + "photonPersistentDisk": {} + }, + { + "portworxVolume": {} + }, + { + "scaleIO": {} + }, + { + "storageos": {} + }, + { + "unknown": {} + } + ] + } + }`), + allowed: true, + }, } var restricted_privilege_escalation = []testCase{ 
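Review bot: In `restricted_volume_types_defines_allow_positive` every exclusion uses `"values": [""]` and every volume source in the pod is an empty object (`"hostPath": {}` and friends), so the case only pins that an empty source matches an empty string; it does not show how a populated source such as `"hostPath": {"path": "/var/run"}` is compared, which is what operators will actually write. Please add a case with a populated `hostPath` and the corresponding `values` entry so the comparison rule for object-valued fields is documented by a test rather than implied, and add a short comment above the rule, e.g. `// an empty string in values matches an empty volume-source object`. Note also that the volumes carry no `name`, so these fixtures would be rejected by API validation outside this unit test.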
@@ -3110,6 +6485,290 @@ var restricted_privilege_escalation = []testCase{ allowed: true, }, + { + name: "restricted_privilege_escalation_defines_container_violate_none", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Privilege Escalation", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": null, + "runAsNonRoot": true, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": false, + "runAsNonRoot": true, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": true, + "runAsNonRoot": true, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + + { + name: "restricted_privilege_escalation_defines_container_allow_negative", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Privilege Escalation", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.allowPrivilegeEscalation", + "values": ["falses"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": null, + "runAsNonRoot": true, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": false, + "runAsNonRoot": true, + "capabilities": 
{ + "drop": [ + "ALL" + ] + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": true, + "runAsNonRoot": true, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: false, + }, + + { + name: "restricted_privilege_escalation_defines_initContainer_&_ephemeralContainer_allow_positive", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Privilege Escalation", + "images": [ + "nginx" + ], + "restrictedField": "spec.initContainers[*].securityContext.allowPrivilegeEscalation", + "values": ["true"] + }, + { + "controlName": "Privilege Escalation", + "images": [ + "nginx" + ], + "restrictedField": "spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation", + "values": ["true"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": true, + "runAsNonRoot": true, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ], + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": true, + "runAsNonRoot": true, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + + { + name: "restricted_privilege_escalation_defines_initContainer_&_ephemeralContainer_allow_negative", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Privilege Escalation", + "images": [ + "nginx" + ], + "restrictedField": "spec.initContainers[*].securityContext.allowPrivilegeEscalation", + "values": ["true"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seccompProfile": { + 
"type": "RuntimeDefault" + } + }, + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": true, + "runAsNonRoot": true, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ], + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": true, + "runAsNonRoot": true, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: false, + }, + { name: "restricted_privilege_escalation_defines_init_container_violate_true", rawRule: []byte(` @@ -3298,6 +6957,54 @@ var restricted_privilege_escalation = []testCase{ } var restricted_runAsNonRoot = []testCase{ + { + name: "restricted_runAsNonRoot_defines_all_violate_none", + rawRule: []byte(`{ + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Running as Non-root", + "images": [ + "nginx" + ] + }, + { + "controlName": "Privilege Escalation", + "images": [ + "nginx" + ] + }, + { + "controlName": "Capabilities", + "images": [ + "nginx" + ] + }, + { + "controlName": "Seccomp", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(`{ + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx" + } + ] + } + }`), + allowed: true, + }, { name: "restricted_runAsNonRoot_defines_all_violate_spec_true_container_false", rawRule: []byte(`{ 
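Review bot: The negative case `restricted_privilege_escalation_defines_container_allow_negative` uses `"values": ["falses"]`, which reads like a typo for `"false"` rather than a deliberately non-matching value. Since the violating container sets `"allowPrivilegeEscalation": true`, the meaningful negative is `"values": ["false"]` — it proves that an exclusion for the compliant value does not cover the violating one — whereas `"falses"` matches nothing and tells a reader little. Also, the first container sets `"allowPrivilegeEscalation": null`, which the restricted profile treats as a violation as well; none of the new cases excludes that unset form, so whether `values` can target it at all is left untested.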
@@ -3340,6 +7047,94 @@ var restricted_runAsNonRoot = []testCase{ }`), allowed: true, }, + { + name: "restricted_runAsNonRoot_defines_all_violate_spec_true_container_false_allow_positive", + rawRule: []byte(`{ + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Running as Non-root", + "restrictedField": "spec.securityContext.runAsNonRoot", + "values": ["false"] + } + ] + }`), + rawPod: []byte(`{ + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsNonRoot": false, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsNonRoot": true, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "restricted_runAsNonRoot_defines_all_violate_spec_true_container_false_allow_negative", + rawRule: []byte(`{ + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Running as Non-root", + "restrictedField": "spec.securityContext.runAsNonRoot", + "values": ["true"] + } + ] + }`), + rawPod: []byte(`{ + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsNonRoot": false, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsNonRoot": true, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: false, + }, { name: "restricted_runAsNonRoot_defines_all_violate_spec_false_container_false", rawRule: []byte(`{ 
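Review bot: The case name `restricted_runAsNonRoot_defines_all_violate_none` does not describe its fixture: the pod defines no security context at all and so violates all four restricted controls, which the four image-scoped exclusions then waive. The `defines_none` suffix is what this file uses for that shape elsewhere (`restricted_runAsNonRoot_defines_none` is added later in the same var), so `restricted_runAsNonRoot_defines_none_exclude_all` would read consistently. A one-line comment above the case, `// every control is excluded for image nginx, so a bare container is admitted`, would make the expected `allowed: true` self-explanatory.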
@@ -3383,13 +7178,175 @@ var restricted_runAsNonRoot = []testCase{ allowed: true, }, { - name: "restricted_runAsNonRoot_defines_all_violate_spec_true_container_true_spec_level", + name: "restricted_runAsNonRoot_defines_all_violate_pod_nil", rawRule: []byte(`{ "level": "restricted", "version": "v1.24", "exclude": [ { "controlName": "Running as Non-root" + }, + { + "controlName": "Privilege Escalation", + "images": [ + "nginx" + ] + }, + { + "controlName": "Capabilities", + "images": [ + "nginx" + ] + }, + { + "controlName": "Running as Non-root", + "images": [ + "nginx" + ] + }, + { + "controlName": "Seccomp", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(`{ + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsNonRoot": true + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": null + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": {} + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsNonRoot": false, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsNonRoot": true, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "restricted_runAsNonRoot_defines_all_violate_multiple_container", + rawRule: []byte(`{ + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Running as Non-root" + }, + { + "controlName": "Privilege Escalation", + "images": [ + "nginx" + ] + }, + { + "controlName": "Capabilities", + "images": [ + "nginx" + ] + }, + { + "controlName": "Seccomp", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(`{ + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": null, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": null 
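Review bot: The two `_allow_positive` / `_allow_negative` cases differ only in the exclusion `values` (`["false"]` vs `["true"]`) for `spec.securityContext.runAsNonRoot`, yet nothing says why a pod whose only container sets `runAsNonRoot: true` needs an exclusion at all. If I read the restricted profile correctly, an explicit pod-level `runAsNonRoot: false` is rejected regardless of container-level overrides, which is the behaviour these fixtures depend on. A comment on the first of the two cases would spare the next reader that inference: `// pod-level runAsNonRoot=false is a violation even though the container overrides it to true`.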
+ }, + { + "name": "nginx", + "image": "nginx", + "securityContext": {} + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsNonRoot": false + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsNonRoot": true + } + } + ] + } + }`), + allowed: true, + }, + { + name: "restricted_runAsNonRoot_defines_all_violate_spec_true_container_true_spec_level_allowed_positive", + rawRule: []byte(`{ + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Running as Non-root", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.runAsNonRoot", + "values": ["false"] + }, + { + "controlName": "Running as Non-root", + "restrictedField": "spec.securityContext.runAsNonRoot", + "values": ["false"] } ] }`), 
@@ -3424,6 +7381,200 @@ var restricted_runAsNonRoot = []testCase{ }`), allowed: true, }, + { + name: "restricted_runAsNonRoot_defines_all_violate_spec_true_container_true_spec_level_allowed_negative", + rawRule: []byte(`{ + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Running as Non-root", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.runAsNonRoot", + "values": ["true"] + }, + { + "controlName": "Running as Non-root", + "restrictedField": "spec.securityContext.runAsNonRoot", + "values": ["false"] + } + ] + }`), + rawPod: []byte(`{ + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsNonRoot": false, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsNonRoot": false, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: false, + }, + { + name: "restricted_runAsNonRoot_defines_all_initContainer_&_ephemeralContainer_allowed_positive", + rawRule: []byte(`{ + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Running as Non-root", + "images": [ + "nginx" + ], + "restrictedField": "spec.initContainers[*].securityContext.runAsNonRoot", + "values": ["false"] + }, + { + "controlName": "Running as Non-root", + "images": [ + "nginx" + ], + "restrictedField": "spec.ephemeralContainers[*].securityContext.runAsNonRoot", + "values": ["false"] + }, + { + "controlName": "Running as Non-root", + "restrictedField": "spec.securityContext.runAsNonRoot", + "values": ["false"] + } + ] + }`), + rawPod: []byte(`{ + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsNonRoot": false, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + 
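Review bot: The names of the two new cases look swapped relative to their fixtures: `restricted_runAsNonRoot_defines_all_violate_pod_nil` has a pod-level `"securityContext": {"runAsNonRoot": true}`, while it is `restricted_runAsNonRoot_defines_all_violate_multiple_container` whose pod-level `"securityContext"` is `null`. The first case also lists "Running as Non-root" twice in `exclude`, once unscoped and once with `"images": ["nginx"]`; the unscoped entry already covers every container, so if the duplicate is meant to exercise overlapping exclusions a comment such as `// unscoped and image-scoped exclusions for the same control overlap on purpose` should say so, otherwise it should be dropped. Both fixtures also give all four containers the same name, which the API server would refuse, so they can only ever reach this check as unit-test inputs. The `_spec_level_allowed_positive` case that begins at the end of this hunk continues outside it.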
"runAsNonRoot": false, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ], + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsNonRoot": false, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "restricted_runAsNonRoot_defines_all_initContainer_&_ephemeralContainer_allowed_negative", + rawRule: []byte(`{ + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Running as Non-root", + "images": [ + "nginx" + ], + "restrictedField": "spec.ephemeralContainers[*].securityContext.runAsNonRoot", + "values": ["false"] + }, + { + "controlName": "Running as Non-root", + "restrictedField": "spec.securityContext.runAsNonRoot", + "values": ["false"] + } + ] + }`), + rawPod: []byte(`{ + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsNonRoot": false, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsNonRoot": false, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ], + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsNonRoot": false, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: false, + }, { name: "restricted_runAsNonRoot_defines_all_violate_spec_false_container_true_spec_level", rawRule: []byte(`{ @@ -3825,7 +7976,10 @@ var restricted_runAsNonRoot = []testCase{ "version": "v1.24", "exclude": [ { - "controlName": "Privilege Escalation" + "controlName": "Privilege Escalation", + "images": [ + "nginx" + ] } ] }`), 
@@ -3948,6 +8102,94 @@ var restricted_runAsNonRoot = []testCase{ }`), allowed: false, }, + { + name: "restricted_runAsNonRoot_defines_none", + rawRule: []byte(`{ + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Running as Non-root", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "restricted_runAsNonRoot_defines_none_not_match", + rawRule: []byte(`{ + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Privilege Escalation", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: false, + }, } var restricted_runAsUser = []testCase{ 
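Review bot: Within each of the two new cases the two raw literals are laid out differently: `rawRule: []byte(\`{` opens the JSON on the same line, while `rawPod: []byte(\`` is followed by a line break before the `{`; the cases added earlier in this var open both literals on the same line. Picking one form keeps the fixtures greppable and easier to diff. The expected results themselves look right: the only unexcluded control in `_defines_none_not_match` is "Running as Non-root", which the fixture leaves unset everywhere.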
@@ -3996,6 +8238,562 @@ var restricted_runAsUser = []testCase{ }`), allowed: true, }, + { + name: "restricted_runAsUser_defines_all_violate_null_spec_level", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Running as Non-root user" + }, + { + "controlName": "Privilege Escalation" + }, + { + "controlName": "Capabilities" + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsUser": 0, + "runAsNonRoot": true, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": null + } + ] + } + }`), + allowed: true, + }, + { + name: "restricted_runAsUser_defines_all_violate_null_spec_level_allow_positive", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Running as Non-root user", + "restrictedField": "spec.securityContext.runAsUser", + "values": ["0"] + }, + { + "controlName": "Privilege Escalation" + }, + { + "controlName": "Capabilities" + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsUser": 0, + "runAsNonRoot": true, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": null + } + ] + } + }`), + allowed: true, + }, + { + name: "restricted_runAsUser_defines_all_violate_null_spec_level_allow_negative", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Running as Non-root user", + "restrictedField": "spec.securityContext.runAsUser", + "values": ["1"] + }, + { + "controlName": "Privilege Escalation" + }, + { + "controlName": "Capabilities" + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + 
"runAsUser": 0, + "runAsNonRoot": true, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": null + } + ] + } + }`), + allowed: false, + }, + { + name: "restricted_runAsUser_defines_all_violate_false_multiple_containers", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Running as Non-root user", + "images": [ + "nginx" + ] + }, + { + "controlName": "Privilege Escalation", + "images": [ + "nginx" + ] + }, + { + "controlName": "Capabilities", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsUser": 1000, + "runAsNonRoot": true, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": null + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": {} + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsUser": 0, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsUser": 1, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "restricted_runAsUser_defines_all_multiple_containers_allow_positive", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Running as Non-root user", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.runAsUser", + "values": ["0"] + }, + { + "controlName": "Privilege Escalation", + "images": [ + "nginx" + ] + }, + { + "controlName": "Capabilities", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + 
"securityContext": { + "runAsUser": 1000, + "runAsNonRoot": true, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": null + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": {} + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsUser": 0, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsUser": 1, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "restricted_runAsUser_defines_all_multiple_containers_allow_negative", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Running as Non-root user", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.runAsUser", + "values": ["1"] + }, + { + "controlName": "Privilege Escalation", + "images": [ + "nginx" + ] + }, + { + "controlName": "Capabilities", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsUser": 1000, + "runAsNonRoot": true, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": null + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": {} + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsUser": 0, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsUser": 1, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: false, + }, + { + name: 
"restricted_runAsUser_defines_all_multiple_initContainer_&_ephemeralContainer_allow_positive", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Running as Non-root user", + "images": [ + "nginx" + ], + "restrictedField": "spec.initContainers[*].securityContext.runAsUser", + "values": ["0"] + }, + { + "controlName": "Running as Non-root user", + "images": [ + "nginx" + ], + "restrictedField": "spec.ephemeralContainers[*].securityContext.runAsUser", + "values": ["0"] + }, + { + "controlName": "Privilege Escalation", + "images": [ + "nginx" + ] + }, + { + "controlName": "Capabilities", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsUser": 1000, + "runAsNonRoot": true, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsUser": 0, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ], + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsUser": 0, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "restricted_runAsUser_defines_all_multiple_initContainer_&_ephemeralContainer_allow_negative", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Running as Non-root user", + "images": [ + "nginx" + ], + "restrictedField": "spec.initContainers[*].securityContext.runAsUser", + "values": ["0"] + }, + { + "controlName": "Running as Non-root user", + "images": [ + "nginx" + ], + "restrictedField": "spec.ephemeralContainers[*].securityContext.runAsUser", + "values": ["-1"] + }, + { + "controlName": "Privilege Escalation", + "images": [ + "nginx" + ] + }, + { + "controlName": 
"Capabilities", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsUser": 1000, + "runAsNonRoot": true, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsUser": 0, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ], + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "runAsUser": 0, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: false, + }, { name: "restricted_runAsUser_defines_all_violate_false_spec_level", rawRule: []byte(` @@ -4409,6 +9207,50 @@ var restricted_runAsUser = []testCase{ } var restricted_seccompProfile = []testCase{ + { + name: "restricted_seccompProfile_defines_container_no_seccompProfile", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Seccomp", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsNonRoot": true + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": {}, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: true, + }, { name: "restricted_seccompProfile_defines_container_violate_true", rawRule: []byte(` 
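Review bot: The `values` for `runAsUser` are written as strings (`"0"`, `"1"`, `"-1"`) while the pod field is an integer, and nothing in the fixtures says that the matcher presumably compares the stringified value; a comment on the first such case, `restricted_runAsUser_defines_all_violate_null_spec_level_allow_positive`, would save the next reader a trip into the matcher: `// exclusion values are strings; integer fields such as runAsUser are compared by their string form`. In `restricted_runAsUser_defines_all_multiple_initContainer_&_ephemeralContainer_allow_negative` the non-matching value is `"-1"`, which is not a UID the API server would accept, so a valid non-root UID such as `"1000"` would keep the negative case realistic while still failing to match the container's `runAsUser: 0`.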
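Review bot: The name `restricted_seccompProfile_defines_container_no_seccompProfile` does not match the fixture, whose container carries `"seccompProfile": {}`, a present object with no `type`, rather than an absent field. Those are two different nil-handling paths and both are worth a case; at minimum the intent should be stated above the fixture: `// seccompProfile is present but has no type; distinct from the field being absent`. The pod-level security context also sets no profile, so without the image-scoped "Seccomp" exclusion this pod would be rejected, which is what makes `allowed: true` meaningful here.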
@@ -4455,6 +9297,248 @@ var restricted_seccompProfile = []testCase{ }`), allowed: true, }, + { + name: "restricted_seccompProfile_defines_container_allow_positive", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Seccomp", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.seccompProfile.type", + "values": ["fakeValue"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsNonRoot": true + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "fakeValue" + }, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "restricted_seccompProfile_defines_container_allow_negative", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Seccomp", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.seccompProfile.type", + "values": ["fake"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsNonRoot": true + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "fakeValue" + }, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: false, + }, + { + name: "restricted_seccompProfile_defines_initContainer_&_ephemeralContainer_allow_positive", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Seccomp", + "images": [ + "nginx" + ], + "restrictedField": "spec.initContainers[*].securityContext.seccompProfile.type", + "values": ["fake1"] + }, + { + "controlName": "Seccomp", + "images": [ + "nginx" + ], + 
"restrictedField": "spec.ephemeralContainers[*].securityContext.seccompProfile.type", + "values": ["fake2"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsNonRoot": true + }, + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "fake1" + }, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ], + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "fake2" + }, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "restricted_seccompProfile_defines_initContainer_&_ephemeralContainer_allow_negative", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Seccomp", + "images": [ + "nginx" + ], + "restrictedField": "spec.initContainers[*].securityContext.seccompProfile.type", + "values": ["fake1"] + }, + { + "controlName": "Seccomp", + "images": [ + "nginx" + ], + "restrictedField": "spec.ephemeralContainers[*].securityContext.seccompProfile.type", + "values": ["fake1"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsNonRoot": true + }, + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "fake1" + }, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ], + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "fake2" + }, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: false, + }, { name: 
"restricted_seccompProfile_defines_spec_violate_true", rawRule: []byte(` 
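Review bot: The seccomp `type` values used throughout this hunk (`"fakeValue"`, `"fake1"`, `"fake2"`) are not valid seccomp profile types, so these fixtures could never reach admission as real pods; they only exercise exact matching of `restrictedField` values. That is a legitimate thing to test, but a reader would otherwise assume the fixtures are meant to be valid, so the first case should say so: `// "fakeValue" is not a real seccomp type; the case only checks exact matching of exclusion values`. The later hunk in this var already uses `"Unconfined"`, the one value the restricted profile actually forbids, so mirroring that here (with distinct valid types on the init and ephemeral containers for the negative case) would make the cases double as a check that a genuinely disallowed profile needs an explicit exclusion.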
@@ -4498,6 +9582,463 @@ var restricted_seccompProfile = []testCase{ }`), allowed: true, }, + { + name: "restricted_seccompProfile_defines_container_seccompProfile_type_unconfined", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Seccomp", + "images": [ + "nginx" + ] + }, + { + "controlName": "Seccomp" + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsNonRoot": true, + "seccompProfile": { + "type": "fakeValue" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "Unconfined" + }, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "restricted_seccompProfile_invalid", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Seccomp", + "images": [ + "nginx" + ] + }, + { + "controlName": "Seccomp" + }, + { + "controlName": "Privilege Escalation", + "images": [ + "nginx" + ] + }, + { + "controlName": "Capabilities", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsNonRoot": true, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": null + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": {} + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "Unconfined" + }, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + }, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } 
+ } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "Localhost" + }, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "restricted_seccompProfile_invalid_multiple_containers", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Privilege Escalation", + "images": [ + "nginx" + ] + }, + { + "controlName": "Capabilities", + "images": [ + "nginx" + ] + }, + { + "controlName": "Running as Non-root", + "images": [ + "nginx" + ] + }, + { + "controlName": "Seccomp", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": null, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": null + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": {} + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "Unconfined" + }, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + }, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "Localhost" + }, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "restricted_seccompProfile_invalid_multiple_containers_allow_positive", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Privilege Escalation", + "images": [ + "nginx" + ] + }, + { + "controlName": "Capabilities", + "images": [ + "nginx" + ] + }, + { + "controlName": 
"Running as Non-root", + "images": [ + "nginx" + ] + }, + { + "controlName": "Seccomp", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.seccompProfile.type", + "values": ["Unconfined"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": null, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": null + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": {} + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "Unconfined" + }, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + }, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "Localhost" + }, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "restricted_seccompProfile_invalid_multiple_containers_allow_negative", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Privilege Escalation" + }, + { + "controlName": "Capabilities" + }, + { + "controlName": "Running as Non-root" + }, + { + "controlName": "Seccomp", + "images": [ + "nginx1" + ], + "restrictedField": "spec.containers[*].securityContext.seccompProfile.type", + "values": ["unknown"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": null, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": null + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": {} + }, + { + "name": "nginx", + "image": 
"nginx1", + "securityContext": { + "seccompProfile": { + "type": "Unconfined" + }, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + }, + { + "name": "nginx", + "image": "nginx1", + "securityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + }, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "seccompProfile": { + "type": "Localhost" + }, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + } + } + } + ] + } + }`), + allowed: false, + }, { name: "restricted_seccompProfile_undefined", rawRule: []byte(` 
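Review bot: `restricted_seccompProfile_invalid_multiple_containers_allow_negative` may be rejected for a reason other than the one its name suggests: its "Seccomp" exclusion is scoped to image `nginx1`, but the first two containers use image `nginx` with a `null` / `{}` security context and no pod-level profile, so they are unexcluded seccomp violations regardless of whether `"unknown"` matches. Compared with the `_allow_positive` case immediately above, which scopes the exclusion to `nginx` and expects `true`, this case changes the image as well as the `values`, so it does not isolate the value mismatch. Keeping the images identical to the positive case and changing only `"values": ["Unconfined"]` to `["unknown"]` would make `allowed: false` attributable to the value check alone. The `_defines_container_seccompProfile_type_unconfined` case earlier in the hunk also lists "Seccomp" both unscoped and scoped to `nginx`; the unscoped entry subsumes the other, so a comment should state that the overlap is intentional.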
@@ -4798,6 +10339,416 @@ var restricted_capabilities = []testCase{ }`), allowed: true, }, + { + name: "restricted_capabilities_drop_defines_multiple_capabilities_violate_true", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Capabilities", + "images": [ + "nginx" + ] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsNonRoot": true, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + null + ], + "add": [ + "BAR", + "FOO" + ] + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "BAR", + "FOO" + ], + "add": [ + "BAR", + "BAZ" + ] + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL", + "FOO" + ], + "add": [ + "NET_BIND_SERVICE", + "CHOWN" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "restricted_capabilities_drop_defines_multiple_capabilities_allow_positive", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Capabilities", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.capabilities.add", + "values": ["BAR", "FOO", "BAZ", "CHOWN"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsNonRoot": true, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ], + "add": [ + "BAR", + "FOO" + ] + } + } + }, + { + "name": 
"nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL", + "BAR", + "FOO" + ], + "add": [ + "BAR", + "BAZ" + ] + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL", + "FOO" + ], + "add": [ + "NET_BIND_SERVICE", + "CHOWN" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "restricted_capabilities_drop_defines_multiple_capabilities_allow_negative", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Capabilities", + "images": [ + "nginx" + ], + "restrictedField": "spec.containers[*].securityContext.capabilities.add", + "values": ["BAR", "FOO", "BAZ"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsNonRoot": true, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "containers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ], + "add": [ + "BAR", + "FOO" + ] + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL", + "BAR", + "FOO" + ], + "add": [ + "BAR", + "BAZ" + ] + } + } + }, + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL", + "FOO" + ], + "add": [ + "NET_BIND_SERVICE", + "CHOWN" + ] + } + } + } + ] + } + }`), + allowed: false, + }, + { + name: "restricted_capabilities_drop_defines_initContainer_&_ephemeralContainer_allow_positive", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Capabilities", + "images": [ + "nginx" + ], + "restrictedField": 
"spec.initContainers[*].securityContext.capabilities.add", + "values": ["BAR"] + }, + { + "controlName": "Capabilities", + "images": [ + "nginx" + ], + "restrictedField": "spec.ephemeralContainers[*].securityContext.capabilities.add", + "values": ["FOO"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsNonRoot": true, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ], + "add": [ + "BAR" + ] + } + } + } + ], + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ], + "add": [ + "FOO" + ] + } + } + } + ] + } + }`), + allowed: true, + }, + { + name: "restricted_capabilities_drop_defines_initContainer_&_ephemeralContainer_allow_negative", + rawRule: []byte(` + { + "level": "restricted", + "version": "v1.24", + "exclude": [ + { + "controlName": "Capabilities", + "images": [ + "nginx" + ], + "restrictedField": "spec.initContainers[*].securityContext.capabilities.add", + "values": ["BAR"] + }, + { + "controlName": "Capabilities", + "images": [ + "nginx" + ], + "restrictedField": "spec.ephemeralContainers[*].securityContext.capabilities.add", + "values": ["BAR"] + } + ] + }`), + rawPod: []byte(` + { + "kind": "Pod", + "metadata": { + "name": "test" + }, + "spec": { + "securityContext": { + "runAsNonRoot": true, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "initContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ], + "add": [ + "BAR" + ] + } + } + } + ], + "ephemeralContainers": [ + { + "name": "nginx", + "image": "nginx", + "securityContext": { + "allowPrivilegeEscalation": 
false, + "capabilities": { + "drop": [ + "ALL" + ], + "add": [ + "FOO" + ] + } + } + } + ] + } + }`), + allowed: false, + }, { name: "restricted_capabilities_add_undefined_not_match_block", rawRule: []byte(` diff --git a/test/conformance/chainsaw/reports/background/test-report-background-mode/report-assert.yaml b/test/conformance/chainsaw/reports/background/test-report-background-mode/report-assert.yaml index d1ea83f8ed..364f0a994d 100644 --- a/test/conformance/chainsaw/reports/background/test-report-background-mode/report-assert.yaml +++ b/test/conformance/chainsaw/reports/background/test-report-background-mode/report-assert.yaml @@ -13,8 +13,9 @@ scope: namespace: default results: - category: Pod Security - message: | - Validation rule 'restricted' failed. It violates PodSecurity "restricted:latest": ({Allowed:false ForbiddenReason:unrestricted capabilities ForbiddenDetail:container "container01" must set securityContext.capabilities.drop=["ALL"]}) + message: "Validation rule 'restricted' failed. It violates PodSecurity \"restricted:latest\": + \n(Forbidden reason: unrestricted capabilities, field error list: [spec.containers[0].securityContext.capabilities.drop: + Required value])" policy: podsecurity-subrule-restricted properties: controls: capabilities_restricted diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/README.md new file mode 100644 index 0000000000..c59ed5dd51 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/README.md 
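Review bot: Every `add`-restricted case in this hunk keeps `drop: ["ALL"]` in all containers, so nothing here shows that an exclusion with `restrictedField: "spec.containers[*].securityContext.capabilities.add"` leaves the `drop` requirement enforced; the only containers that omit `ALL` (`drop: [null]` and `drop: ["BAR","FOO"]` in `restricted_capabilities_drop_defines_multiple_capabilities_violate_true`) sit under an exclusion with no `restrictedField`, which the `allowed: true` there implies waives the whole Capabilities control. A companion case that reuses the `..._allow_positive` rule but drops only `["BAR","FOO"]` in one container, with `allowed: false`, would pin that the exclusion is scoped to `add` alone. The fixtures also give every container the name `nginx`; an API server rejects duplicate container names, which is harmless for a unit test but means these pods cannot be replayed against a cluster as-is. The enclosing `restricted_capabilities` slice starts before the hunk, as the `@@` header shows.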
@@ -0,0 +1,7 @@ +## Description + +This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully. + +## Expected Behavior + +Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Capabilities` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `Capabilities` PSS check. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/bad-pod.yaml new file mode 100644 index 0000000000..8b924f199a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/bad-pod.yaml @@ -0,0 +1,36 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + capabilities: + add: + - bar + - baz + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + capabilities: + add: + - baz + ephemeralContainers: + - name: nginx3 + image: nginx + args: + - sleep + - 1d + securityContext: + capabilities: + add: + - foo diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/chainsaw-test.yaml new file mode 100644 index 0000000000..f31c14a3bb --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/chainsaw-test.yaml 
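Review bot: `bad-pod` carries an `ephemeralContainers` entry, and upstream Pod validation forbids `ephemeralContainers` on create and runs before validating webhooks; if that holds on the test cluster, the `($error != null): true` expectation in `chainsaw-test.yaml` is satisfied by the API server rather than by the policy, so the step proves nothing about the `Capabilities` exclusion. The regular container's `add: [bar, baz]` already exceeds the `foo` exclusion in `policy.yaml`, so removing the `ephemeralContainers` block keeps the pod non-compliant for the reason the test is meant to check. Alternatively, assert on the error text so a policy denial is distinguished from a schema rejection.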
@@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: test-exclusion-capabilities +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: bad-pod.yaml + - apply: + file: excluded-pod.yaml + - apply: + file: good-pod.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/excluded-pod.yaml new file mode 100644 index 0000000000..f150d66e51 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/excluded-pod.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: excluded-pod +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + capabilities: + add: + - foo + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + capabilities: + add: + - baz + diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/good-pod.yaml new file mode 100644 index 0000000000..ff26cffee9 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/good-pod.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: good-pod +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + capabilities: + add: + - CHOWN + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + capabilities: + add: + - FOWNER + + 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/policy-assert.yaml new file mode 100644 index 0000000000..15c3374370 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-capabilities +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/policy.yaml new file mode 100644 index 0000000000..2f6900595f --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/policy.yaml @@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-capabilities +spec: + background: true + validationFailureAction: Enforce + rules: + - name: test-exclusion-capabilities + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: baseline + version: latest + exclude: + - controlName: "Capabilities" + images: + - nginx + restrictedField: "spec.containers[*].securityContext.capabilities.add" + values: + - "foo" + - controlName: "Capabilities" + images: + - nginx + restrictedField: "spec.initContainers[*].securityContext.capabilities.add" + values: + - "baz" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/README.md new file mode 100644 index 0000000000..e87d5374d4 --- /dev/null 
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/README.md @@ -0,0 +1,7 @@ +## Description + +This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully. + +## Expected Behavior + +Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Host Namespaces` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `Host Namespaces` PSS check. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/bad-pod.yaml new file mode 100644 index 0000000000..2719adf27a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/bad-pod.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod +spec: + hostPID: true + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/chainsaw-test.yaml new file mode 100644 index 0000000000..6a05e375f1 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: test-exclusion-host-namespaces +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: bad-pod.yaml + - apply: + file: excluded-pod.yaml + - apply: + file: good-pod.yaml 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/excluded-pod.yaml new file mode 100644 index 0000000000..e3a67396a1 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/excluded-pod.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: excluded-pod +spec: + hostNetwork: true + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/good-pod.yaml new file mode 100644 index 0000000000..39fd7702e1 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/good-pod.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: good-pod +spec: + hostNetwork: false + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/policy-assert.yaml new file mode 100644 index 0000000000..5e3b676332 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-host-namespaces +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/policy.yaml new file mode 100644 index 0000000000..d4ab72b505 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/policy.yaml @@ -0,0 +1,23 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-host-namespaces +spec: + background: true + validationFailureAction: Enforce + rules: + - name: test-exclusion-host-namespaces + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: baseline + version: latest + exclude: + - controlName: "Host Namespaces" + restrictedField: "spec.hostNetwork" + values: + - "true" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/README.md new file mode 100644 index 0000000000..2d2caf46c7 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/README.md @@ -0,0 +1,7 @@ +## Description + +This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully. + +## Expected Behavior + +Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Host Ports` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `Host Ports` PSS check. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/bad-pod.yaml new file mode 100644 index 0000000000..de32930635 --- /dev/null 
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/bad-pod.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + ports: + - hostPort: 20 + containerPort: 80 + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + ports: + - hostPort: 20 + containerPort: 80 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/chainsaw-test.yaml new file mode 100644 index 0000000000..31ffadacae --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: test-exclusion-host-ports +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: bad-pod.yaml + - apply: + file: excluded-pod.yaml + - apply: + file: good-pod.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/excluded-pod.yaml new file mode 100644 index 0000000000..01d0611ac0 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/excluded-pod.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: excluded-pod +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + ports: + - hostPort: 10 + containerPort: 80 + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + ports: + - hostPort: 20 + containerPort: 80 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/good-pod.yaml new file mode 100644 index 0000000000..35cac2453b --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/good-pod.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: good-pod +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + ports: + - hostPort: 0 + containerPort: 80 + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + ports: + - hostPort: 0 + containerPort: 80 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/policy-assert.yaml new file mode 100644 index 0000000000..a137213552 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-host-ports +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/policy.yaml new file mode 100644 index 0000000000..6033ebdac7 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/policy.yaml 
@@ -0,0 +1,32 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-host-ports +spec: + background: true + validationFailureAction: Enforce + rules: + - name: test-exclusion-host-ports + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: baseline + version: latest + exclude: + - controlName: "Host Ports" + images: + - nginx + restrictedField: "spec.containers[*].ports[*].hostPort" + values: + - "10" + - controlName: "Host Ports" + images: + - nginx + restrictedField: "spec.initContainers[*].ports[*].hostPort" + values: + - "20" + diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/README.md new file mode 100644 index 0000000000..15b6c2aee2 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/README.md @@ -0,0 +1,7 @@ +## Description + +This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully. + +## Expected Behavior + +Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `HostPath Volumes` PSS check. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/chainsaw-test.yaml new file mode 100644 index 0000000000..e52a274da5 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/chainsaw-test.yaml 
@@ -0,0 +1,19 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: test-exclusion-hostpath-volume +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + file: excluded-pod.yaml + - apply: + file: good-pod.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/excluded-pod.yaml new file mode 100644 index 0000000000..270df05f68 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/excluded-pod.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: excluded-pod +spec: + volumes: + - name: host + hostPath: + path: /var/lib1 + containers: + - name: nginx + image: nginx + args: + - sleep + - 1d diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/good-pod.yaml new file mode 100644 index 0000000000..b5950f7a11 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/good-pod.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: good-pod +spec: + containers: + - name: nginx + image: nginx + args: + - sleep + - 1d diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/policy-assert.yaml new file mode 100644 index 0000000000..f9ae6dc5af --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/policy-assert.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-hostpath-volumes +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/policy.yaml new file mode 100644 index 0000000000..8756065eac --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/policy.yaml @@ -0,0 +1,23 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-hostpath-volumes +spec: + background: true + validationFailureAction: Enforce + rules: + - name: test-exclusion-hostpath-volumes + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: baseline + version: latest + exclude: + - controlName: "HostPath Volumes" + restrictedField: "spec.volumes[*].hostPath" + values: + - "path" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/README.md new file mode 100644 index 0000000000..683dd82937 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/README.md @@ -0,0 +1,7 @@ +## Description + +This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully. + +## Expected Behavior + +Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `HostProcesses` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `HostProcesses` PSS check. 
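Review bot: `values: ["path"]` under `restrictedField: "spec.volumes[*].hostPath"` names the `hostPath` sub-field rather than a host path value (`excluded-pod` mounts `/var/lib1`), and nothing in this directory checks what that string is matched against: `chainsaw-test.yaml` has no `bad-pod` step, so the test passes equally whether the implementation matches `path` literally or simply waives the whole `HostPath Volumes` control. Add a negative pod with a hostPath the exclusion is not meant to cover (or confirm that `path` is the intended sentinel), and a comment above `values` stating what it is expected to match, e.g. `# "path" is matched against the hostPath sub-field, not a directory - confirm against the exclusion implementation`. The `test-exclusion-hostpath-volumes` name in `policy.yaml` and `policy-assert.yaml` differs from the directory name, but the two files agree with each other, so that is cosmetic.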
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/bad-pod.yaml new file mode 100644 index 0000000000..7d4b74fdf9 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/bad-pod.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod +spec: + securityContext: + windowsOptions: + hostProcess: true + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + windowsOptions: + hostProcess: true + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + windowsOptions: + hostProcess: true diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/chainsaw-test.yaml new file mode 100644 index 0000000000..60e01f882c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: test-exclusion-hostprocesses +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: bad-pod.yaml + - apply: + file: excluded-pod.yaml + - apply: + file: good-pod.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/excluded-pod.yaml new file mode 100644 index 0000000000..4f9e1e0b24 --- /dev/null 
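Review bot: As far as `policy.yaml` in this directory goes, `bad-pod` appears fully excluded: it sets `hostProcess: true` at pod, container and initContainer level, all three fields are covered by `HostProcess` exclusions with value `"true"` (the container ones for image `nginx`, which both containers use), and `hostNetwork` is unset so the `Host Namespaces` check passes too. The only thing distinguishing it from `excluded-pod` is the missing `hostNetwork: true`, which upstream Pod validation requires when HostProcess containers are present; if that is what produces `($error != null)` in `chainsaw-test.yaml`, the rejection comes from the API server, not from Kyverno, and the test does not show the exclusion is restricted at all. A pod that keeps `hostNetwork: true` but sets `hostProcess: true` on a container whose image is not `nginx` would presumably be denied by the policy itself and is the negative case this test needs.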
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/excluded-pod.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: excluded-pod +spec: + hostNetwork: true + securityContext: + windowsOptions: + hostProcess: true + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + windowsOptions: + hostProcess: true + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + windowsOptions: + hostProcess: true diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/good-pod.yaml new file mode 100644 index 0000000000..e59443d173 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/good-pod.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: good-pod +spec: + securityContext: + windowsOptions: + hostProcess: false + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + windowsOptions: + hostProcess: false + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + windowsOptions: + hostProcess: false diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/policy-assert.yaml new file mode 100644 index 0000000000..23cbe07db7 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-hostprocess +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/policy.yaml new file mode 100644 index 0000000000..646a92695a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/policy.yaml @@ -0,0 +1,39 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-hostprocess +spec: + background: true + validationFailureAction: Enforce + rules: + - name: test-exclusion-hostprocess + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: baseline + version: latest + exclude: + - controlName: "Host Namespaces" + restrictedField: "spec.hostNetwork" + values: + - "true" + - controlName: "HostProcess" + restrictedField: "spec.securityContext.windowsOptions.hostProcess" + values: + - "true" + - controlName: "HostProcess" + images: + - nginx + restrictedField: "spec.containers[*].securityContext.windowsOptions.hostProcess" + values: + - "true" + - controlName: "HostProcess" + images: + - nginx + restrictedField: "spec.initContainers[*].securityContext.windowsOptions.hostProcess" + values: + - "true" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/README.md new file mode 100644 index 0000000000..a07943a47c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/README.md 
@@ -0,0 +1,7 @@ +## Description + +This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully. + +## Expected Behavior + +Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Privilege Escalation` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Privilege Escalation` PSS check. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/bad-pod.yaml new file mode 100644 index 0000000000..fae5886b3f --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/bad-pod.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + capabilities: + drop: + - ALL + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + capabilities: + drop: + - ALL diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/chainsaw-test.yaml new file mode 100644 index 0000000000..4cc4f3b891 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/chainsaw-test.yaml 
@@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: test-exclusion-privilege-escalation +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: bad-pod.yaml + - apply: + file: excluded-pod.yaml + - apply: + file: good-pod.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/excluded-pod.yaml new file mode 100644 index 0000000000..de0fc8e35d --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/excluded-pod.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: excluded-pod +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/good-pod.yaml new file mode 100644 index 0000000000..a77c3d2524 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/good-pod.yaml 
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: good-pod +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/policy-assert.yaml new file mode 100644 index 0000000000..ca0fb3dde5 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-privilege-escalation +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/policy.yaml new file mode 100644 index 0000000000..795a9ad24d --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/policy.yaml 
@@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-privilege-escalation +spec: + background: true + validationFailureAction: Enforce + rules: + - name: test-exclusion-privilege-escalation + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: restricted + version: latest + exclude: + - controlName: "Privilege Escalation" + images: + - nginx + restrictedField: "spec.containers[*].securityContext.allowPrivilegeEscalation" + values: + - "true" + - controlName: "Privilege Escalation" + images: + - nginx + restrictedField: "spec.initContainers[*].securityContext.allowPrivilegeEscalation" + values: + - "true" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/README.md new file mode 100644 index 0000000000..797b269c72 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/README.md @@ -0,0 +1,7 @@ +## Description + +This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully. + +## Expected Behavior + +Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Privileged Containers` PSS check. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/chainsaw-test.yaml new file mode 100644 index 0000000000..9f98299f5b --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/chainsaw-test.yaml 
@@ -0,0 +1,19 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: test-exclusion-privileged-containers +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + file: excluded-pod.yaml + - apply: + file: good-pod.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/excluded-pod.yaml new file mode 100644 index 0000000000..82d287ba3b --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/excluded-pod.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: excluded-pod +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + privileged: true + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + privileged: true diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/good-pod.yaml new file mode 100644 index 0000000000..55242fc49e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/good-pod.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: good-pod +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + privileged: false + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + windowsOptions: + hostProcess: false 
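Review bot: test-exclusion-privileged-containers/chainsaw-test.yaml has no negative step, unlike the sibling tests (privilege-escalation, procmount, seccomp …) which each apply a `bad-pod.yaml` under `expect: - check: ($error != null): true`. Without a pod that is denied, this test cannot tell a correctly scoped exclusion from one that silently disables the whole `Privileged Containers` control — an exclusion that ignored `images` or `restrictedField` would still pass. I would add the same `apply`/`expect` step the other tests use, with a bad-pod fixture that sets `privileged: true` on an image not listed in the policy's `images:` list, so the image scoping is what produces the denial.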
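Review bot: In test-exclusion-privileged-containers/good-pod.yaml the init container `nginx2` sets `windowsOptions: hostProcess: false` rather than `privileged: false`, so the init-container path of the field under test is never exercised by the positive fixture; the block matches the init container in test-exclusion-hostprocesses/good-pod.yaml and looks like a copy-paste leftover. I would change it to `securityContext:` / `privileged: false` to mirror container `nginx1`.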
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/policy-assert.yaml new file mode 100644 index 0000000000..754f2b3064 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-privileged-containers +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/policy.yaml new file mode 100644 index 0000000000..ee775897fc --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/policy.yaml @@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-privileged-containers +spec: + background: true + validationFailureAction: Enforce + rules: + - name: test-exclusion-privileged-containers + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: baseline + version: latest + exclude: + - controlName: "Privileged Containers" + images: + - nginx + restrictedField: "spec.containers[*].securityContext.privileged" + values: + - "true" + - controlName: "Privileged Containers" + images: + - nginx + restrictedField: "spec.initContainers[*].securityContext.privileged" + values: + - "true" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/README.md new file mode 100644 index 0000000000..59c07abdd1 --- /dev/null 
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/README.md @@ -0,0 +1,7 @@ +## Description + +This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully. + +## Expected Behavior + +Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `/proc MountType` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `/proc MountType` PSS check. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/bad-pod.yaml new file mode 100644 index 0000000000..148adde34d --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/bad-pod.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + procMount: unknown + initContainers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + procMount: other diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/chainsaw-test.yaml new file mode 100644 index 0000000000..1dbb3c4cb1 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/chainsaw-test.yaml 
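Review bot: test-exclusion-procmount/bad-pod.yaml gives both the container and the init container the name `nginx1`; container names must be unique across `containers` and `initContainers`, so the API server rejects this pod on its own and `($error != null)` is satisfied regardless of what the Kyverno policy does. The negative case therefore does not prove the policy denies anything. The values `procMount: unknown` / `procMount: other` are probably rejected by API-server validation as well, since `procMount` is an enum; I would rename the init container to `nginx2` and use `procMount: Unmasked` on an image not listed in the policy's `images:` so the denial comes from the policy, not from schema validation.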
@@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: test-exclusion-procmount +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: bad-pod.yaml + - apply: + file: excluded-pod.yaml + - apply: + file: good-pod.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/excluded-pod.yaml new file mode 100644 index 0000000000..0396aee149 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/excluded-pod.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: excluded-pod +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + procMount: foo + # initContainers: + # - name: nginx2 + # image: nginx + # args: + # - sleep + # - 1d + # securityContext: + # procMount: bar diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/good-pod.yaml new file mode 100644 index 0000000000..3ddbae6e47 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/good-pod.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: good-pod +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + procMount: default + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + procMount: default 
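Review bot: test-exclusion-procmount/excluded-pod.yaml has its whole `initContainers` block commented out, so the second exclusion in test-exclusion-procmount/policy.yaml (`spec.initContainers[*].securityContext.procMount` with value `"bar"`) is never exercised by any fixture in this test. Either restore the init container (uncommenting the block, with `nginx2` as the name) or drop the unused exclusion entry, otherwise the policy carries an untested permission. Also, `procMount: foo` is not one of the values the API server accepts for this field, so if validation enforces the enum the "excluded" apply may fail for a reason unrelated to the exclusion; `Unmasked` is the value that is valid yet violates the baseline check, and using it in both the fixture and `values:` would make the exclusion the only thing under test.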
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/policy-assert.yaml new file mode 100644 index 0000000000..4f48e3a387 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-procmount +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/policy.yaml new file mode 100644 index 0000000000..37c460c781 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-procmount/policy.yaml @@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-procmount +spec: + background: true + validationFailureAction: Enforce + rules: + - name: test-exclusion-procmount + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: baseline + version: latest + exclude: + - controlName: "/proc Mount Type" + images: + - nginx + restrictedField: "spec.containers[*].securityContext.procMount" + values: + - "foo" + - controlName: "/proc Mount Type" + images: + - nginx + restrictedField: "spec.initContainers[*].securityContext.procMount" + values: + - "bar" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/README.md new file mode 100644 index 0000000000..9a050435fb --- /dev/null 
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/README.md @@ -0,0 +1,7 @@ +## Description + +This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully. + +## Expected Behavior + +Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Capabilities` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Capabilities` PSS check. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/bad-pod.yaml new file mode 100644 index 0000000000..a18e0262df --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/bad-pod.yaml @@ -0,0 +1,37 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - bar + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - baz diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/chainsaw-test.yaml new file mode 100644 index 0000000000..3618ab3150 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/chainsaw-test.yaml 
@@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: test-exclusion-restricted-capabilities +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: bad-pod.yaml + - apply: + file: excluded-pod.yaml + - apply: + file: good-pod.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/excluded-pod.yaml new file mode 100644 index 0000000000..47d53e34a2 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/excluded-pod.yaml @@ -0,0 +1,37 @@ +apiVersion: v1 +kind: Pod +metadata: + name: excluded-pod +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - foo + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - baz diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/good-pod.yaml new file mode 100644 index 0000000000..75d8a20084 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/good-pod.yaml 
@@ -0,0 +1,35 @@ +apiVersion: v1 +kind: Pod +metadata: + name: good-pod +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/policy-assert.yaml new file mode 100644 index 0000000000..8e9265264a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-restricted-capabilities +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/policy.yaml new file mode 100644 index 0000000000..766cba4e4a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/policy.yaml 
@@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-restricted-capabilities +spec: + background: true + validationFailureAction: Enforce + rules: + - name: test-exclusion-restricted-capabilities + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: restricted + version: latest + exclude: + - controlName: "Capabilities" + images: + - nginx + restrictedField: "spec.containers[*].securityContext.capabilities.add" + values: + - "foo" + - controlName: "Capabilities" + images: + - nginx + restrictedField: "spec.initContainers[*].securityContext.capabilities.add" + values: + - "baz" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/README.md new file mode 100644 index 0000000000..dbc1666d30 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/README.md @@ -0,0 +1,7 @@ +## Description + +This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully. + +## Expected Behavior + +Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Seccomp` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Seccomp` PSS check. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/bad-pod.yaml new file mode 100644 index 0000000000..abaf76e009 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/bad-pod.yaml 
@@ -0,0 +1,36 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod +spec: + securityContext: + seccompProfile: + type: foo + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: baz + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: Localhost + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/chainsaw-test.yaml new file mode 100644 index 0000000000..cf7c618a8e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: test-exclusion-restricted-seccomp +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: bad-pod.yaml + - apply: + file: excluded-pod.yaml + - apply: + file: good-pod.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/excluded-pod.yaml new file mode 100644 index 0000000000..38b7005b67 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/excluded-pod.yaml 
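Review bot: test-exclusion-restricted-seccomp/bad-pod.yaml is rejected by API-server validation before any policy decision: `seccompProfile.type` only accepts `RuntimeDefault`, `Localhost` and `Unconfined`, so `type: foo` and `type: baz` fail schema validation, and `type: Localhost` on `nginx2` requires a `localhostProfile`. As with the procmount bad-pod, `($error != null)` then passes even if the exclusion were far too broad, so the negative step does not verify the policy. I would use `type: Unconfined` on a container whose image is not in the policy's `images:` list, which is valid for the API server, violates restricted, and is outside the exclusion.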
@@ -0,0 +1,36 @@ +apiVersion: v1 +kind: Pod +metadata: + name: excluded-pod +spec: + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: Unconfined + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: Unconfined + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/good-pod.yaml new file mode 100644 index 0000000000..e540909a01 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/good-pod.yaml @@ -0,0 +1,36 @@ +apiVersion: v1 +kind: Pod +metadata: + name: good-pod +spec: + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/policy-assert.yaml new file mode 100644 index 0000000000..fa3c8d69b8 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/policy-assert.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-restricted-seccomp +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml new file mode 100644 index 0000000000..f13dd4c9a7 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-restricted-seccomp +spec: + background: true + validationFailureAction: Enforce + rules: + - name: test-exclusion-restricted-seccomp + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: restricted + version: latest + exclude: + - controlName: "Seccomp" + restrictedField: "spec.securityContext.seccompProfile.type" + values: + - "Unconfined" + - controlName: "Seccomp" + images: + - nginx + restrictedField: "spec.containers[*].securityContext.seccompProfile.type" + values: + - "Unconfined" + - controlName: "Seccomp" + images: + - nginx + restrictedField: "spec.initContainers[*].securityContext.seccompProfile.type" + values: + - "Unconfined" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/README.md new file mode 100644 index 0000000000..4d7c2a17bc --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/README.md 
@@ -0,0 +1,7 @@ +## Description + +This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully. + +## Expected Behavior + +Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Running as Non-root User` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Running as Non-root User` PSS check. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/bad-pod.yaml new file mode 100644 index 0000000000..6dd38f2701 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/bad-pod.yaml @@ -0,0 +1,35 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + runAsUser: 1 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + runAsUser: 0 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/chainsaw-test.yaml new file mode 100644 index 0000000000..c3d11ab7c3 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/chainsaw-test.yaml 
@@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: test-exclusion-running-as-nonroot-user +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: bad-pod.yaml + - apply: + file: excluded-pod.yaml + - apply: + file: good-pod.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/excluded-pod.yaml new file mode 100644 index 0000000000..91ac325437 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/excluded-pod.yaml @@ -0,0 +1,35 @@ +apiVersion: v1 +kind: Pod +metadata: + name: excluded-pod +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + runAsUser: 0 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + runAsUser: 10 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/good-pod.yaml new file mode 100644 index 0000000000..3911cedb23 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/good-pod.yaml 
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/policy-assert.yaml
new file mode 100644
index 0000000000..7d7d2c13c1
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-running-as-non-root-user
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/policy.yaml
new file mode 100644
index 0000000000..e5f15a04be
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/policy.yaml
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-running-as-non-root-user
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: test-exclusion-running-as-non-root-user
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: restricted
+ version: latest
+ exclude:
+ - controlName: "Running as Non-root user"
+ restrictedField: "spec.securityContext.runAsUser"
+ values:
+ - "0"
+ - controlName: "Running as Non-root user"
+ images:
+ - nginx
+ restrictedField: "spec.containers[*].securityContext.runAsUser"
+ values:
+ - "0"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/README.md
new file mode 100644
index 0000000000..3ca78c89e0
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
+
+## Expected Behavior
+
+Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Running as Non-root` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Running as Non-root` PSS check.
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/bad-pod.yaml
new file mode 100644
index 0000000000..cb3b8e9cba
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/bad-pod.yaml
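Review bot: The first exclusion entry, `restrictedField: "spec.securityContext.runAsUser"`, is never exercised: neither excluded-pod nor bad-pod in this directory sets a pod-level `securityContext`, so the step passes solely on the `spec.containers[*]` entry and a regression in pod-level field matching would go unnoticed. The policy.yaml of test-exclusion-running-as-nonroot has the same dead entry for `spec.securityContext.runAsNonRoot`. Either drop the unused entries or give each excluded-pod a pod-level `securityContext` (`runAsUser: 0` here, `runAsNonRoot: false` there) so both match paths are covered. Note also that the pod-level entry carries no `images` filter, so it is broader than the container-level one; a one-line comment saying that is intentional would help.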
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/chainsaw-test.yaml
new file mode 100644
index 0000000000..1890ea875c
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: test-exclusion-running-as-nonroot
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod.yaml
+ - apply:
+ file: excluded-pod.yaml
+ - apply:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/excluded-pod.yaml
new file mode 100644
index 0000000000..81e0db391e
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/excluded-pod.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: excluded-pod
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/good-pod.yaml
new file mode 100644
index 0000000000..a77c3d2524
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/good-pod.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/policy-assert.yaml
new file mode 100644
index 0000000000..df09dc96cc
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-running-as-non-root
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/policy.yaml
new file mode 100644
index 0000000000..a52ba806b3
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/policy.yaml
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-running-as-non-root
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: test-exclusion-running-as-non-root
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: restricted
+ version: latest
+ exclude:
+ - controlName: "Running as Non-root"
+ restrictedField: "spec.securityContext.runAsNonRoot"
+ values:
+ - "false"
+ - controlName: "Running as Non-root"
+ images:
+ - nginx
+ restrictedField: "spec.containers[*].securityContext.runAsNonRoot"
+ values:
+ - "false"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/README.md
new file mode 100644
index 0000000000..05d0308040
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
+
+## Expected Behavior
+
+Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Seccomp` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `Seccomp` PSS check.
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/bad-pod.yaml
new file mode 100644
index 0000000000..1d082f4bf2
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/bad-pod.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod
+spec:
+ securityContext:
+ seccompProfile:
+ type: foo
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: baz
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: Localhost
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/chainsaw-test.yaml
new file mode 100644
index 0000000000..1b2c1061e3
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: test-exclusion-seccomp
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod.yaml
+ - apply:
+ file: excluded-pod.yaml
+ - apply:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/excluded-pod.yaml
new file mode 100644
index 0000000000..b0d349eb6a
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/excluded-pod.yaml
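Review bot: bad-pod.yaml is, as far as I can tell, rejected by the API server's own schema validation before any policy runs: `seccompProfile.type` only accepts Unconfined, RuntimeDefault or Localhost, so `foo` and `baz` are invalid, and `Localhost` requires a `localhostProfile`. Because chainsaw-test.yaml only asserts `($error != null): true`, the step passes even if the Seccomp exclusion logic regresses, which is the thing this directory exists to test. A fixture that is schema-valid yet violates baseline and is not covered by the exclusion — for instance a container whose `image` is not `nginx` using `type: Unconfined` — would make the denial come from the policy; a comment on the fixture naming the expected denial reason would make the intent auditable. The volume-types bad-pod has the same problem with `type: Localhost` and no `localhostProfile`.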
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: excluded-pod
+spec:
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: Unconfined
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/good-pod.yaml
new file mode 100644
index 0000000000..d33891a772
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/good-pod.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod
+spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/policy-assert.yaml
new file mode 100644
index 0000000000..60894fe185
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-seccomp
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/policy.yaml
new file mode 100644
index 0000000000..77a97aaa6f
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/policy.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-seccomp
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: test-exclusion-seccomp
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
+ exclude:
+ - controlName: "Seccomp"
+ restrictedField: "spec.securityContext.seccompProfile.type"
+ values:
+ - "Unconfined"
+ - controlName: "Seccomp"
+ images:
+ - nginx
+ restrictedField: "spec.containers[*].securityContext.seccompProfile.type"
+ values:
+ - "Unconfined"
+ - controlName: "Seccomp"
+ images:
+ - nginx
+ restrictedField: "spec.initContainers[*].securityContext.seccompProfile.type"
+ values:
+ - "Unconfined"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/README.md
new file mode 100644
index 0000000000..a9f2af0d65
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
+
+## Expected Behavior
+
+Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `SELinux` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `SELinux` PSS check.
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/bad-pod.yaml
new file mode 100644
index 0000000000..c16b79179e
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/bad-pod.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: bar
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: foo
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/chainsaw-test.yaml
new file mode 100644
index 0000000000..2136f8d365
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: test-exclusion-selinux
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod.yaml
+ - apply:
+ file: excluded-pod.yaml
+ - apply:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/excluded-pod.yaml
new file mode 100644
index 0000000000..4ea456cd77
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/excluded-pod.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: excluded-pod
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: foo
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: bar
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/good-pod.yaml
new file mode 100644
index 0000000000..a5995c22df
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/good-pod.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/policy-assert.yaml
new file mode 100644
index 0000000000..9a05399776
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-selinux
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/policy.yaml
new file mode 100644
index 0000000000..7402f47910
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/policy.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-selinux
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: test-exclusion-selinux
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
+ exclude:
+ - controlName: "SELinux"
+ images:
+ - nginx
+ restrictedField: "spec.containers[*].securityContext.seLinuxOptions.type"
+ values:
+ - "foo"
+ - controlName: "SELinux"
+ images:
+ - nginx
+ restrictedField: "spec.initContainers[*].securityContext.seLinuxOptions.type"
+ values:
+ - "bar"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/README.md
new file mode 100644
index 0000000000..741afe0dab
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
+
+## Expected Behavior
+
+Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Sysctls` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `Sysctls` PSS check.
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/bad-pod.yaml
new file mode 100644
index 0000000000..896911317f
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/bad-pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod
+spec:
+ securityContext:
+ sysctls:
+ - name: unknown
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/chainsaw-test.yaml
new file mode 100644
index 0000000000..501fcc88fc
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: test-exclusion-sysctls
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod.yaml
+ - apply:
+ file: excluded-pod.yaml
+ - apply:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/excluded-pod.yaml
new file mode 100644
index 0000000000..aa631e076a
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/excluded-pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: excluded-pod
+spec:
+ securityContext:
+ sysctls:
+ - name: fake.value
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/good-pod.yaml
new file mode 100644
index 0000000000..3703127e00
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/good-pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod
+spec:
+ securityContext:
+ sysctls:
+ - name: net.ipv4.ip_unprivileged_port_start
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/policy-assert.yaml
new file mode 100644
index 0000000000..323c615563
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-sysctls
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/policy.yaml
new file mode 100644
index 0000000000..c33b74ee5f
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/policy.yaml
@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-sysctls
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: test-exclusion-sysctls
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
+ exclude:
+ - controlName: "Sysctls"
+ restrictedField: "spec.securityContext.sysctls[*].name"
+ values:
+ - "fake.value"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/README.md
new file mode 100644
index 0000000000..436bf39a29
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
+
+## Expected Behavior
+
+Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Volume Types` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Volume Types` PSS check.
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/bad-pod.yaml
new file mode 100644
index 0000000000..97d666f55a
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/bad-pod.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod
+spec:
+ volumes:
+ - name: flex
+ flexVolume:
+ driver: /var/lib2
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: Localhost
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/chainsaw-test.yaml
new file mode 100644
index 0000000000..28e73aef95
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: test-exclusion-volume-types
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod.yaml
+ - apply:
+ file: excluded-pod.yaml
+ - apply:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/excluded-pod.yaml
new file mode 100644
index 0000000000..f3082dd69f
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/excluded-pod.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: excluded-pod
+spec:
+ volumes:
+ - name: flex
+ flexVolume:
+ driver: /var/lib1
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/good-pod.yaml
new file mode 100644
index 0000000000..41d47058dd
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/good-pod.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod
+spec:
+ volumes:
+ - name: configmap
+ configMap:
+ name: configmap
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/policy-assert.yaml
new file mode 100644
index 0000000000..f647243baa
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-volume-types
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/policy.yaml
new file mode 100644
index 0000000000..6c30ac197f
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/policy.yaml
@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-volume-types
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: test-exclusion-volume-types
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: restricted
+ version: latest
+ exclude:
+ - controlName: "Volume Types"
+ restrictedField: "spec.volumes[*].flexVolume"
+ values:
+ - "driver"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/README.md
new file mode 100644
index 0000000000..c59ed5dd51
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/README.md
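Review bot: The exclusion `restrictedField: "spec.volumes[*].flexVolume"` with `values: - "driver"` does not explain how excluded-pod (`driver: /var/lib1`) is admitted while bad-pod (`driver: /var/lib2`) is denied — both pods declare a flexVolume with a `driver` key, and "driver" reads as a field name rather than a driver value. If the matcher compares against the keys of the flexVolume object, both pods would be excluded and bad-pod is presumably being rejected for its `seccompProfile.type: Localhost` without `localhostProfile` instead; I cannot tell which from the fixtures alone. Please add a comment stating the intended matching semantics, e.g. `# values are matched against <explain: keys of the flexVolume object / the driver string>`, and choose values that make excluded-pod and bad-pod differ on the restricted field itself.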
@@ -0,0 +1,7 @@
+## Description
+
+This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
+
+## Expected Behavior
+
+Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Capabilities` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `Capabilities` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/bad-pod.yaml
new file mode 100644
index 0000000000..4c04991e7c
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/bad-pod.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ capabilities:
+ add:
+ - bar
+ - baz
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ capabilities:
+ add:
+ - baz
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/chainsaw-test.yaml
new file mode 100644
index 0000000000..f31c14a3bb
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: test-exclusion-capabilities
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod.yaml
+ - apply:
+ file: excluded-pod.yaml
+ - apply:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/excluded-pod.yaml
new file mode 100644
index 0000000000..0515247211
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/excluded-pod.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: excluded-pod
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ capabilities:
+ add:
+ - foo
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ capabilities:
+ add:
+ - baz
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/good-pod.yaml
new file mode 100644
index 0000000000..6441d8da8e
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/good-pod.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ capabilities:
+ add:
+ - CHOWN
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ capabilities:
+ add:
+ - FOWNER
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/policy-assert.yaml
new file mode 100644
index 0000000000..15c3374370
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-capabilities
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/policy.yaml
new file mode 100644
index 0000000000..2f6900595f
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/policy.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-capabilities
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: test-exclusion-capabilities
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
+ exclude:
+ - controlName: "Capabilities"
+ images:
+ - nginx
+ restrictedField: "spec.containers[*].securityContext.capabilities.add"
+ values:
+ - "foo"
+ - controlName: "Capabilities"
+ images:
+ - nginx
+ restrictedField: "spec.initContainers[*].securityContext.capabilities.add"
+ values:
+ - "baz"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/README.md
new file mode 100644
index 0000000000..e87d5374d4
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
+
+## Expected Behavior
+
+Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Host Namespaces` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `Host Namespaces` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/bad-pod.yaml
new file mode 100644
index 0000000000..760e331699
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/bad-pod.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod
+ namespace: default
+spec:
+ hostPID: true
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/chainsaw-test.yaml
new file mode 100644
index 0000000000..6a05e375f1
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: test-exclusion-host-namespaces
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod.yaml
+ - apply:
+ file: excluded-pod.yaml
+ - apply:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/excluded-pod.yaml
new file mode 100644
index 0000000000..8bbbde5351
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/excluded-pod.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: excluded-pod
+ namespace: default
+spec:
+ hostNetwork: true
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/good-pod.yaml
new file mode 100644
index 0000000000..3da6f315fb
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/good-pod.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod
+ namespace: default
+spec:
+ hostNetwork: false
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/policy-assert.yaml
new file mode 100644
index 0000000000..5e3b676332
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-host-namespaces
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/policy.yaml
new file mode 100644
index 0000000000..d4ab72b505
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/policy.yaml
@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-host-namespaces
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: test-exclusion-host-namespaces
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
+ exclude:
+ - controlName: "Host Namespaces"
+ restrictedField: "spec.hostNetwork"
+ values:
+ - "true"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/README.md
new file mode 100644
index 0000000000..2d2caf46c7
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
+
+## Expected Behavior
+
+Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Host Ports` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `Host Ports` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/bad-pod.yaml
new file mode 100644
index 0000000000..879fd503fd
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/bad-pod.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ ports:
+ - hostPort: 20
+ containerPort: 80
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ ports:
+ - hostPort: 20
+ containerPort: 80
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/chainsaw-test.yaml
new file mode 100644
index 0000000000..31ffadacae
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: test-exclusion-host-ports
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod.yaml
+ - apply:
+ file: excluded-pod.yaml
+ - apply:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/excluded-pod.yaml
new file mode 100644
index 0000000000..c35a7b6c70
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/excluded-pod.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: excluded-pod
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ ports:
+ - hostPort: 10
+ containerPort: 80
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ ports:
+ - hostPort: 20
+ containerPort: 80
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/good-pod.yaml
new file mode 100644
index 0000000000..89e31240a6
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/good-pod.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ ports:
+ - hostPort: 0
+ containerPort: 80
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ ports:
+ - hostPort: 0
+ containerPort: 80
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/policy-assert.yaml
new file mode 100644
index 0000000000..a137213552
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-host-ports
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/policy.yaml
new file mode 100644
index 0000000000..36f71a6a9b
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/policy.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-host-ports
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: test-exclusion-host-ports
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
+ exclude:
+ - controlName: "Host Ports"
+ images:
+ - nginx
+ restrictedField: "spec.containers[*].ports[*].hostPort"
+ values:
+ - "10"
+ - controlName: "Host Ports"
+ images:
+ - nginx
+ restrictedField: "spec.initContainers[*].ports[*].hostPort"
+ values:
+ - "20"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/README.md
new file mode 100644
index 0000000000..15b6c2aee2
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
+
+## Expected Behavior
+
+Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `HostPath Volumes` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/chainsaw-test.yaml
new file mode 100644
index 0000000000..e52a274da5
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/chainsaw-test.yaml
@@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: test-exclusion-hostpath-volume
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: excluded-pod.yaml
+ - apply:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/excluded-pod.yaml
new file mode 100644
index 0000000000..940666c6d6
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/excluded-pod.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: excluded-pod
+ namespace: default
+spec:
+ volumes:
+ - name: host
+ hostPath:
+ path: /var/lib1
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/good-pod.yaml
new file mode 100644
index 0000000000..f4dad266d6
--- /dev/null
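Review bot: The hostpath-volume chainsaw-test.yaml has no negative step — step-02 only applies excluded-pod.yaml and good-pod.yaml — so this test cannot distinguish a working field-level exclusion from a policy that exempts every hostPath volume, whereas the other directories in this change apply a bad-pod with `($error != null): true`. The same gap exists in test-exclusion-privileged-containers/chainsaw-test.yaml. A bad-pod with a hostPath volume whose path is not the excluded one (for example `path: /var/lib2`, a constructed value) applied under the same `expect` block would close it.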
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/good-pod.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod
+ namespace: default
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/policy-assert.yaml
new file mode 100644
index 0000000000..f9ae6dc5af
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-hostpath-volumes
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/policy.yaml
new file mode 100644
index 0000000000..8756065eac
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/policy.yaml
@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-hostpath-volumes
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: test-exclusion-hostpath-volumes
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
+ exclude:
+ - controlName: "HostPath Volumes"
+ restrictedField: "spec.volumes[*].hostPath"
+ values:
+ - "path"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/README.md
new file mode 100644
index 0000000000..683dd82937
--- /dev/null
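Review bot: In the hostpath-volume policy.yaml the exclusion is `restrictedField: "spec.volumes[*].hostPath"` with `values: ["path"]`, but the excluded pod's hostPath is `/var/lib1`, so the value being matched looks like the `path` key name rather than any path value; I cannot tell from here how the engine compares an object-valued field, but as written the exclusion reads as exempting every hostPath volume, which is the opposite of a field-restricted exclusion. If the intent is to exempt one specific path, `restrictedField: "spec.volumes[*].hostPath.path"` with `values: ["/var/lib1"]` states that explicitly, assuming the field syntax accepts that leaf. The policy is also named `test-exclusion-hostpath-volumes` while the directory and the chainsaw Test are `test-exclusion-hostpath-volume`; the sibling directories keep the two identical.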
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
+
+## Expected Behavior
+
+Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `HostProcesses` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `HostProcesses` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/bad-pod.yaml
new file mode 100644
index 0000000000..38cc7d061c
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/bad-pod.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod
+ namespace: default
+spec:
+ securityContext:
+ windowsOptions:
+ hostProcess: true
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ windowsOptions:
+ hostProcess: true
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ windowsOptions:
+ hostProcess: true
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/chainsaw-test.yaml
new file mode 100644
index 0000000000..60e01f882c
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/chainsaw-test.yaml
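Review bot: The hostprocesses bad-pod.yaml sets `hostProcess: true` at pod and container level but omits `hostNetwork: true`, which the sibling excluded-pod.yaml does set; if the apiserver rejects HostProcess pods that do not enable hostNetwork, the pod is refused before Kyverno's PSS check runs and the `($error != null): true` expectation in chainsaw-test.yaml is satisfied for a reason unrelated to the `HostProcess` control. Adding `hostNetwork: true` to bad-pod.yaml keeps the rejection attributable to the control under test (the policy in this directory already excludes `spec.hostNetwork`). More generally, `($error != null)` accepts any admission error; the same expect block is used by every chainsaw-test.yaml in this change, and a check on the message, e.g. `(contains($error, 'HostProcess')): true`, would make each test prove that the PSS control actually fired.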
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: test-exclusion-hostprocesses
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod.yaml
+ - apply:
+ file: excluded-pod.yaml
+ - apply:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/excluded-pod.yaml
new file mode 100644
index 0000000000..e8cac71d5b
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/excluded-pod.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: excluded-pod
+ namespace: default
+spec:
+ hostNetwork: true
+ securityContext:
+ windowsOptions:
+ hostProcess: true
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ windowsOptions:
+ hostProcess: true
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ windowsOptions:
+ hostProcess: true
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/good-pod.yaml
new file mode 100644
index 0000000000..c7ab1ddd15
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/good-pod.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod
+ namespace: default
+spec:
+ securityContext:
+ windowsOptions:
+ hostProcess: false
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ windowsOptions:
+ hostProcess: false
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ windowsOptions:
+ hostProcess: false
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/policy-assert.yaml
new file mode 100644
index 0000000000..23cbe07db7
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-hostprocess
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/policy.yaml
new file mode 100644
index 0000000000..646a92695a
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/policy.yaml
@@ -0,0 +1,39 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-hostprocess
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: test-exclusion-hostprocess
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
+ exclude:
+ - controlName: "Host Namespaces"
+ restrictedField: "spec.hostNetwork"
+ values:
+ - "true"
+ - controlName: "HostProcess"
+ restrictedField: "spec.securityContext.windowsOptions.hostProcess"
+ values:
+ - "true"
+ - controlName: "HostProcess"
+ images:
+ - nginx
+ restrictedField: "spec.containers[*].securityContext.windowsOptions.hostProcess"
+ values:
+ - "true"
+ - controlName: "HostProcess"
+ images:
+ - nginx
+ restrictedField: "spec.initContainers[*].securityContext.windowsOptions.hostProcess"
+ values:
+ - "true"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/README.md
new file mode 100644
index 0000000000..a07943a47c
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
+
+## Expected Behavior
+
+Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Privilege Escalation` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Privilege Escalation` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/bad-pod.yaml
new file mode 100644
index 0000000000..81f6cacc97
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/bad-pod.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/chainsaw-test.yaml
new file mode 100644
index 0000000000..4cc4f3b891
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: test-exclusion-privilege-escalation
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod.yaml
+ - apply:
+ file: excluded-pod.yaml
+ - apply:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/excluded-pod.yaml
new file mode 100644
index 0000000000..704b940d71
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/excluded-pod.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: excluded-pod
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/good-pod.yaml
new file mode 100644
index 0000000000..258f6471f2
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/good-pod.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/policy-assert.yaml
new file mode 100644
index 0000000000..ca0fb3dde5
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-privilege-escalation
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/policy.yaml
new file mode 100644
index 0000000000..795a9ad24d
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/policy.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-privilege-escalation
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: test-exclusion-privilege-escalation
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: restricted
+ version: latest
+ exclude:
+ - controlName: "Privilege Escalation"
+ images:
+ - nginx
+ restrictedField: "spec.containers[*].securityContext.allowPrivilegeEscalation"
+ values:
+ - "true"
+ - controlName: "Privilege Escalation"
+ images:
+ - nginx
+ restrictedField: "spec.initContainers[*].securityContext.allowPrivilegeEscalation"
+ values:
+ - "true"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/README.md
new file mode 100644
index 0000000000..797b269c72
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
+
+## Expected Behavior
+
+Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Privileged Containers` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/chainsaw-test.yaml
new file mode 100644
index 0000000000..9f98299f5b
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/chainsaw-test.yaml
@@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: test-exclusion-privileged-containers
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: excluded-pod.yaml
+ - apply:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/excluded-pod.yaml
new file mode 100644
index 0000000000..9ad1d46816
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/excluded-pod.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: excluded-pod
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ privileged: true
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ privileged: true
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/good-pod.yaml
new file mode 100644
index 0000000000..1edfd29c6b
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/good-pod.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ privileged: false
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ windowsOptions:
+ hostProcess: false
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/policy-assert.yaml
new file mode 100644
index 0000000000..754f2b3064
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-privileged-containers
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/policy.yaml
new file mode 100644
index 0000000000..ee775897fc
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/policy.yaml
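Review bot: In the privileged-containers good-pod.yaml the init container `nginx2` carries `windowsOptions: hostProcess: false` instead of `privileged: false`, which reads as a leftover from the hostprocesses fixture; the pod is still admitted, so the test passes, but the init-container half of the `Privileged Containers` control is no longer exercised by the positive case, and the policy in this directory excludes `spec.initContainers[*].securityContext.privileged` specifically. Replacing those two lines with `privileged: false` under `securityContext:` matches the `nginx1` container above it and the excluded-pod.yaml in the same directory.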
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-privileged-containers
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: test-exclusion-privileged-containers
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
+ exclude:
+ - controlName: "Privileged Containers"
+ images:
+ - nginx
+ restrictedField: "spec.containers[*].securityContext.privileged"
+ values:
+ - "true"
+ - controlName: "Privileged Containers"
+ images:
+ - nginx
+ restrictedField: "spec.initContainers[*].securityContext.privileged"
+ values:
+ - "true"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/README.md
new file mode 100644
index 0000000000..59c07abdd1
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
+
+## Expected Behavior
+
+Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `/proc MountType` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `/proc MountType` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/bad-pod.yaml
new file mode 100644
index 0000000000..6f20df94fc
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/bad-pod.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ procMount: unknown
+ initContainers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ procMount: other
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/chainsaw-test.yaml
new file mode 100644
index 0000000000..1dbb3c4cb1
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: test-exclusion-procmount
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod.yaml
+ - apply:
+ file: excluded-pod.yaml
+ - apply:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/excluded-pod.yaml
new file mode 100644
index 0000000000..0dc7fe3cc8
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/excluded-pod.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: excluded-pod
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ procMount: foo
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ procMount: bar
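Review bot: In bad-pod.yaml the init container reuses the name `nginx1` that the main container already has, and Kubernetes requires container names to be unique across `containers` and `initContainers`, so the API server should reject this pod on validation before the policy is consulted; the `($error != null)` expectation in chainsaw-test.yaml would then pass without the `/proc Mount Type` control ever being exercised. Rename it as the other fixtures do, `- name: nginx2`. The values `unknown`/`other` here and `foo`/`bar` in excluded-pod.yaml are not recognised ProcMountType values (`Default` and `Unmasked` are the ones I know of), and `procMount` sits behind the ProcMountType feature gate, so depending on the cluster the field is either rejected or dropped before admission — if CI is green I suspect it is for that reason rather than because the exclusions in the policy.yaml hunk below matched. Consider `Unmasked` in the bad pod on a non-excluded image, and document in the README which gate the conformance cluster needs.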
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/good-pod.yaml new file mode 100644 index 0000000000..2367e6c3c4 --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/good-pod.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: good-pod + namespace: default +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + procMount: default + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + procMount: default diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/policy-assert.yaml new file mode 100644 index 0000000000..4f48e3a387 --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-procmount +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/policy.yaml new file mode 100644 index 0000000000..37c460c781 --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/policy.yaml 
@@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-procmount +spec: + background: true + validationFailureAction: Enforce + rules: + - name: test-exclusion-procmount + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: baseline + version: latest + exclude: + - controlName: "/proc Mount Type" + images: + - nginx + restrictedField: "spec.containers[*].securityContext.procMount" + values: + - "foo" + - controlName: "/proc Mount Type" + images: + - nginx + restrictedField: "spec.initContainers[*].securityContext.procMount" + values: + - "bar" diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/README.md new file mode 100644 index 0000000000..9a050435fb --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/README.md @@ -0,0 +1,7 @@ +## Description + +This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully. + +## Expected Behavior + +Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Capabilities` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Capabilities` PSS check. diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/bad-pod.yaml new file mode 100644 index 0000000000..bb7edc0e5f --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/bad-pod.yaml 
@@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod + namespace: default +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - bar + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - baz diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/chainsaw-test.yaml new file mode 100644 index 0000000000..3618ab3150 --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: test-exclusion-restricted-capabilities +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: bad-pod.yaml + - apply: + file: excluded-pod.yaml + - apply: + file: good-pod.yaml diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/excluded-pod.yaml new file mode 100644 index 0000000000..27c3194101 --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/excluded-pod.yaml 
@@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + name: excluded-pod + namespace: default +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - foo + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - baz diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/good-pod.yaml new file mode 100644 index 0000000000..b39aa5c87b --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/good-pod.yaml @@ -0,0 +1,36 @@ +apiVersion: v1 +kind: Pod +metadata: + name: good-pod + namespace: default +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/policy-assert.yaml new file mode 100644 index 0000000000..8e9265264a --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/policy-assert.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-restricted-capabilities +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/policy.yaml new file mode 100644 index 0000000000..766cba4e4a --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/policy.yaml @@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-restricted-capabilities +spec: + background: true + validationFailureAction: Enforce + rules: + - name: test-exclusion-restricted-capabilities + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: restricted + version: latest + exclude: + - controlName: "Capabilities" + images: + - nginx + restrictedField: "spec.containers[*].securityContext.capabilities.add" + values: + - "foo" + - controlName: "Capabilities" + images: + - nginx + restrictedField: "spec.initContainers[*].securityContext.capabilities.add" + values: + - "baz" diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/README.md new file mode 100644 index 0000000000..dbc1666d30 --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/README.md 
@@ -0,0 +1,7 @@
+## Description
+
+This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
+
+## Expected Behavior
+
+Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Seccomp` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Seccomp` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/bad-pod.yaml
new file mode 100644
index 0000000000..93d641e1fc
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/bad-pod.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod
+ namespace: default
+spec:
+ securityContext:
+ seccompProfile:
+ type: foo
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: baz
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: Localhost
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/chainsaw-test.yaml
new file mode 100644
index 0000000000..cf7c618a8e
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/chainsaw-test.yaml
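Review bot: bad-pod.yaml sets `type: foo` at the pod level and `type: baz` on nginx1, which are not valid seccompProfile types (`RuntimeDefault`, `Localhost`, `Unconfined`), and the `Localhost` entry on nginx2 carries no `localhostProfile`; as far as I know API validation rejects the pod for these before admission, so the `($error != null)` check in the chainsaw test passes even if the policy's Seccomp exclusion were broken. To make the failure come from the policy, give one container an image the exclusion does not cover with the profile the control forbids, e.g. `image: busybox` plus `type: Unconfined`, and keep the rest of the manifest valid. The same invalid `foo`/`baz`/`Localhost` trio appears in the baseline test-exclusion-seccomp bad-pod.yaml further down, where the same fix applies.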
@@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: test-exclusion-restricted-seccomp +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: bad-pod.yaml + - apply: + file: excluded-pod.yaml + - apply: + file: good-pod.yaml diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/excluded-pod.yaml new file mode 100644 index 0000000000..d99a52e4b4 --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/excluded-pod.yaml @@ -0,0 +1,37 @@ +apiVersion: v1 +kind: Pod +metadata: + name: excluded-pod + namespace: default +spec: + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: Unconfined + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: Unconfined + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/good-pod.yaml new file mode 100644 index 0000000000..8eab1c40c1 --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/good-pod.yaml 
@@ -0,0 +1,37 @@ +apiVersion: v1 +kind: Pod +metadata: + name: good-pod + namespace: default +spec: + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/policy-assert.yaml new file mode 100644 index 0000000000..fa3c8d69b8 --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-restricted-seccomp +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml new file mode 100644 index 0000000000..f13dd4c9a7 --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml 
@@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-restricted-seccomp +spec: + background: true + validationFailureAction: Enforce + rules: + - name: test-exclusion-restricted-seccomp + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: restricted + version: latest + exclude: + - controlName: "Seccomp" + restrictedField: "spec.securityContext.seccompProfile.type" + values: + - "Unconfined" + - controlName: "Seccomp" + images: + - nginx + restrictedField: "spec.containers[*].securityContext.seccompProfile.type" + values: + - "Unconfined" + - controlName: "Seccomp" + images: + - nginx + restrictedField: "spec.initContainers[*].securityContext.seccompProfile.type" + values: + - "Unconfined" diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/README.md new file mode 100644 index 0000000000..4d7c2a17bc --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/README.md @@ -0,0 +1,7 @@ +## Description + +This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully. + +## Expected Behavior + +Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Running as Non-root User` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Running as Non-root User` PSS check. diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/bad-pod.yaml new file mode 100644 index 0000000000..df05759dc2 --- /dev/null 
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/bad-pod.yaml @@ -0,0 +1,36 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod + namespace: default +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + runAsUser: 1 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + runAsUser: 0 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/chainsaw-test.yaml new file mode 100644 index 0000000000..c3d11ab7c3 --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: test-exclusion-running-as-nonroot-user +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: bad-pod.yaml + - apply: + file: excluded-pod.yaml + - apply: + file: good-pod.yaml diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/excluded-pod.yaml new file mode 100644 index 0000000000..4b9093f0e1 --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/excluded-pod.yaml 
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: excluded-pod
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 0
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 10
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/good-pod.yaml
new file mode 100644
index 0000000000..52e3dd3b33
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/good-pod.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/policy-assert.yaml
new file mode 100644
index 0000000000..7d7d2c13c1
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/policy-assert.yaml
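Review bot: In excluded-pod.yaml nginx1 combines `runAsNonRoot: true` with `runAsUser: 0`; admission lets it through because of the policy exclusion, but the kubelet refuses to start a container whose UID contradicts `runAsNonRoot`, so this fixture proves creation only, never a running pod. That is sufficient for a chainsaw `apply` that asserts nothing beyond a successful create, but the manifest reads as a working pod; a comment on the line, `runAsUser: 0  # deliberately root: covered by the exclusion in policy.yaml, container will not start`, would keep the next reader from treating the fixture as a template. The same pairing on the init container of bad-pod.yaml in the previous hunk is the intended violation and needs no change.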
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-running-as-non-root-user
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/policy.yaml
new file mode 100644
index 0000000000..e5f15a04be
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/policy.yaml
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-running-as-non-root-user
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: test-exclusion-running-as-non-root-user
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: restricted
+ version: latest
+ exclude:
+ - controlName: "Running as Non-root user"
+ restrictedField: "spec.securityContext.runAsUser"
+ values:
+ - "0"
+ - controlName: "Running as Non-root user"
+ images:
+ - nginx
+ restrictedField: "spec.containers[*].securityContext.runAsUser"
+ values:
+ - "0"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/README.md
new file mode 100644
index 0000000000..3ca78c89e0
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/README.md
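Review bot: The first exclusion in policy.yaml, `restrictedField: "spec.securityContext.runAsUser"` with value `"0"`, is never exercised: excluded-pod.yaml in the previous hunk has no pod-level securityContext, so only the container-level entry is actually tested, and a regression in pod-level field matching would go unnoticed here. Either add `securityContext: {runAsUser: 0}` at pod level to the excluded pod or drop the entry so the fixture tests exactly what it declares; the running-as-nonroot policy.yaml further down has the same unexercised pod-level `spec.securityContext.runAsNonRoot` entry. Separately, the policy and assert are named `test-exclusion-running-as-non-root-user` while the directory and the chainsaw Test are `test-exclusion-running-as-nonroot-user` (likewise `running-as-non-root` versus `running-as-nonroot` in the next directory); it works, but aligning the names lets a `kubectl get cpol` listing be mapped back to its test.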
@@ -0,0 +1,7 @@ +## Description + +This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully. + +## Expected Behavior + +Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Running as Non-root` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Running as Non-root` PSS check. diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/bad-pod.yaml new file mode 100644 index 0000000000..ea4d3fb9da --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/bad-pod.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod + namespace: default +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/chainsaw-test.yaml new file mode 100644 index 0000000000..1890ea875c --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/chainsaw-test.yaml 
@@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: test-exclusion-running-as-nonroot +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: bad-pod.yaml + - apply: + file: excluded-pod.yaml + - apply: + file: good-pod.yaml diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/excluded-pod.yaml new file mode 100644 index 0000000000..ea6e182be5 --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/excluded-pod.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Pod +metadata: + name: excluded-pod + namespace: default +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/good-pod.yaml new file mode 100644 index 0000000000..258f6471f2 --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/good-pod.yaml 
@@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Pod +metadata: + name: good-pod + namespace: default +spec: + containers: + - name: nginx1 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - name: nginx2 + image: nginx + args: + - sleep + - 1d + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/policy-assert.yaml new file mode 100644 index 0000000000..df09dc96cc --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-exclusion-running-as-non-root +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/policy.yaml new file mode 100644 index 0000000000..a52ba806b3 --- /dev/null +++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/policy.yaml 
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-running-as-non-root
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: test-exclusion-running-as-non-root
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: restricted
+ version: latest
+ exclude:
+ - controlName: "Running as Non-root"
+ restrictedField: "spec.securityContext.runAsNonRoot"
+ values:
+ - "false"
+ - controlName: "Running as Non-root"
+ images:
+ - nginx
+ restrictedField: "spec.containers[*].securityContext.runAsNonRoot"
+ values:
+ - "false"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/README.md
new file mode 100644
index 0000000000..05d0308040
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
+
+## Expected Behavior
+
+Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Seccomp` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `Seccomp` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/bad-pod.yaml
new file mode 100644
index 0000000000..00bc10c39c
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/bad-pod.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod
+ namespace: default
+spec:
+ securityContext:
+ seccompProfile:
+ type: foo
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: baz
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: Localhost
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/chainsaw-test.yaml
new file mode 100644
index 0000000000..1b2c1061e3
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: test-exclusion-seccomp
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod.yaml
+ - apply:
+ file: excluded-pod.yaml
+ - apply:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/excluded-pod.yaml
new file mode 100644
index 0000000000..c44be0a5d9
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/excluded-pod.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: excluded-pod
+ namespace: default
+spec:
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: Unconfined
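Review bot: bad-pod.yaml in test-exclusion-seccomp uses seccompProfile types `foo` and `baz`, plus `Localhost` with no `localhostProfile`; the API server's own field validation should reject all three before any validating admission webhook runs, so the `($error != null): true` expectation in chainsaw-test.yaml would be satisfied even if the Seccomp exclusion logic under test were broken. To make the negative case exercise the policy, the pod needs to be API-valid but still forbidden at baseline, for example `type: Unconfined` on a container whose image is not `nginx` (constructed example: `image: busybox`), since the container-level exclusions in policy.yaml are scoped to `images: [nginx]`. The same concern applies to the test-exclusion-volume-types bad-pod.yaml later in this diff, which sets `type: Localhost` without `localhostProfile` and so likely never reaches the Volume Types check.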
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/good-pod.yaml
new file mode 100644
index 0000000000..78d9e7d64e
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/good-pod.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod
+ namespace: default
+spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/policy-assert.yaml
new file mode 100644
index 0000000000..60894fe185
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-seccomp
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/policy.yaml
new file mode 100644
index 0000000000..77a97aaa6f
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/policy.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-seccomp
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: test-exclusion-seccomp
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
+ exclude:
+ - controlName: "Seccomp"
+ restrictedField: "spec.securityContext.seccompProfile.type"
+ values:
+ - "Unconfined"
+ - controlName: "Seccomp"
+ images:
+ - nginx
+ restrictedField: "spec.containers[*].securityContext.seccompProfile.type"
+ values:
+ - "Unconfined"
+ - controlName: "Seccomp"
+ images:
+ - nginx
+ restrictedField: "spec.initContainers[*].securityContext.seccompProfile.type"
+ values:
+ - "Unconfined"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/README.md
new file mode 100644
index 0000000000..a9f2af0d65
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
+
+## Expected Behavior
+
+Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `SELinux` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `SELinux` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/bad-pod.yaml
new file mode 100644
index 0000000000..03c84e8fa0
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/bad-pod.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: bar
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: foo
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/chainsaw-test.yaml
new file mode 100644
index 0000000000..2136f8d365
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: test-exclusion-selinux
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod.yaml
+ - apply:
+ file: excluded-pod.yaml
+ - apply:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/excluded-pod.yaml
new file mode 100644
index 0000000000..9ee7c56b57
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/excluded-pod.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: excluded-pod
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: foo
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: bar
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/good-pod.yaml
new file mode 100644
index 0000000000..d62a7cd981
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/good-pod.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/policy-assert.yaml
new file mode 100644
index 0000000000..9a05399776
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-selinux
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/policy.yaml
new file mode 100644
index 0000000000..7402f47910
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/policy.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-selinux
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: test-exclusion-selinux
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
+ exclude:
+ - controlName: "SELinux"
+ images:
+ - nginx
+ restrictedField: "spec.containers[*].securityContext.seLinuxOptions.type"
+ values:
+ - "foo"
+ - controlName: "SELinux"
+ images:
+ - nginx
+ restrictedField: "spec.initContainers[*].securityContext.seLinuxOptions.type"
+ values:
+ - "bar"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/README.md
new file mode 100644
index 0000000000..741afe0dab
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
+
+## Expected Behavior
+
+Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Sysctls` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `Sysctls` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/bad-pod.yaml
new file mode 100644
index 0000000000..121cb49914
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/bad-pod.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod
+ namespace: default
+spec:
+ securityContext:
+ sysctls:
+ - name: unknown
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/chainsaw-test.yaml
new file mode 100644
index 0000000000..501fcc88fc
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: test-exclusion-sysctls
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod.yaml
+ - apply:
+ file: excluded-pod.yaml
+ - apply:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/excluded-pod.yaml
new file mode 100644
index 0000000000..0d58f98577
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/excluded-pod.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: excluded-pod
+ namespace: default
+spec:
+ securityContext:
+ sysctls:
+ - name: fake.value
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/good-pod.yaml
new file mode 100644
index 0000000000..509a7c407b
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/good-pod.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod
+ namespace: default
+spec:
+ securityContext:
+ sysctls:
+ - name: net.ipv4.ip_unprivileged_port_start
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/policy-assert.yaml
new file mode 100644
index 0000000000..323c615563
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-sysctls
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/policy.yaml
new file mode 100644
index 0000000000..c33b74ee5f
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/policy.yaml
@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-sysctls
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: test-exclusion-sysctls
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
+ exclude:
+ - controlName: "Sysctls"
+ restrictedField: "spec.securityContext.sysctls[*].name"
+ values:
+ - "fake.value"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/README.md
new file mode 100644
index 0000000000..436bf39a29
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
+
+## Expected Behavior
+
+Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Volume Types` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Volume Types` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/bad-pod.yaml
new file mode 100644
index 0000000000..9a1e942bfb
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/bad-pod.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod
+ namespace: default
+spec:
+ volumes:
+ - name: flex
+ flexVolume:
+ driver: /var/lib2
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: Localhost
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/chainsaw-test.yaml
new file mode 100644
index 0000000000..28e73aef95
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: test-exclusion-volume-types
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod.yaml
+ - apply:
+ file: excluded-pod.yaml
+ - apply:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/excluded-pod.yaml
new file mode 100644
index 0000000000..b9296ba409
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/excluded-pod.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: excluded-pod
+ namespace: default
+spec:
+ volumes:
+ - name: flex
+ flexVolume:
+ driver: /var/lib1
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/good-pod.yaml
new file mode 100644
index 0000000000..c2aab040a6
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/good-pod.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod
+ namespace: default
+spec:
+ volumes:
+ - name: configmap
+ configMap:
+ name: configmap
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/policy-assert.yaml
new file mode 100644
index 0000000000..f647243baa
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-volume-types
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/policy.yaml
new file mode 100644
index 0000000000..6c30ac197f
--- /dev/null
+++ b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/policy.yaml
@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-exclusion-volume-types
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: test-exclusion-volume-types
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: restricted
+ version: latest
+ exclude:
+ - controlName: "Volume Types"
+ restrictedField: "spec.volumes[*].flexVolume"
+ values:
+ - "driver"
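Review bot: The Volume Types exclusion in policy.yaml keys on `restrictedField: "spec.volumes[*].flexVolume"` with the value `"driver"`, which names a sub-field rather than a driver value, so it cannot tell excluded-pod (`driver: /var/lib1`) apart from bad-pod (`driver: /var/lib2`) in the earlier hunks; both pods present an identical-looking flexVolume to this matcher. If the intent is to allow one specific driver, the fixture presumably wants the sub-field path and the concrete value, along the lines of `restrictedField: "spec.volumes[*].flexVolume.driver"` / `values: ["/var/lib1"]`, assuming the exclusion matcher resolves a path below the volume type; otherwise bad-pod should use a different restricted volume type (for example `hostPath`) so its denial is attributable to this policy. As written, the test's negative case likely passes only because bad-pod's `seccompProfile.type: Localhost` lacks `localhostProfile` and is rejected by API validation before the policy is evaluated.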