From 6a43ec4bcf5c3d5e3752d93f7683299143279e85 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Tue, 19 Sep 2023 12:28:58 +0200 Subject: [PATCH] chore: fix policies (#8449) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Charles-Edouard Brétéché --- Makefile | 4 +- .../_testdata/tests/test-1/kyverno-test.yaml | 10 +- .../_testdata/tests/test-2/kyverno-test.yaml | 19 +-- .../commands/fix/policy/options.go | 21 ++++ cmd/cli/kubectl-kyverno/test/load_test.go | 117 ++++++++++-------- .../_aaa_template_resources/01-manifests.yaml | 22 ++-- .../scaffold/policy.yaml | 23 ++-- .../kuttl/deferred/foreach/manifests.yaml | 51 ++++---- .../exceptions/events-creation/policy.yaml | 32 ++--- .../policy-remove-egress.yaml | 46 +++---- .../policy.yaml | 46 +++---- .../01-policy.yaml | 37 +++--- .../04-modify-policy.yaml | 37 +++--- .../update-rule-preconditions.yaml | 42 ++++--- .../update-rule-preconditions.yaml | 52 ++++---- .../basic-check-output/01-manifests.yaml | 21 ++-- .../mutate-node-status/01-manifests.yaml | 22 ++-- .../02-policy.yaml | 46 +++---- .../admission-disabled/policy-mutate.yaml | 20 +-- .../schema-validation-crd/01-policy.yaml | 18 +-- .../admission-disabled/policy-mutate.yaml | 21 ++-- .../lazyload/conditions/01-manifests.yaml | 53 ++++---- .../validate/e2e/trusted-images/policy.yaml | 38 +++--- .../standard/empty-image/policy.yaml | 27 ++-- .../policy.yaml | 39 +++--- .../imageExtractors-complex/policy.yaml | 39 +++--- .../standard/imageExtractors-none/policy.yaml | 22 ++-- .../imageExtractors-simple/policy.yaml | 33 ++--- test/policy/deny/policy.yaml | 30 ++--- ...utate_pod_disable_automountingapicred.yaml | 21 ++-- ...olicy_mutate_pod_foreach_with_context.yaml | 48 +++---- test/policy/validate/check_cpu_memory.yaml | 43 ++++--- test/policy/validate/check_hostpath.yaml | 23 ++-- test/policy/validate/check_image_version.yaml | 23 ++-- .../check_memory_requests_same_yaml.yaml | 49 ++++---- ...ck_memory_requests_same_yaml_relative.yaml | 49 ++++---- .../check_node_for_cve_2022_0185.yaml | 35 +++--- test/policy/validate/check_nodeport.yaml | 21 ++-- test/policy/validate/check_not_root.yaml | 37 +++--- test/policy/validate/check_probe_exists.yaml | 46 ++++--- 
.../validate/check_probe_intervals.yaml | 48 +++---- test/policy/validate/check_registries.yaml | 26 ++-- 42 files changed, 820 insertions(+), 637 deletions(-) diff --git a/Makefile b/Makefile index 114e582db3..8da54bbcb4 100644 --- a/Makefile +++ b/Makefile @@ -547,12 +547,12 @@ codegen-docs-all: codegen-helm-docs codegen-cli-docs codegen-api-docs ## Genera .PHONY: codegen-fix-tests codegen-fix-tests: $(CLI_BIN) ## Fix CLI test files @echo Fix CLI test files... >&2 - @KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix test ./test/cli --save --compress --force + @KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix test . --save --compress --force .PHONY: codegen-fix-policies codegen-fix-policies: $(CLI_BIN) ## Fix CLI policy files @echo Fix CLI policy files... >&2 - @KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix policy ./test/cli/test --save + @KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix policy . --save .PHONY: codegen-cli-all codegen-cli-all: codegen-cli-crds codegen-cli-docs codegen-cli-api-docs codegen-fix-tests ## Generate all CLI related code and docs diff --git a/cmd/cli/kubectl-kyverno/_testdata/tests/test-1/kyverno-test.yaml b/cmd/cli/kubectl-kyverno/_testdata/tests/test-1/kyverno-test.yaml index 604d5ac871..d6f24ea5f6 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/tests/test-1/kyverno-test.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/tests/test-1/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: test-registry +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: test-registry policies: - image-example.yaml resources: @@ -8,11 +11,6 @@ results: policy: images resources: - test-pod-with-non-root-user-image - result: pass - rule: only-allow-trusted-images -- kind: Pod - policy: images - resources: - test-pod-with-trusted-registry result: pass rule: only-allow-trusted-images diff --git a/cmd/cli/kubectl-kyverno/_testdata/tests/test-2/kyverno-test.yaml b/cmd/cli/kubectl-kyverno/_testdata/tests/test-2/kyverno-test.yaml index 09dae29d82..ff39c9c387 100644 
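Review bot: `fix policy . --save` now walks the whole repository root with an experimental rewriter, and the recipe's help text (`## Fix CLI policy files`) gives no hint of what that rewrite does to the files it touches. The YAML hunks later in this commit show the cost: comments are discarded and `operator: In` is rewritten to `AllIn`, so any hand-maintained policy manifest reachable from `.` that is not test data would be silently reformatted too (this diff only touches test and testdata files, so there may be none today). I would document it on the target, `codegen-fix-policies: $(CLI_BIN) ## Fix policy files (rewrites every policy YAML under the repo root; YAML comments are not preserved)`, and, if non-test manifests do exist, list the test directories explicitly instead of `.`. The same consideration applies to `fix test .` two lines above.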
--- a/cmd/cli/kubectl-kyverno/_testdata/tests/test-2/kyverno-test.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/tests/test-2/kyverno-test.yaml @@ -1,16 +1,12 @@ -name: add-quota +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: add-quota policies: - policy.yaml resources: - resource.yaml results: -- generatedResource: generatedResourceQuota.yaml - kind: Namespace - policy: add-ns-quota - resources: - - hello-world-namespace - result: pass - rule: generate-resourcequota - generatedResource: generatedLimitRange.yaml kind: Namespace policy: add-ns-quota @@ -18,3 +14,10 @@ results: - hello-world-namespace result: pass rule: generate-limitrange +- generatedResource: generatedResourceQuota.yaml + kind: Namespace + policy: add-ns-quota + resources: + - hello-world-namespace + result: pass + rule: generate-resourcequota diff --git a/cmd/cli/kubectl-kyverno/commands/fix/policy/options.go b/cmd/cli/kubectl-kyverno/commands/fix/policy/options.go index d3ad834ee9..f7ceed5bc5 100644 --- a/cmd/cli/kubectl-kyverno/commands/fix/policy/options.go +++ b/cmd/cli/kubectl-kyverno/commands/fix/policy/options.go 
@@ -107,6 +107,18 @@ func (o options) processFile(out io.Writer, path string) { rule := rule.(map[string]interface{}) unstructured.RemoveNestedField(rule, "exclude", "resources") unstructured.RemoveNestedField(rule, "match", "resources") + if any, ok, err := unstructured.NestedFieldNoCopy(rule, "match", "any"); ok && err == nil { + cleanResourceFilters(any.([]interface{})) + } + if all, ok, err := unstructured.NestedFieldNoCopy(rule, "match", "all"); ok && err == nil { + cleanResourceFilters(all.([]interface{})) + } + if any, ok, err := unstructured.NestedFieldNoCopy(rule, "exclude", "any"); ok && err == nil { + cleanResourceFilters(any.([]interface{})) + } + if all, ok, err := unstructured.NestedFieldNoCopy(rule, "exclude", "all"); ok && err == nil { + cleanResourceFilters(all.([]interface{})) + } if item, _, _ := unstructured.NestedMap(rule, "generate", "clone"); len(item) == 0 { unstructured.RemoveNestedField(rule, "generate", "clone") } @@ -165,3 +177,12 @@ func (o options) processFile(out io.Writer, path string) { fmt.Fprintln(out, " OK") } } + +func cleanResourceFilters(rf []interface{}) { + for _, f := range rf { + a := f.(map[string]interface{}) + if item, _, _ := unstructured.NestedMap(a, "resources"); len(item) == 0 { + unstructured.RemoveNestedField(a, "resources") + } + } +} diff --git a/cmd/cli/kubectl-kyverno/test/load_test.go b/cmd/cli/kubectl-kyverno/test/load_test.go index db21f58aef..26404d7a8f 100644 --- a/cmd/cli/kubectl-kyverno/test/load_test.go +++ b/cmd/cli/kubectl-kyverno/test/load_test.go @@ -10,6 +10,8 @@ import ( "github.com/go-git/go-billy/v5/memfs" policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2" "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apis/v1alpha1" + "gotest.tools/assert" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) func TestLoadTests(t *testing.T) { 
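Review bot: `any.([]interface{})` and `all.([]interface{})` in the four new blocks are unchecked type assertions on user-supplied YAML, so a policy file with `match: {any: {}}` or `any: foo` (exactly the malformed input a fix command exists to meet) panics the whole run instead of being reported for that file. The local `any` also shadows Go's predeclared alias, which is confusing in a file that uses `[]interface{}` everywhere. Both are cheaper to fix by folding the four blocks into one loop with a comma-ok assertion that warns and skips non-list values; `out` and `fmt` are already in scope in processFile. The enclosing function continues outside this hunk.
```go
// … unchanged: RemoveNestedField(rule, "exclude"/"match", "resources") …
for _, path := range [][]string{{"match", "any"}, {"match", "all"}, {"exclude", "any"}, {"exclude", "all"}} {
	v, ok, err := unstructured.NestedFieldNoCopy(rule, path...)
	if !ok || err != nil {
		continue
	}
	filters, isList := v.([]interface{})
	if !isList {
		// malformed filter list: report it and leave it alone rather than panic on the assertion
		fmt.Fprintf(out, "  WARNING: %s.%s is not a list, skipping\n", path[0], path[1])
		continue
	}
	cleanResourceFilters(filters)
}
// … unchanged: generate.clone cleanup …
```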
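Review bot: `a := f.(map[string]interface{})` in cleanResourceFilters is another unchecked assertion, so a scalar entry in a match/exclude `any`/`all` list panics the run; and because `NestedMap` returns a nil map with an error when the value is present but not a map, a `resources: some-string` satisfies `len(item) == 0` and is silently deleted instead of being reported. Use the comma-ok form and only drop the field when it really is an empty map: `a, ok := f.(map[string]interface{})` / `if !ok { continue }` / `if item, found, err := unstructured.NestedMap(a, "resources"); found && err == nil && len(item) == 0 {`. A short doc comment would also help, e.g. `// cleanResourceFilters drops empty resources blocks from a match/exclude any/all list, in place.`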
@@ -47,7 +49,13 @@ func TestLoadTests(t *testing.T) { want: []TestCase{{ Path: "../_testdata/tests/test-1/kyverno-test.yaml", Test: &v1alpha1.Test{ - Name: "test-registry", + TypeMeta: metav1.TypeMeta{ + APIVersion: "cli.kyverno.io/v1alpha1", + Kind: "Test", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "test-registry", + }, Policies: []string{"image-example.yaml"}, Resources: []string{"resources.yaml"}, Results: []v1alpha1.TestResult{{ @@ -57,15 +65,10 @@ func TestLoadTests(t *testing.T) { Result: policyreportv1alpha2.StatusPass, Rule: "only-allow-trusted-images", }, - Resources: []string{"test-pod-with-non-root-user-image"}, - }, { - TestResultBase: v1alpha1.TestResultBase{ - Kind: "Pod", - Policy: "images", - Result: policyreportv1alpha2.StatusPass, - Rule: "only-allow-trusted-images", + Resources: []string{ + "test-pod-with-non-root-user-image", + "test-pod-with-trusted-registry", }, - Resources: []string{"test-pod-with-trusted-registry"}, }}, }, }}, @@ -77,7 +80,13 @@ func TestLoadTests(t *testing.T) { want: []TestCase{{ Path: "../_testdata/tests/test-2/kyverno-test.yaml", Test: &v1alpha1.Test{ - Name: "add-quota", + TypeMeta: metav1.TypeMeta{ + APIVersion: "cli.kyverno.io/v1alpha1", + Kind: "Test", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "add-quota", + }, Policies: []string{"policy.yaml"}, Resources: []string{"resource.yaml"}, Results: []v1alpha1.TestResult{{ @@ -85,8 +94,8 @@ func TestLoadTests(t *testing.T) { Kind: "Namespace", Policy: "add-ns-quota", Result: policyreportv1alpha2.StatusPass, - Rule: "generate-resourcequota", - GeneratedResource: "generatedResourceQuota.yaml", + Rule: "generate-limitrange", + GeneratedResource: "generatedLimitRange.yaml", }, Resources: []string{"hello-world-namespace"}, }, { 
@@ -94,8 +103,8 @@ func TestLoadTests(t *testing.T) { Kind: "Namespace", Policy: "add-ns-quota", Result: policyreportv1alpha2.StatusPass, - Rule: "generate-limitrange", - GeneratedResource: "generatedLimitRange.yaml", + Rule: "generate-resourcequota", + GeneratedResource: "generatedResourceQuota.yaml", }, Resources: []string{"hello-world-namespace"}, }}, @@ -109,7 +118,13 @@ func TestLoadTests(t *testing.T) { want: []TestCase{{ Path: "../_testdata/tests/test-1/kyverno-test.yaml", Test: &v1alpha1.Test{ - Name: "test-registry", + TypeMeta: metav1.TypeMeta{ + APIVersion: "cli.kyverno.io/v1alpha1", + Kind: "Test", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "test-registry", + }, Policies: []string{"image-example.yaml"}, Resources: []string{"resources.yaml"}, Results: []v1alpha1.TestResult{{ @@ -119,21 +134,22 @@ func TestLoadTests(t *testing.T) { Result: policyreportv1alpha2.StatusPass, Rule: "only-allow-trusted-images", }, - Resources: []string{"test-pod-with-non-root-user-image"}, - }, { - TestResultBase: v1alpha1.TestResultBase{ - Kind: "Pod", - Policy: "images", - Result: policyreportv1alpha2.StatusPass, - Rule: "only-allow-trusted-images", + Resources: []string{ + "test-pod-with-non-root-user-image", + "test-pod-with-trusted-registry", }, - Resources: []string{"test-pod-with-trusted-registry"}, }}, }, }, { Path: "../_testdata/tests/test-2/kyverno-test.yaml", Test: &v1alpha1.Test{ - Name: "add-quota", + TypeMeta: metav1.TypeMeta{ + APIVersion: "cli.kyverno.io/v1alpha1", + Kind: "Test", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "add-quota", + }, Policies: []string{"policy.yaml"}, Resources: []string{"resource.yaml"}, Results: []v1alpha1.TestResult{{ 
@@ -141,8 +157,8 @@ func TestLoadTests(t *testing.T) { Kind: "Namespace", Policy: "add-ns-quota", Result: policyreportv1alpha2.StatusPass, - Rule: "generate-resourcequota", - GeneratedResource: "generatedResourceQuota.yaml", + Rule: "generate-limitrange", + GeneratedResource: "generatedLimitRange.yaml", }, Resources: []string{"hello-world-namespace"}, }, { @@ -150,8 +166,8 @@ func TestLoadTests(t *testing.T) { Kind: "Namespace", Policy: "add-ns-quota", Result: policyreportv1alpha2.StatusPass, - Rule: "generate-limitrange", - GeneratedResource: "generatedLimitRange.yaml", + Rule: "generate-resourcequota", + GeneratedResource: "generatedResourceQuota.yaml", }, Resources: []string{"hello-world-namespace"}, }}, @@ -198,7 +214,13 @@ func TestLoadTest(t *testing.T) { want: TestCase{ Path: "../_testdata/tests/test-1/kyverno-test.yaml", Test: &v1alpha1.Test{ - Name: "test-registry", + TypeMeta: metav1.TypeMeta{ + APIVersion: "cli.kyverno.io/v1alpha1", + Kind: "Test", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "test-registry", + }, Policies: []string{"image-example.yaml"}, Resources: []string{"resources.yaml"}, Results: []v1alpha1.TestResult{{ @@ -208,15 +230,10 @@ func TestLoadTest(t *testing.T) { Result: policyreportv1alpha2.StatusPass, Rule: "only-allow-trusted-images", }, - Resources: []string{"test-pod-with-non-root-user-image"}, - }, { - TestResultBase: v1alpha1.TestResultBase{ - Kind: "Pod", - Policy: "images", - Result: policyreportv1alpha2.StatusPass, - Rule: "only-allow-trusted-images", + Resources: []string{ + "test-pod-with-non-root-user-image", + "test-pod-with-trusted-registry", }, - Resources: []string{"test-pod-with-trusted-registry"}, }}, }, }, 
@@ -226,7 +243,13 @@ func TestLoadTest(t *testing.T) { want: TestCase{ Path: "kyverno-test.yaml", Test: &v1alpha1.Test{ - Name: "test-registry", + TypeMeta: metav1.TypeMeta{ + APIVersion: "cli.kyverno.io/v1alpha1", + Kind: "Test", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "test-registry", + }, Policies: []string{"image-example.yaml"}, Resources: []string{"resources.yaml"}, Results: []v1alpha1.TestResult{{ @@ -236,15 +259,10 @@ func TestLoadTest(t *testing.T) { Result: policyreportv1alpha2.StatusPass, Rule: "only-allow-trusted-images", }, - Resources: []string{"test-pod-with-non-root-user-image"}, - }, { - TestResultBase: v1alpha1.TestResultBase{ - Kind: "Pod", - Policy: "images", - Result: policyreportv1alpha2.StatusPass, - Rule: "only-allow-trusted-images", + Resources: []string{ + "test-pod-with-non-root-user-image", + "test-pod-with-trusted-registry", }, - Resources: []string{"test-pod-with-trusted-registry"}, }}, }, }, @@ -288,10 +306,9 @@ func TestLoadTest(t *testing.T) { return } got.Err = nil - tt.want.Fs = tt.fs - if !reflect.DeepEqual(got, tt.want) { - t.Errorf("LoadTest() = %v, want %v", got, tt.want) - } + tt.want.Fs = nil + got.Fs = nil + assert.DeepEqual(t, tt.want, got) }) } } diff --git a/test/conformance/kuttl/_aaa_template_resources/01-manifests.yaml b/test/conformance/kuttl/_aaa_template_resources/01-manifests.yaml index f577d14177..5fdf48af86 100644 --- a/test/conformance/kuttl/_aaa_template_resources/01-manifests.yaml +++ b/test/conformance/kuttl/_aaa_template_resources/01-manifests.yaml 
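Review bot: Clearing `got.Fs` together with `tt.want.Fs` removes the only check that LoadTest hands back the filesystem it was given; the old `tt.want.Fs = tt.fs` line made DeepEqual compare it. Keep the identity check before nil-ing the fields, `if got.Fs != tt.fs { t.Errorf("LoadTest() Fs = %v, want %v", got.Fs, tt.fs) }` (valid as long as Fs holds a comparable implementation such as the memfs pointer used in these cases). Separately, the imports hunk earlier in this file adds gotest.tools but does not drop `"reflect"`; presumably TestLoadTests still uses reflect.DeepEqual in the part this diff does not show, otherwise the import is now unused.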
@@ -1,20 +1,24 @@ -# A file with no reserved name "assert" or "errors" will be created with the below contents. Can be multiple YAML docs in the same file. +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: add-labels spec: + admission: true + background: true rules: - - name: add-labels - match: - resources: - kinds: - - Pod - - Service - - ConfigMap - - Secret + - match: + any: + - resources: + kinds: + - Pod + - Service + - ConfigMap + - Secret mutate: patchStrategicMerge: metadata: labels: foo: bar + name: add-labels + validationFailureAction: Audit diff --git a/test/conformance/kuttl/_aaa_template_resources/scaffold/policy.yaml b/test/conformance/kuttl/_aaa_template_resources/scaffold/policy.yaml index efcd7c18f9..5fdf48af86 100644 --- a/test/conformance/kuttl/_aaa_template_resources/scaffold/policy.yaml +++ b/test/conformance/kuttl/_aaa_template_resources/scaffold/policy.yaml @@ -1,19 +1,24 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: add-labels spec: + admission: true + background: true rules: - - name: add-labels - match: - resources: - kinds: - - Pod - - Service - - ConfigMap - - Secret + - match: + any: + - resources: + kinds: + - Pod + - Service + - ConfigMap + - Secret mutate: patchStrategicMerge: metadata: labels: - foo: bar \ No newline at end of file + foo: bar + name: add-labels + validationFailureAction: Audit diff --git a/test/conformance/kuttl/deferred/foreach/manifests.yaml b/test/conformance/kuttl/deferred/foreach/manifests.yaml index e4341905bc..f298d56d7c 100644 --- a/test/conformance/kuttl/deferred/foreach/manifests.yaml +++ b/test/conformance/kuttl/deferred/foreach/manifests.yaml @@ -1,13 +1,16 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: testcase-7fki3 spec: - schemaValidation: false + admission: true background: false - validationFailureAction: Enforce rules: - - name: mutate1 + - context: + - name: var1 + variable: + value: AAA match: all: - resources: 
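Review bot: The regenerated template drops the only documentation in the file, the header `# A file with no reserved name "assert" or "errors" will be created with the below contents. Can be multiple YAML docs in the same file.`, and this directory is the scaffold people copy when writing a new kuttl test. The fixer re-serializes the YAML, so any comment will be lost again on every `make codegen-fix-policies` run. Either restore the comment above `---` and exclude the template directory from the fix path, or move the guidance into a README next to it where the rewriter cannot touch it.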
@@ -15,31 +18,27 @@ spec: - v1/ConfigMap names: - testcase-7fki3-resource - context: - - name: var1 - variable: - value: AAA + mutate: + foreach: + - list: '[''dummy'']' + patchStrategicMerge: + data: + from_loop_1: '{{ var1 || ''!!!variable not resolved!!!'' }}' + - list: '[''dummy'']' + patchStrategicMerge: + data: + from_loop_2: '{{ var1 || ''!!!variable not resolved!!!'' }}' + - list: '[''dummy'']' + patchStrategicMerge: + data: + from_loop_3: '{{ var1 || ''!!!variable not resolved!!!'' }}' + name: mutate1 preconditions: all: - - key: "{{ request.operation }}" - operator: In + - key: '{{ request.operation }}' + operator: AllIn value: - CREATE - UPDATE - mutate: - foreach: - # first loop - - list: "['dummy']" - patchStrategicMerge: - data: - from_loop_1: "{{ var1 || '!!!variable not resolved!!!' }}" - # second loop - - list: "['dummy']" - patchStrategicMerge: - data: - from_loop_2: "{{ var1 || '!!!variable not resolved!!!' }}" - # third loop - - list: "['dummy']" - patchStrategicMerge: - data: - from_loop_3: "{{ var1 || '!!!variable not resolved!!!' }}" + schemaValidation: false + validationFailureAction: Enforce diff --git a/test/conformance/kuttl/exceptions/events-creation/policy.yaml b/test/conformance/kuttl/exceptions/events-creation/policy.yaml index 21066b6b35..bad86e81b3 100644 --- a/test/conformance/kuttl/exceptions/events-creation/policy.yaml +++ b/test/conformance/kuttl/exceptions/events-creation/policy.yaml 
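Review bot: The precondition operator is rewritten from `In` to `AllIn`, and the `# first loop` / `# second loop` / `# third loop` comments are gone — neither is a pure formatting change, and the commit message ("fix policies") does not mention operator rewrites. For a scalar key such as `{{ request.operation }}` the two operators should evaluate the same (the single value must be in the list), but that deserves a sentence in the PR description and a confirmation that this test's kuttl assert still passes. The same `In` → `AllIn` rewrite appears in the foreach-patchStrategicMerge-context policy later in this diff.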
@@ -1,29 +1,31 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: disallow-latest-tag-events-creation annotations: - policies.kyverno.io/title: Disallow Latest Tag policies.kyverno.io/category: Best Practices + policies.kyverno.io/description: 'The '':latest'' tag is mutable and can lead + to unexpected errors if the image changes. A best practice is to use an immutable + tag that maps to a specific version of an application Pod. This policy validates + that the image specifies a tag and that it is not called `latest`. ' policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - The ':latest' tag is mutable and can lead to unexpected errors if the - image changes. A best practice is to use an immutable tag that maps to - a specific version of an application Pod. This policy validates that the image - specifies a tag and that it is not called `latest`. + policies.kyverno.io/title: Disallow Latest Tag + name: disallow-latest-tag-events-creation spec: - validationFailureAction: Enforce + admission: true background: true rules: - - name: validate-image-tag - match: - resources: - kinds: - - Pod + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag validate: - message: "An image tag is required (:latest is not allowed)" + message: An image tag is required (:latest is not allowed) pattern: spec: containers: - - image: "!*:latest & *:*" \ No newline at end of file + - image: '!*:latest & *:*' + validationFailureAction: Enforce diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/policy-remove-egress.yaml b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/policy-remove-egress.yaml index 627ba273f2..968c1b7634 100644 --- a/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/policy-remove-egress.yaml 
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/policy-remove-egress.yaml 
@@ -1,32 +1,36 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: cpol-data-sync-remove-list-element-cpol annotations: policies.kyverno.io/category: Workload Management - policies.kyverno.io/description: By default, Kubernetes allows communications across - all pods within a cluster. Network policies and, a CNI that supports network policies, - must be used to restrict communinications. A default NetworkPolicy should be configured - for each namespace to default deny all ingress traffic to the pods in the namespace. - Application teams can then configure additional NetworkPolicy resources to allow - desired traffic to application pods from select sources. + policies.kyverno.io/description: By default, Kubernetes allows communications + across all pods within a cluster. Network policies and, a CNI that supports + network policies, must be used to restrict communinications. A default NetworkPolicy + should be configured for each namespace to default deny all ingress traffic + to the pods in the namespace. Application teams can then configure additional + NetworkPolicy resources to allow desired traffic to application pods from select + sources. + name: cpol-data-sync-remove-list-element-cpol spec: - validationFailureAction: audit + admission: true + background: true rules: - - name: cpol-data-sync-remove-list-element-rule - match: - resources: - kinds: - - Namespace - generate: + - generate: apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - name: default-netpol - namespace: "{{request.object.metadata.name}}" - synchronize : true data: spec: - # select all pods in the namespace podSelector: {} - policyTypes: - - Ingress \ No newline at end of file + policyTypes: + - Ingress + kind: NetworkPolicy + name: default-netpol + namespace: '{{request.object.metadata.name}}' + synchronize: true + match: + any: + - resources: + kinds: + - Namespace + name: cpol-data-sync-remove-list-element-rule + validationFailureAction: Audit 
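Review bot: The `# select all pods in the namespace` comment above `podSelector: {}` is lost in the rewrite; an empty selector in a NetworkPolicy with `policyTypes: [Ingress]` and no `ingress` rules is a default-deny for every pod in the namespace, which is exactly the intent a reader should not have to infer. Since the fixer discards comments, carry the explanation somewhere it preserves, for example by extending the description annotation: `… to default deny all ingress traffic to the pods in the namespace (the generated policy uses an empty podSelector, i.e. all pods). …`. The typo `communinications` in the same annotation also survives the rewrite and could be fixed in the same pass.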
diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/policy.yaml b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/policy.yaml index 6232d96db7..99b1ab97b1 100644 --- a/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/policy.yaml +++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/policy.yaml 
@@ -1,33 +1,37 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: cpol-data-sync-remove-list-element-cpol annotations: policies.kyverno.io/category: Workload Management - policies.kyverno.io/description: By default, Kubernetes allows communications across - all pods within a cluster. Network policies and, a CNI that supports network policies, - must be used to restrict communinications. A default NetworkPolicy should be configured - for each namespace to default deny all ingress traffic to the pods in the namespace. - Application teams can then configure additional NetworkPolicy resources to allow - desired traffic to application pods from select sources. + policies.kyverno.io/description: By default, Kubernetes allows communications + across all pods within a cluster. Network policies and, a CNI that supports + network policies, must be used to restrict communinications. A default NetworkPolicy + should be configured for each namespace to default deny all ingress traffic + to the pods in the namespace. Application teams can then configure additional + NetworkPolicy resources to allow desired traffic to application pods from select + sources. + name: cpol-data-sync-remove-list-element-cpol spec: - validationFailureAction: audit + admission: true + background: true rules: - - name: cpol-data-sync-remove-list-element-rule - match: - resources: - kinds: - - Namespace - generate: + - generate: apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - name: default-netpol - namespace: "{{request.object.metadata.name}}" - synchronize : true data: spec: - # select all pods in the namespace podSelector: {} - policyTypes: + policyTypes: - Ingress - - Egress \ No newline at end of file + - Egress + kind: NetworkPolicy + name: default-netpol + namespace: '{{request.object.metadata.name}}' + synchronize: true + match: + any: + - resources: + kinds: + - Namespace + name: cpol-data-sync-remove-list-element-rule + validationFailureAction: Audit 
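Review bot: The description annotation in this variant still describes a default deny for ingress only, while the generated NetworkPolicy lists `policyTypes: [Ingress, Egress]` with an empty `podSelector` and no rules, which also blocks all egress (DNS included) for every pod in the namespace. Even in a test fixture that is a misleading statement to ship in a policy annotation, and the `# select all pods in the namespace` comment that used to flag the selector's meaning is dropped by the rewrite. Either trim this fixture's annotation to the generic category, or add one sentence such as `… This variant also denies all egress traffic (policyTypes includes Egress).`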
diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/01-policy.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/01-policy.yaml index 700ac477d9..5ce53b979a 100644 --- a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/01-policy.yaml +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/01-policy.yaml @@ -1,26 +1,31 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: cpol-data-sync-modify-policy spec: + admission: true + background: true rules: - - name: cpol-data-sync-modify-rule - match: - resources: - kinds: - - Namespace - names: - - gemini-* - generate: + - generate: apiVersion: v1 - kind: ResourceQuota - name: default-resourcequota - synchronize: true - namespace: "{{request.object.metadata.name}}" data: spec: hard: - requests.cpu: '4' - requests.memory: '16Gi' - limits.cpu: '8' - limits.memory: '16Gi' \ No newline at end of file + limits.cpu: "8" + limits.memory: 16Gi + requests.cpu: "4" + requests.memory: 16Gi + kind: ResourceQuota + name: default-resourcequota + namespace: '{{request.object.metadata.name}}' + synchronize: true + match: + any: + - resources: + kinds: + - Namespace + names: + - gemini-* + name: cpol-data-sync-modify-rule + validationFailureAction: Audit diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/04-modify-policy.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/04-modify-policy.yaml index 92fe4d3306..e8624a4927 100644 --- a/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/04-modify-policy.yaml +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/04-modify-policy.yaml 
@@ -1,26 +1,31 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: cpol-data-sync-modify-policy spec: + admission: true + background: true rules: - - name: cpol-data-sync-modify-rule - match: - resources: - kinds: - - Namespace - names: - - gemini-* - generate: + - generate: apiVersion: v1 - kind: ResourceQuota - name: default-resourcequota - synchronize: true - namespace: "{{request.object.metadata.name}}" data: spec: hard: - requests.cpu: '4' - requests.memory: '16Gi' - limits.cpu: '9' - limits.memory: '16Gi' \ No newline at end of file + limits.cpu: "9" + limits.memory: 16Gi + requests.cpu: "4" + requests.memory: 16Gi + kind: ResourceQuota + name: default-resourcequota + namespace: '{{request.object.metadata.name}}' + synchronize: true + match: + any: + - resources: + kinds: + - Namespace + names: + - gemini-* + name: cpol-data-sync-modify-rule + validationFailureAction: Audit diff --git a/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-preconditions.yaml b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-preconditions.yaml index d6d8359a97..548013e960 100644 --- a/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-preconditions.yaml +++ b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-preconditions.yaml @@ -1,17 +1,13 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: generate-update-rule-spec spec: - generateExisting: false + admission: true + background: true rules: - - name: k-kafka-address - match: - any: - - resources: - kinds: - - Namespace - exclude: + - exclude: any: - resources: namespaces: 
@@ -19,21 +15,29 @@ spec: - default - kube-public - kyverno - preconditions: - - key: "{{request.operation}}" - operator: NotEquals - value: DELETE generate: - synchronize: true apiVersion: v1 - kind: ConfigMap - name: zk-kafka-address - namespace: default data: + data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 kind: ConfigMap metadata: labels: somekey: somevalue - data: - ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" - KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" + kind: ConfigMap + name: zk-kafka-address + namespace: default + synchronize: true + match: + any: + - resources: + kinds: + - Namespace + name: k-kafka-address + preconditions: + all: + - key: '{{request.operation}}' + operator: NotEquals + value: DELETE + validationFailureAction: Audit diff --git a/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/update-rule-preconditions.yaml b/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/update-rule-preconditions.yaml index 5228cae97c..c8705c8edc 100644 --- a/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/update-rule-preconditions.yaml +++ b/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/update-rule-preconditions.yaml 
@@ -1,37 +1,41 @@ +--- apiVersion: kyverno.io/v1 kind: Policy metadata: name: generate-update-rule-spec namespace: default spec: - generateExisting: false + admission: true + background: true rules: - - name: k-kafka-address + - exclude: + any: + - resources: + kinds: + - NetworkPolicy + generate: + apiVersion: v1 + data: + data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 + kind: ConfigMap + metadata: + labels: + somekey: somevalue + kind: ConfigMap + name: zk-kafka-address + namespace: default + synchronize: true match: any: - resources: kinds: - Secret - exclude: - any: - - resources: - kinds: - - NetworkPolicy + name: k-kafka-address preconditions: - - key: "{{request.operation}}" - operator: NotEquals - value: DELETE - generate: - synchronize: true - apiVersion: v1 - kind: ConfigMap - name: zk-kafka-address - namespace: default - data: - kind: ConfigMap - metadata: - labels: - somekey: somevalue - data: - ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" - KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" + all: + - key: '{{request.operation}}' + operator: NotEquals + value: DELETE + validationFailureAction: Audit diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/01-manifests.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/01-manifests.yaml index 970b4aa5c4..5fdf48af86 100644 --- a/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/01-manifests.yaml +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/basic-check-output/01-manifests.yaml 
@@ -1,19 +1,24 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: add-labels spec: + admission: true + background: true rules: - - name: add-labels - match: - resources: - kinds: - - Pod - - Service - - ConfigMap - - Secret + - match: + any: + - resources: + kinds: + - Pod + - Service + - ConfigMap + - Secret mutate: patchStrategicMerge: metadata: labels: foo: bar + name: add-labels + validationFailureAction: Audit diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/mutate-node-status/01-manifests.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/mutate-node-status/01-manifests.yaml index 3c858b373d..6863da19eb 100644 --- a/test/conformance/kuttl/mutate/clusterpolicy/standard/mutate-node-status/01-manifests.yaml +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/mutate-node-status/01-manifests.yaml @@ -1,17 +1,21 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: advertise-resource spec: + admission: true background: false rules: - - name: advertise-resource - match: - resources: + - match: + any: + - resources: kinds: - - Node/status - mutate: - patchesJson6902: |- - - op: add - path: "/status/capacity/example.com~1dongle" - value: "4" \ No newline at end of file + - Node/status + mutate: + patchesJson6902: |- + - op: add + path: "/status/capacity/example.com~1dongle" + value: "4" + name: advertise-resource + validationFailureAction: Audit diff --git a/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-context/02-policy.yaml b/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-context/02-policy.yaml index 577c8f18cc..03561f6dcd 100644 --- a/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-context/02-policy.yaml +++ b/test/conformance/kuttl/mutate/e2e/foreach-patchStrategicMerge-context/02-policy.yaml 
@@ -1,32 +1,36 @@ -apiVersion : kyverno.io/v1 +--- +apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: foreach-patchstrategicmerge-context-policy spec: + admission: true background: false rules: - - name: resolve-image-containers - match: - resources: - kinds: - - Pod - preconditions: - all: - - key: "{{request.operation}}" - operator: In - value: - - CREATE - - UPDATE + - match: + any: + - resources: + kinds: + - Pod mutate: foreach: - - list: "request.object.spec.containers" - context: - - name: dictionary - configMap: - name: foreach-patchstrategicmerge-context-configmap - namespace: foreach-patchstrategicmerge-context-ns + - context: + - configMap: + name: foreach-patchstrategicmerge-context-configmap + namespace: foreach-patchstrategicmerge-context-ns + name: dictionary + list: request.object.spec.containers patchStrategicMerge: spec: containers: - - name: "{{ element.name }}" - image: "{{ dictionary.data.image }}" + - image: '{{ dictionary.data.image }}' + name: '{{ element.name }}' + name: resolve-image-containers + preconditions: + all: + - key: '{{request.operation}}' + operator: AllIn + value: + - CREATE + - UPDATE + validationFailureAction: Audit diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/policy-mutate.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/policy-mutate.yaml index 2095b90f5a..c32a42c751 100644 --- a/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/policy-mutate.yaml +++ b/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/policy-mutate.yaml 
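Review bot: The precondition on `{{request.operation}}` changes its operator from `In` to `AllIn`, which is a semantic rewrite rather than the canonical re-serialization the rest of the hunk performs. For a scalar key the two presumably evaluate the same way (the single operation must be one of CREATE/UPDATE), but that substitution deserves a sentence in the commit description, and `operator: AnyIn` would read more naturally for a one-of check if the fixer allows choosing it. The same `In` to `AllIn` rewrite appears in test/policy/mutate/policy_mutate_pod_foreach_with_context.yaml.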
@@ -1,22 +1,24 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: mutate spec: - validationFailureAction: Audit admission: false background: true rules: - - name: mutate - match: - resources: - kinds: - - Pod - - Service - - ConfigMap - - Secret + - match: + any: + - resources: + kinds: + - Pod + - Service + - ConfigMap + - Secret mutate: patchStrategicMerge: metadata: labels: foo: bar + name: mutate + validationFailureAction: Audit diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/schema-validation-crd/01-policy.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/schema-validation-crd/01-policy.yaml index 82e282409a..3123129ddf 100644 --- a/test/conformance/kuttl/policy-validation/cluster-policy/schema-validation-crd/01-policy.yaml +++ b/test/conformance/kuttl/policy-validation/cluster-policy/schema-validation-crd/01-policy.yaml @@ -1,20 +1,20 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: annotations: policies.kyverno.io/category: Security policies.kyverno.io/description: 'This policy mutates any namespace-scoped Custom - Resource Definition created by the subjects in the xteam Azure AD group - and adds the label "createdByXteam: true".' + Resource Definition created by the subjects in the xteam Azure AD group and + adds the label "createdByXteam: true".' policies.kyverno.io/subject: RBAC - policies.kyverno.io/title: Mutate Namespace-Scoped CRDs for xteam aad - group + policies.kyverno.io/title: Mutate Namespace-Scoped CRDs for xteam aad group policy.reporter.kyverno.io/minimal: minimal - generation: 1 labels: aws.cdk.eks/prune-c8b5941ff5f4fe911c5ee96472fda3d1f9866734a7: "" name: mutate-xteam-namespace-scoped-crds spec: + admission: true background: false rules: - match: 
@@ -22,9 +22,9 @@ spec: - resources: kinds: - CustomResourceDefinition - subjects: - - kind: Group - name: aad:9b9had99-6k66-2222-9999-8aadb888e888 + subjects: + - kind: Group + name: aad:9b9had99-6k66-2222-9999-8aadb888e888 mutate: patchStrategicMerge: metadata: @@ -39,4 +39,4 @@ spec: - key: '{{ request.object.spec.scope }}' operator: Equals value: Namespaced - validationFailureAction: audit \ No newline at end of file + validationFailureAction: Audit diff --git a/test/conformance/kuttl/policy-validation/policy/admission-disabled/policy-mutate.yaml b/test/conformance/kuttl/policy-validation/policy/admission-disabled/policy-mutate.yaml index b46ee4b2b8..d12a8e299b 100644 --- a/test/conformance/kuttl/policy-validation/policy/admission-disabled/policy-mutate.yaml +++ b/test/conformance/kuttl/policy-validation/policy/admission-disabled/policy-mutate.yaml @@ -1,22 +1,25 @@ +--- apiVersion: kyverno.io/v1 kind: Policy metadata: name: mutate + namespace: default spec: - validationFailureAction: Audit admission: false background: true rules: - - name: mutate - match: - resources: - kinds: - - Pod - - Service - - ConfigMap - - Secret + - match: + any: + - resources: + kinds: + - Pod + - Service + - ConfigMap + - Secret mutate: patchStrategicMerge: metadata: labels: foo: bar + name: mutate + validationFailureAction: Audit diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/variables/lazyload/conditions/01-manifests.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/variables/lazyload/conditions/01-manifests.yaml index 127f156cf2..507a7e11e2 100644 --- a/test/conformance/kuttl/validate/clusterpolicy/standard/variables/lazyload/conditions/01-manifests.yaml +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/variables/lazyload/conditions/01-manifests.yaml 
@@ -1,32 +1,35 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: preconditions spec: - validationFailureAction: Enforce + admission: true background: false rules: - - name: test - match: - any: - - resources: - kinds: - - Pod - context: - - name: nothere - apiCall: - urlPath: /api/v1/namespaces/missing/configmaps/nothere - preconditions: - any: - - key: "{{ request.name }}" - operator: Equals - value: test - message: this pod is not allowed - - key: "{{ nothere }}" - operator: Equals - value: hello - message: value mismatch - validate: - pattern: - metadata: - name: "*" + - context: + - apiCall: + method: GET + urlPath: /api/v1/namespaces/missing/configmaps/nothere + name: nothere + match: + any: + - resources: + kinds: + - Pod + name: test + preconditions: + any: + - key: '{{ request.name }}' + message: this pod is not allowed + operator: Equals + value: test + - key: '{{ nothere }}' + message: value mismatch + operator: Equals + value: hello + validate: + pattern: + metadata: + name: '*' + validationFailureAction: Enforce diff --git a/test/conformance/kuttl/validate/e2e/trusted-images/policy.yaml b/test/conformance/kuttl/validate/e2e/trusted-images/policy.yaml index 0486cf3ddf..6a424882df 100644 --- a/test/conformance/kuttl/validate/e2e/trusted-images/policy.yaml +++ b/test/conformance/kuttl/validate/e2e/trusted-images/policy.yaml 
@@ -1,35 +1,39 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: check-trustable-images spec: - validationFailureAction: Enforce + admission: true + background: true rules: - - name: only-allow-trusted-images - match: + - match: any: - resources: kinds: - Pod + name: only-allow-trusted-images preconditions: - - key: "{{request.operation}}" + all: + - key: '{{request.operation}}' operator: NotEquals value: DELETE validate: - message: "images with root user are not allowed" foreach: - - list: "request.object.spec.containers" - context: - - name: imageData - imageRegistry: - reference: "{{ element.image }}" - jmesPath: "{user: configData.config.User || '', registry: registry}" + - context: + - imageRegistry: + jmesPath: '{user: configData.config.User || '''', registry: registry}' + reference: '{{ element.image }}' + name: imageData deny: conditions: all: - - key: "{{ imageData.user }}" - operator: Equals - value: "" - - key: "{{ imageData.registry }}" - operator: NotEquals - value: "ghcr.io" + - key: '{{ imageData.user }}' + operator: Equals + value: "" + - key: '{{ imageData.registry }}' + operator: NotEquals + value: ghcr.io + list: request.object.spec.containers + message: images with root user are not allowed + validationFailureAction: Enforce diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/policy.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/policy.yaml index dd5bac4498..1d64382014 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/policy.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/policy.yaml 
@@ -1,32 +1,39 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: keyed-basic-policy spec: - validationFailureAction: enforce + admission: true background: false - webhookTimeoutSeconds: 30 failurePolicy: Fail rules: - - name: keyed-basic-rule - match: + - match: any: - resources: kinds: - Pod + name: keyed-basic-rule verifyImages: - - imageReferences: - - '*' - attestors: + - attestors: - entries: - keys: + ctlog: + ignoreSCT: true publicKeys: |- -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== -----END PUBLIC KEY----- rekor: - url: https://rekor.sigstore.dev ignoreTlog: true - ctlog: - ignoreSCT: true + url: https://rekor.sigstore.dev + signatureAlgorithm: sha256 + imageReferences: + - '*' + mutateDigest: true + required: true + useCache: true + verifyDigest: true + validationFailureAction: Enforce + webhookTimeoutSeconds: 30 diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml index 23e7891f99..b5e0e3fc41 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml 
@@ -1,35 +1,42 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: tasks-keyless spec: - validationFailureAction: Enforce - webhookTimeoutSeconds: 30 + admission: true + background: true rules: - - name: verify-images + - imageExtractors: + Task: + - path: /spec/steps/*/image match: any: - resources: kinds: - tekton.dev/v1beta1/Task + name: verify-images preconditions: - - key: "{{request.operation}}" - operator: NotEquals - value: DELETE - imageExtractors: - Task: - - path: /spec/steps/*/image + all: + - key: '{{request.operation}}' + operator: NotEquals + value: DELETE verifyImages: - - imageReferences: - - "ghcr.io/*" - attestors: + - attestors: - count: 1 entries: - keyless: - issuer: "https://token.actions.githubusercontent.com" - subject: "https://github.com/*" - rekor: - url: https://rekor.sigstore.dev ctlog: ignoreSCT: true + issuer: https://token.actions.githubusercontent.com + rekor: + url: https://rekor.sigstore.dev + subject: https://github.com/* + imageReferences: + - ghcr.io/* + mutateDigest: true required: true + useCache: true + verifyDigest: true + validationFailureAction: Enforce + webhookTimeoutSeconds: 30 diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy.yaml index 83ea270108..a0d1272bb1 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy.yaml 
@@ -1,30 +1,35 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: tasks-complex spec: - validationFailureAction: Enforce + admission: true + background: true rules: - - name: verify-images + - imageExtractors: + Task: + - key: name + name: steps + path: /spec/steps/* + value: image match: any: - resources: kinds: - tekton.dev/v1beta1/Task + name: verify-images preconditions: - - key: "{{request.operation}}" - operator: NotEquals - value: DELETE - imageExtractors: - Task: - - path: /spec/steps/* - name: steps - value: image - key: name + all: + - key: '{{request.operation}}' + operator: NotEquals + value: DELETE verifyImages: - - image: "*" - key: |- - -----BEGIN PUBLIC KEY----- - MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM - 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== - -----END PUBLIC KEY----- + - image: '*' + key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END + PUBLIC KEY----- " + mutateDigest: true + required: true + useCache: true + verifyDigest: true + validationFailureAction: Enforce diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/policy.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/policy.yaml index 51a9917f1c..b45ba79cb9 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/policy.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/policy.yaml 
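Review bot: The verifyImages `key` is now emitted as a double-quoted, line-folded scalar that ends in `PUBLIC KEY----- "`, so the PEM string carries a trailing space; that is presumably why the serializer abandoned the `|-` block style that imageExtractors-none/policy.yaml keeps for the identical key. Whether the key parser tolerates trailing whitespace is not visible here, and the folded form with `-----END` split from `PUBLIC KEY-----` is hard to review against the original. Trimming the whitespace in the source file before running the fixer should let it emit the readable `key: |-` block again. The same folded representation appears in imageExtractors-simple/policy.yaml.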
@@ -1,24 +1,32 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: tasks-no-extractor spec: - validationFailureAction: Enforce + admission: true + background: true rules: - - name: verify-images - match: + - match: any: - resources: kinds: - tekton.dev/v1beta1/Task + name: verify-images preconditions: - - key: "{{request.operation}}" - operator: NotEquals - value: DELETE + all: + - key: '{{request.operation}}' + operator: NotEquals + value: DELETE verifyImages: - - image: "*" + - image: '*' key: |- -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== -----END PUBLIC KEY----- + mutateDigest: true + required: true + useCache: true + verifyDigest: true + validationFailureAction: Enforce diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy.yaml index cd1f6dee54..2e89d77ee3 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy.yaml 
@@ -1,27 +1,32 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: tasks-simple spec: - validationFailureAction: Enforce + admission: true + background: true rules: - - name: verify-images + - imageExtractors: + Task: + - path: /spec/steps/*/image match: any: - resources: kinds: - tekton.dev/v1beta1/Task + name: verify-images preconditions: - - key: "{{request.operation}}" - operator: NotEquals - value: DELETE - imageExtractors: - Task: - - path: /spec/steps/*/image + all: + - key: '{{request.operation}}' + operator: NotEquals + value: DELETE verifyImages: - - image: "*" - key: |- - -----BEGIN PUBLIC KEY----- - MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM - 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== - -----END PUBLIC KEY----- + - image: '*' + key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END + PUBLIC KEY----- " + mutateDigest: true + required: true + useCache: true + verifyDigest: true + validationFailureAction: Enforce diff --git a/test/policy/deny/policy.yaml b/test/policy/deny/policy.yaml index e099c449f8..ad5edda86b 100644 --- a/test/policy/deny/policy.yaml +++ b/test/policy/deny/policy.yaml 
@@ -4,26 +4,28 @@ kind: ClusterPolicy metadata: name: path-canonicalize spec: - validationFailureAction: enforce + admission: true background: false rules: - - name: disallow-mount-containerd-sock - match: - resources: - kinds: - - Pod + - match: + any: + - resources: + kinds: + - Pod + name: disallow-mount-containerd-sock validate: foreach: - - list: "request.object.spec.volumes[]" - deny: + - deny: conditions: any: - - key: "{{ path_canonicalize(element.hostPath.path) }}" + - key: '{{ path_canonicalize(element.hostPath.path) }}' operator: Equals - value: "/var/run/containerd/containerd.sock" - - key: "{{ path_canonicalize(element.hostPath.path) }}" + value: /var/run/containerd/containerd.sock + - key: '{{ path_canonicalize(element.hostPath.path) }}' operator: Equals - value: "/run/containerd/containerd.sock" - - key: "{{ path_canonicalize(element.hostPath.path) }}" + value: /run/containerd/containerd.sock + - key: '{{ path_canonicalize(element.hostPath.path) }}' operator: Equals - value: "\\var\\run\\containerd\\containerd.sock" + value: \var\run\containerd\containerd.sock + list: request.object.spec.volumes[] + validationFailureAction: Enforce diff --git a/test/policy/mutate/policy_mutate_pod_disable_automountingapicred.yaml b/test/policy/mutate/policy_mutate_pod_disable_automountingapicred.yaml index c3af6ee570..47dd8c0806 100644 --- a/test/policy/mutate/policy_mutate_pod_disable_automountingapicred.yaml +++ b/test/policy/mutate/policy_mutate_pod_disable_automountingapicred.yaml 
@@ -1,16 +1,21 @@ -apiVersion : kyverno.io/v1 +--- +apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: mutate-pod-disable-automoutingapicred spec: + admission: true + background: true rules: - - name: pod-disable-automoutingapicred - match: - resources: - kinds: - - Pod + - match: + any: + - resources: + kinds: + - Pod mutate: patchStrategicMerge: spec: - (serviceAccountName): "*" - automountServiceAccountToken: false \ No newline at end of file + (serviceAccountName): '*' + automountServiceAccountToken: false + name: pod-disable-automoutingapicred + validationFailureAction: Audit diff --git a/test/policy/mutate/policy_mutate_pod_foreach_with_context.yaml b/test/policy/mutate/policy_mutate_pod_foreach_with_context.yaml index aa89330229..1f5b2018e3 100644 --- a/test/policy/mutate/policy_mutate_pod_foreach_with_context.yaml +++ b/test/policy/mutate/policy_mutate_pod_foreach_with_context.yaml 
@@ -1,34 +1,36 @@ -apiVersion : kyverno.io/v1 +--- +apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: resolve-image spec: + admission: true background: false rules: - - name: resolve-image-containers - match: - resources: - kinds: - - Pod - preconditions: - all: - - key: "{{request.operation}}" - operator: In - value: - - CREATE - - UPDATE + - match: + any: + - resources: + kinds: + - Pod mutate: foreach: - - list: "request.object.spec.containers" - context: - - name: dictionary - configMap: - # Name of the ConfigMap which will be looked up - name: some-config-map - # Namespace in which this ConfigMap is stored - namespace: some-namespace + - context: + - configMap: + name: some-config-map + namespace: some-namespace + name: dictionary + list: request.object.spec.containers patchStrategicMerge: spec: containers: - - name: "{{ element.name }}" - image: "{{ dictionary.data.image }}" + - image: '{{ dictionary.data.image }}' + name: '{{ element.name }}' + name: resolve-image-containers + preconditions: + all: + - key: '{{request.operation}}' + operator: AllIn + value: + - CREATE + - UPDATE + validationFailureAction: Audit diff --git a/test/policy/validate/check_cpu_memory.yaml b/test/policy/validate/check_cpu_memory.yaml index fb6e38238d..505665b9be 100644 --- a/test/policy/validate/check_cpu_memory.yaml +++ b/test/policy/validate/check_cpu_memory.yaml 
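Review bot: The round-trip drops the explanatory comments on the configMap context (`# Name of the ConfigMap which will be looked up`, `# Namespace in which this ConfigMap is stored`) without replacing them, so the fixture loses documentation while gaining nothing but field ordering. If the fixer cannot preserve comments, that limitation belongs in the commit description, and the comments that mattered could be moved into the consuming test or a sibling README. The same comment loss shows up in test/policy/validate/check_image_version.yaml, check_memory_requests_same_yaml.yaml, check_memory_requests_same_yaml_relative.yaml and check_registries.yaml.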
@@ -1,40 +1,45 @@ -apiVersion : kyverno.io/v1 +--- +apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: check-cpu-memory spec: + admission: true + background: true rules: - - name: check-defined - match: - resources: - kinds: - - Deployment + - match: + any: + - resources: + kinds: + - Deployment + name: check-defined validate: - message: "Resource limits are required for CPU and memory" + message: Resource limits are required for CPU and memory pattern: spec: template: spec: containers: - - name: "?*" + - name: ?* resources: limits: - memory: "?*" - cpu: "?*" - - - name: check-cpu - match: - resources: - kinds: - - Deployment + cpu: ?* + memory: ?* + - match: + any: + - resources: + kinds: + - Deployment + name: check-cpu validate: - message: "CPU request should be less than 4" + message: CPU request should be less than 4 pattern: spec: template: spec: containers: - - name: "*" + - name: '*' resources: requests: - cpu: "<4m" + cpu: <4m + validationFailureAction: Audit diff --git a/test/policy/validate/check_hostpath.yaml b/test/policy/validate/check_hostpath.yaml index 85ebf078e3..6974fe680e 100644 --- a/test/policy/validate/check_hostpath.yaml +++ b/test/policy/validate/check_hostpath.yaml @@ -1,19 +1,24 @@ -apiVersion : kyverno.io/v1 +--- +apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: check-host-path spec: + admission: true + background: true rules: - - name: check-host-path - match: - resources: - kinds: - - Pod + - match: + any: + - resources: + kinds: + - Pod + name: check-host-path validate: - message: "Host path is not allowed" + message: Host path is not allowed pattern: spec: volumes: - - name: "*" - hostPath: + - hostPath: path: "" + name: '*' + validationFailureAction: Audit diff --git a/test/policy/validate/check_image_version.yaml b/test/policy/validate/check_image_version.yaml index 3d8a865a32..827b697c4c 100644 --- a/test/policy/validate/check_image_version.yaml +++ b/test/policy/validate/check_image_version.yaml 
@@ -1,22 +1,25 @@ -apiVersion : kyverno.io/v1 +--- +apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: image-pull-policy spec: + admission: true + background: true rules: - - name: image-pull-policy - match: - resources: - kinds: - - Deployment + - match: + any: + - resources: + kinds: + - Deployment + name: image-pull-policy validate: - message: "Image tag ':latest' requires imagePullPolicy 'Always'" + message: Image tag ':latest' requires imagePullPolicy 'Always' pattern: spec: template: spec: containers: - # select images which end with :latest - - (image): "*latest" - # require that the imagePullPolicy is "Always" + - (image): '*latest' imagePullPolicy: Always + validationFailureAction: Audit diff --git a/test/policy/validate/check_memory_requests_same_yaml.yaml b/test/policy/validate/check_memory_requests_same_yaml.yaml index 732f83bc7c..015d1b9f53 100644 --- a/test/policy/validate/check_memory_requests_same_yaml.yaml +++ b/test/policy/validate/check_memory_requests_same_yaml.yaml @@ -1,26 +1,27 @@ -apiVersion : kyverno.io/v1 -kind : ClusterPolicy -metadata : - name : validation-example2 -spec : +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validation-example2 +spec: + admission: true + background: true rules: - - name: check-memory_requests_link_in_yaml - match: - resources: - # Kind specifies one or more resource types to match + - match: + any: + - resources: kinds: - - Deployment - # Name is optional and can use wildcards - name: "*" - # Selector is optional - selector: - validate: - pattern: - spec: - containers: - - name: "*" - resources: - requests: - memory: "$(<=/spec/containers/0/resources/limits/memory)" - limits: - memory: "2048Mi" + - Deployment + name: '*' + name: check-memory_requests_link_in_yaml + validate: + pattern: + spec: + containers: + - name: '*' + resources: + limits: + memory: 2048Mi + requests: + memory: $(<=/spec/containers/0/resources/limits/memory) + validationFailureAction: Audit 
diff --git a/test/policy/validate/check_memory_requests_same_yaml_relative.yaml b/test/policy/validate/check_memory_requests_same_yaml_relative.yaml index 6803c4b3e1..8ca875b36f 100644 --- a/test/policy/validate/check_memory_requests_same_yaml_relative.yaml +++ b/test/policy/validate/check_memory_requests_same_yaml_relative.yaml @@ -1,26 +1,27 @@ -apiVersion : kyverno.io/v1 -kind : ClusterPolicy -metadata : - name : validation-example2 -spec : +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validation-example2 +spec: + admission: true + background: true rules: - - name: check-memory_requests_link_in_yaml_relative - match: - resources: - # Kind specifies one or more resource types to match + - match: + any: + - resources: kinds: - - Deployment - # Name is optional and can use wildcards - name: "*" - # Selector is optional - selector: - validate: - pattern: - spec: - containers: - - (name): "*" - resources: - requests: - memory: "$(<=./../../lim(its/mem)ory)" - lim(its: - mem)ory: "2048Mi" + - Deployment + name: '*' + name: check-memory_requests_link_in_yaml_relative + validate: + pattern: + spec: + containers: + - (name): '*' + resources: + lim(its: + mem)ory: 2048Mi + requests: + memory: $(<=./../../lim(its/mem)ory) + validationFailureAction: Audit diff --git a/test/policy/validate/check_node_for_cve_2022_0185.yaml b/test/policy/validate/check_node_for_cve_2022_0185.yaml index ec8c74c222..5644a85a86 100644 --- a/test/policy/validate/check_node_for_cve_2022_0185.yaml +++ b/test/policy/validate/check_node_for_cve_2022_0185.yaml 
@@ -1,34 +1,35 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: check-kernel annotations: - policies.kyverno.io/title: Check Node for CVE-2022-0185 - policies.kyverno.io/category: Other - policies.kyverno.io/severity: high - kyverno.io/kyverno-version: 1.6.0 - policies.kyverno.io/minversion: 1.6.0 kyverno.io/kubernetes-version: "1.23" - policies.kyverno.io/subject: Node - policies.kyverno.io/description: >- - Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched. - The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2. - For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185. + kyverno.io/kyverno-version: 1.6.0 + policies.kyverno.io/category: Other + policies.kyverno.io/description: Linux CVE-2022-0185 can allow a container escape + in Kubernetes if left unpatched. The affected Linux kernel versions, at this + time, are 5.10.84-1 and 5.15.5-2. For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185. This policy runs in background mode and flags an entry in the ClusterPolicyReport if any Node is reporting one of the affected kernel versions. + policies.kyverno.io/minversion: 1.6.0 + policies.kyverno.io/severity: high + policies.kyverno.io/subject: Node + policies.kyverno.io/title: Check Node for CVE-2022-0185 + name: check-kernel spec: - validationFailureAction: audit + admission: true background: true rules: - - name: kernel-validate - match: + - match: any: - resources: kinds: - - Node + - Node + name: kernel-validate validate: - message: "Kernel is vulnerable to CVE-2022-0185." + message: Kernel is vulnerable to CVE-2022-0185. pattern: status: nodeInfo: - kernelVersion: "!5.10.84-1 & !5.15.5-2" + kernelVersion: '!5.10.84-1 & !5.15.5-2' + validationFailureAction: Audit diff --git a/test/policy/validate/check_nodeport.yaml b/test/policy/validate/check_nodeport.yaml index 38a180c5d7..6b4dff4c66 100644 
--- a/test/policy/validate/check_nodeport.yaml +++ b/test/policy/validate/check_nodeport.yaml @@ -1,16 +1,21 @@ -apiVersion : kyverno.io/v1 +--- +apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: check-node-port spec: + admission: true + background: true rules: - - name: check-node-port - match: - resources: - kinds: - - Service + - match: + any: + - resources: + kinds: + - Service + name: check-node-port validate: - message: "NodePort type is not allowed" + message: NodePort type is not allowed pattern: spec: - type: "!NodePort" + type: '!NodePort' + validationFailureAction: Audit diff --git a/test/policy/validate/check_not_root.yaml b/test/policy/validate/check_not_root.yaml index ac57c781e1..af567dbe74 100644 --- a/test/policy/validate/check_not_root.yaml +++ b/test/policy/validate/check_not_root.yaml @@ -1,21 +1,26 @@ -apiVersion : kyverno.io/v1 -kind : ClusterPolicy -metadata : - name : check-non-root -spec : +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-non-root +spec: + admission: true + background: true rules: - - name: check-non-root - match: - resources: + - match: + any: + - resources: kinds: - Deployment - StatefuleSet - DaemonSet - validate: - message: "Root user is not allowed" - pattern: - spec: - template: - spec: - securityContext: - runAsNonRoot: true + name: check-non-root + validate: + message: Root user is not allowed + pattern: + spec: + template: + spec: + securityContext: + runAsNonRoot: true + validationFailureAction: Audit diff --git a/test/policy/validate/check_probe_exists.yaml b/test/policy/validate/check_probe_exists.yaml index c255595993..484c59b1f7 100644 --- a/test/policy/validate/check_probe_exists.yaml +++ b/test/policy/validate/check_probe_exists.yaml 
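Review bot: The `kinds` list in check_not_root.yaml still carries `- StatefuleSet`, a misspelling of `StatefulSet`, so the non-root rule never matches StatefulSets even though the fixer touched the surrounding lines; the other fixtures in this commit (check_registries.yaml, check_probe_exists.yaml) spell the kind correctly. Change it to `- StatefulSet`. If the misspelling is deliberate for a negative test, the consuming test should say so, since the fixer strips in-file comments.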
@@ -1,36 +1,42 @@ -apiVersion : kyverno.io/v1 -kind : ClusterPolicy -metadata : +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: name: check-probe-exists spec: + admission: true + background: true rules: - - name: check-liveness-probe-exists - match: - resources: - kinds : - - StatefulSet + - match: + any: + - resources: + kinds: + - StatefulSet + name: check-liveness-probe-exists validate: - message: "a livenessProbe is required" + message: a livenessProbe is required pattern: spec: template: spec: containers: - - name: "*" - livenessProbe: - periodSeconds: ">0" - - name: check-readiness-probe-exists - match: - resources: - kinds : - - StatefulSet + - livenessProbe: + periodSeconds: '>0' + name: '*' + - match: + any: + - resources: + kinds: + - StatefulSet + name: check-readiness-probe-exists validate: - message: "a readinessProbe is required" + message: a readinessProbe is required pattern: spec: template: spec: containers: - - name: "*" + - name: '*' readinessProbe: - periodSeconds: ">0" + periodSeconds: '>0' + validationFailureAction: Audit diff --git a/test/policy/validate/check_probe_intervals.yaml b/test/policy/validate/check_probe_intervals.yaml index 9b22c3f9ab..4a9f05348c 100644 --- a/test/policy/validate/check_probe_intervals.yaml +++ b/test/policy/validate/check_probe_intervals.yaml 
@@ -1,36 +1,42 @@ -apiVersion : kyverno.io/v1 -kind : ClusterPolicy -metadata : +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: name: check-probe-intervals spec: + admission: true + background: true rules: - - name: check-probe-intervals - match: - resources: - kinds : - - Deployment + - match: + any: + - resources: + kinds: + - Deployment + name: check-probe-intervals validate: - message: "livenessProbe must be > 10s" + message: livenessProbe must be > 10s pattern: spec: template: spec: containers: - - name: "*" - livenessProbe: - periodSeconds: ">10" - - name: check-probe-intervals - match: - resources: - kinds : - - Deployment + - livenessProbe: + periodSeconds: '>10' + name: '*' + - match: + any: + - resources: + kinds: + - Deployment + name: check-probe-intervals validate: - message: "readinessProbe must be > 10s" + message: readinessProbe must be > 10s pattern: spec: template: spec: containers: - - name: "*" - readinessProbe: - periodSeconds: ">10" + - name: '*' + readinessProbe: + periodSeconds: '>10' + validationFailureAction: Audit diff --git a/test/policy/validate/check_registries.yaml b/test/policy/validate/check_registries.yaml index c1e7c9e052..9fe01124cd 100644 --- a/test/policy/validate/check_registries.yaml +++ b/test/policy/validate/check_registries.yaml @@ -1,22 +1,26 @@ -apiVersion : kyverno.io/v1 +--- +apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: check-registries spec: + admission: true + background: true rules: - - name: check-registries - match: - resources: - kinds: - - Deployment - - StatefulSet + - match: + any: + - resources: + kinds: + - Deployment + - StatefulSet + name: check-registries validate: - message: "Registry is not allowed" + message: Registry is not allowed pattern: spec: template: spec: containers: - - name: "*" - # Check allowed registries - image: "*/nirmata/* | https://private.registry.io/*" + - image: '*/nirmata/* | https://private.registry.io/*' + name: '*' + validationFailureAction: Audit
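Review bot: Both rules in check_probe_intervals.yaml keep the same `name: check-probe-intervals`, so the reformatted policy still has duplicate rule names, which Kyverno's policy validation rejects as far as I recall; the parallel pair in check_probe_exists.yaml uses distinct names. Unless the duplicate is intentional for a negative test and no test references the rule by name, rename them `name: check-liveness-probe-intervals` and `name: check-readiness-probe-intervals` to match the messages each rule emits.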