
chore: fix policies (#8449)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-09-19 12:28:58 +02:00 committed by GitHub
parent f9c85f447d
commit 6a43ec4bcf
GPG key ID: 4AEE18F83AFDEB23
42 changed files with 820 additions and 637 deletions


@ -547,12 +547,12 @@ codegen-docs-all: codegen-helm-docs codegen-cli-docs codegen-api-docs ## Genera
.PHONY: codegen-fix-tests
codegen-fix-tests: $(CLI_BIN) ## Fix CLI test files
@echo Fix CLI test files... >&2
@KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix test ./test/cli --save --compress --force
@KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix test . --save --compress --force
.PHONY: codegen-fix-policies
codegen-fix-policies: $(CLI_BIN) ## Fix CLI policy files
@echo Fix CLI policy files... >&2
@KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix policy ./test/cli/test --save
@KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix policy . --save
.PHONY: codegen-cli-all
codegen-cli-all: codegen-cli-crds codegen-cli-docs codegen-cli-api-docs codegen-fix-tests ## Generate all CLI related code and docs
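Review bot: Widening `codegen-fix-policies` from `./test/cli/test` to `.` (and `codegen-fix-tests` from `./test/cli` to `.`) applies the rewrite to every policy-shaped YAML file under the repository root, not only the CLI fixtures these targets were written for. The other sections of this commit show what the rewrite does: it re-serialises the document, reorders keys, rewrites quoting and drops comments, so any hand-annotated policy elsewhere in the tree is silently reformatted the next time someone runs the target. An explicit list of fixture directories, e.g. `$(CLI_BIN) fix policy ./test/cli --save`, keeps the blast radius to test data; if the whole tree is intended, the `## Fix CLI policy files` help text should say so.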


@ -1,4 +1,7 @@
name: test-registry
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: test-registry
policies:
- image-example.yaml
resources:
@ -8,11 +11,6 @@ results:
policy: images
resources:
- test-pod-with-non-root-user-image
result: pass
rule: only-allow-trusted-images
- kind: Pod
policy: images
resources:
- test-pod-with-trusted-registry
result: pass
rule: only-allow-trusted-images


@ -1,16 +1,12 @@
name: add-quota
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: add-quota
policies:
- policy.yaml
resources:
- resource.yaml
results:
- generatedResource: generatedResourceQuota.yaml
kind: Namespace
policy: add-ns-quota
resources:
- hello-world-namespace
result: pass
rule: generate-resourcequota
- generatedResource: generatedLimitRange.yaml
kind: Namespace
policy: add-ns-quota
@ -18,3 +14,10 @@ results:
- hello-world-namespace
result: pass
rule: generate-limitrange
- generatedResource: generatedResourceQuota.yaml
kind: Namespace
policy: add-ns-quota
resources:
- hello-world-namespace
result: pass
rule: generate-resourcequota


@ -107,6 +107,18 @@ func (o options) processFile(out io.Writer, path string) {
rule := rule.(map[string]interface{})
unstructured.RemoveNestedField(rule, "exclude", "resources")
unstructured.RemoveNestedField(rule, "match", "resources")
if any, ok, err := unstructured.NestedFieldNoCopy(rule, "match", "any"); ok && err == nil {
cleanResourceFilters(any.([]interface{}))
}
if all, ok, err := unstructured.NestedFieldNoCopy(rule, "match", "all"); ok && err == nil {
cleanResourceFilters(all.([]interface{}))
}
if any, ok, err := unstructured.NestedFieldNoCopy(rule, "exclude", "any"); ok && err == nil {
cleanResourceFilters(any.([]interface{}))
}
if all, ok, err := unstructured.NestedFieldNoCopy(rule, "exclude", "all"); ok && err == nil {
cleanResourceFilters(all.([]interface{}))
}
if item, _, _ := unstructured.NestedMap(rule, "generate", "clone"); len(item) == 0 {
unstructured.RemoveNestedField(rule, "generate", "clone")
}
@ -165,3 +177,12 @@ func (o options) processFile(out io.Writer, path string) {
fmt.Fprintln(out, " OK")
}
}
func cleanResourceFilters(rf []interface{}) {
for _, f := range rf {
a := f.(map[string]interface{})
if item, _, _ := unstructured.NestedMap(a, "resources"); len(item) == 0 {
unstructured.RemoveNestedField(a, "resources")
}
}
}
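Review bot: `any.([]interface{})` and `all.([]interface{})` in the new `processFile` lines, and `f.(map[string]interface{})` in `cleanResourceFilters`, are single-value type assertions, so a policy file whose `match.any` is a scalar or whose filter list holds a non-mapping element makes the fix command panic instead of reporting that file and moving on. Use the two-value form and skip what does not fit, e.g. `if list, ok := any.([]interface{}); ok { cleanResourceFilters(list) }` and, in the loop, `a, ok := f.(map[string]interface{}); if !ok { continue }`. The local `any` also shadows the builtin `any` type, which is legal but confusing next to `interface{}`; `anyFilters`/`allFilters` read better. `processFile` starts and ends outside the hunks, so the error path the caller expects is not visible here.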


@ -10,6 +10,8 @@ import (
"github.com/go-git/go-billy/v5/memfs"
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apis/v1alpha1"
"gotest.tools/assert"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
func TestLoadTests(t *testing.T) {
@ -47,7 +49,13 @@ func TestLoadTests(t *testing.T) {
want: []TestCase{{
Path: "../_testdata/tests/test-1/kyverno-test.yaml",
Test: &v1alpha1.Test{
Name: "test-registry",
TypeMeta: metav1.TypeMeta{
APIVersion: "cli.kyverno.io/v1alpha1",
Kind: "Test",
},
ObjectMeta: metav1.ObjectMeta{
Name: "test-registry",
},
Policies: []string{"image-example.yaml"},
Resources: []string{"resources.yaml"},
Results: []v1alpha1.TestResult{{
@ -57,15 +65,10 @@ func TestLoadTests(t *testing.T) {
Result: policyreportv1alpha2.StatusPass,
Rule: "only-allow-trusted-images",
},
Resources: []string{"test-pod-with-non-root-user-image"},
}, {
TestResultBase: v1alpha1.TestResultBase{
Kind: "Pod",
Policy: "images",
Result: policyreportv1alpha2.StatusPass,
Rule: "only-allow-trusted-images",
Resources: []string{
"test-pod-with-non-root-user-image",
"test-pod-with-trusted-registry",
},
Resources: []string{"test-pod-with-trusted-registry"},
}},
},
}},
@ -77,7 +80,13 @@ func TestLoadTests(t *testing.T) {
want: []TestCase{{
Path: "../_testdata/tests/test-2/kyverno-test.yaml",
Test: &v1alpha1.Test{
Name: "add-quota",
TypeMeta: metav1.TypeMeta{
APIVersion: "cli.kyverno.io/v1alpha1",
Kind: "Test",
},
ObjectMeta: metav1.ObjectMeta{
Name: "add-quota",
},
Policies: []string{"policy.yaml"},
Resources: []string{"resource.yaml"},
Results: []v1alpha1.TestResult{{
@ -85,8 +94,8 @@ func TestLoadTests(t *testing.T) {
Kind: "Namespace",
Policy: "add-ns-quota",
Result: policyreportv1alpha2.StatusPass,
Rule: "generate-resourcequota",
GeneratedResource: "generatedResourceQuota.yaml",
Rule: "generate-limitrange",
GeneratedResource: "generatedLimitRange.yaml",
},
Resources: []string{"hello-world-namespace"},
}, {
@ -94,8 +103,8 @@ func TestLoadTests(t *testing.T) {
Kind: "Namespace",
Policy: "add-ns-quota",
Result: policyreportv1alpha2.StatusPass,
Rule: "generate-limitrange",
GeneratedResource: "generatedLimitRange.yaml",
Rule: "generate-resourcequota",
GeneratedResource: "generatedResourceQuota.yaml",
},
Resources: []string{"hello-world-namespace"},
}},
@ -109,7 +118,13 @@ func TestLoadTests(t *testing.T) {
want: []TestCase{{
Path: "../_testdata/tests/test-1/kyverno-test.yaml",
Test: &v1alpha1.Test{
Name: "test-registry",
TypeMeta: metav1.TypeMeta{
APIVersion: "cli.kyverno.io/v1alpha1",
Kind: "Test",
},
ObjectMeta: metav1.ObjectMeta{
Name: "test-registry",
},
Policies: []string{"image-example.yaml"},
Resources: []string{"resources.yaml"},
Results: []v1alpha1.TestResult{{
@ -119,21 +134,22 @@ func TestLoadTests(t *testing.T) {
Result: policyreportv1alpha2.StatusPass,
Rule: "only-allow-trusted-images",
},
Resources: []string{"test-pod-with-non-root-user-image"},
}, {
TestResultBase: v1alpha1.TestResultBase{
Kind: "Pod",
Policy: "images",
Result: policyreportv1alpha2.StatusPass,
Rule: "only-allow-trusted-images",
Resources: []string{
"test-pod-with-non-root-user-image",
"test-pod-with-trusted-registry",
},
Resources: []string{"test-pod-with-trusted-registry"},
}},
},
}, {
Path: "../_testdata/tests/test-2/kyverno-test.yaml",
Test: &v1alpha1.Test{
Name: "add-quota",
TypeMeta: metav1.TypeMeta{
APIVersion: "cli.kyverno.io/v1alpha1",
Kind: "Test",
},
ObjectMeta: metav1.ObjectMeta{
Name: "add-quota",
},
Policies: []string{"policy.yaml"},
Resources: []string{"resource.yaml"},
Results: []v1alpha1.TestResult{{
@ -141,8 +157,8 @@ func TestLoadTests(t *testing.T) {
Kind: "Namespace",
Policy: "add-ns-quota",
Result: policyreportv1alpha2.StatusPass,
Rule: "generate-resourcequota",
GeneratedResource: "generatedResourceQuota.yaml",
Rule: "generate-limitrange",
GeneratedResource: "generatedLimitRange.yaml",
},
Resources: []string{"hello-world-namespace"},
}, {
@ -150,8 +166,8 @@ func TestLoadTests(t *testing.T) {
Kind: "Namespace",
Policy: "add-ns-quota",
Result: policyreportv1alpha2.StatusPass,
Rule: "generate-limitrange",
GeneratedResource: "generatedLimitRange.yaml",
Rule: "generate-resourcequota",
GeneratedResource: "generatedResourceQuota.yaml",
},
Resources: []string{"hello-world-namespace"},
}},
@ -198,7 +214,13 @@ func TestLoadTest(t *testing.T) {
want: TestCase{
Path: "../_testdata/tests/test-1/kyverno-test.yaml",
Test: &v1alpha1.Test{
Name: "test-registry",
TypeMeta: metav1.TypeMeta{
APIVersion: "cli.kyverno.io/v1alpha1",
Kind: "Test",
},
ObjectMeta: metav1.ObjectMeta{
Name: "test-registry",
},
Policies: []string{"image-example.yaml"},
Resources: []string{"resources.yaml"},
Results: []v1alpha1.TestResult{{
@ -208,15 +230,10 @@ func TestLoadTest(t *testing.T) {
Result: policyreportv1alpha2.StatusPass,
Rule: "only-allow-trusted-images",
},
Resources: []string{"test-pod-with-non-root-user-image"},
}, {
TestResultBase: v1alpha1.TestResultBase{
Kind: "Pod",
Policy: "images",
Result: policyreportv1alpha2.StatusPass,
Rule: "only-allow-trusted-images",
Resources: []string{
"test-pod-with-non-root-user-image",
"test-pod-with-trusted-registry",
},
Resources: []string{"test-pod-with-trusted-registry"},
}},
},
},
@ -226,7 +243,13 @@ func TestLoadTest(t *testing.T) {
want: TestCase{
Path: "kyverno-test.yaml",
Test: &v1alpha1.Test{
Name: "test-registry",
TypeMeta: metav1.TypeMeta{
APIVersion: "cli.kyverno.io/v1alpha1",
Kind: "Test",
},
ObjectMeta: metav1.ObjectMeta{
Name: "test-registry",
},
Policies: []string{"image-example.yaml"},
Resources: []string{"resources.yaml"},
Results: []v1alpha1.TestResult{{
@ -236,15 +259,10 @@ func TestLoadTest(t *testing.T) {
Result: policyreportv1alpha2.StatusPass,
Rule: "only-allow-trusted-images",
},
Resources: []string{"test-pod-with-non-root-user-image"},
}, {
TestResultBase: v1alpha1.TestResultBase{
Kind: "Pod",
Policy: "images",
Result: policyreportv1alpha2.StatusPass,
Rule: "only-allow-trusted-images",
Resources: []string{
"test-pod-with-non-root-user-image",
"test-pod-with-trusted-registry",
},
Resources: []string{"test-pod-with-trusted-registry"},
}},
},
},
@ -288,10 +306,9 @@ func TestLoadTest(t *testing.T) {
return
}
got.Err = nil
tt.want.Fs = tt.fs
if !reflect.DeepEqual(got, tt.want) {
t.Errorf("LoadTest() = %v, want %v", got, tt.want)
}
tt.want.Fs = nil
got.Fs = nil
assert.DeepEqual(t, tt.want, got)
})
}
}
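Review bot: The new tail of `TestLoadTest` sets `tt.want.Fs = nil` and `got.Fs = nil` before `assert.DeepEqual`, whereas the removed lines assigned `tt.want.Fs = tt.fs` and compared it, so the test no longer checks which filesystem `LoadTest` attached to the returned case. If `Fs` is meant to be populated, keep one assertion on it before clearing, e.g. `assert.Equal(t, tt.fs, got.Fs)`; if it is intentionally out of scope, a one-line comment above the two `= nil` lines saying so saves the next reader the same question. The import hunk adds `memfs` and `gotest.tools/assert` but does not show `reflect` being removed; if `reflect.DeepEqual` was its only use the file will not compile, so confirm it is still referenced elsewhere. The enclosing test function starts outside the hunk.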


@ -1,20 +1,24 @@
# A file with no reserved name "assert" or "errors" will be created with the below contents. Can be multiple YAML docs in the same file.
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-labels
spec:
admission: true
background: true
rules:
- name: add-labels
match:
resources:
kinds:
- Pod
- Service
- ConfigMap
- Secret
- match:
any:
- resources:
kinds:
- Pod
- Service
- ConfigMap
- Secret
mutate:
patchStrategicMerge:
metadata:
labels:
foo: bar
name: add-labels
validationFailureAction: Audit


@ -1,19 +1,24 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-labels
spec:
admission: true
background: true
rules:
- name: add-labels
match:
resources:
kinds:
- Pod
- Service
- ConfigMap
- Secret
- match:
any:
- resources:
kinds:
- Pod
- Service
- ConfigMap
- Secret
mutate:
patchStrategicMerge:
metadata:
labels:
foo: bar
name: add-labels
validationFailureAction: Audit


@ -1,13 +1,16 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: testcase-7fki3
spec:
schemaValidation: false
admission: true
background: false
validationFailureAction: Enforce
rules:
- name: mutate1
- context:
- name: var1
variable:
value: AAA
match:
all:
- resources:
@ -15,31 +18,27 @@ spec:
- v1/ConfigMap
names:
- testcase-7fki3-resource
context:
- name: var1
variable:
value: AAA
mutate:
foreach:
- list: '[''dummy'']'
patchStrategicMerge:
data:
from_loop_1: '{{ var1 || ''!!!variable not resolved!!!'' }}'
- list: '[''dummy'']'
patchStrategicMerge:
data:
from_loop_2: '{{ var1 || ''!!!variable not resolved!!!'' }}'
- list: '[''dummy'']'
patchStrategicMerge:
data:
from_loop_3: '{{ var1 || ''!!!variable not resolved!!!'' }}'
name: mutate1
preconditions:
all:
- key: "{{ request.operation }}"
operator: In
- key: '{{ request.operation }}'
operator: AllIn
value:
- CREATE
- UPDATE
mutate:
foreach:
# first loop
- list: "['dummy']"
patchStrategicMerge:
data:
from_loop_1: "{{ var1 || '!!!variable not resolved!!!' }}"
# second loop
- list: "['dummy']"
patchStrategicMerge:
data:
from_loop_2: "{{ var1 || '!!!variable not resolved!!!' }}"
# third loop
- list: "['dummy']"
patchStrategicMerge:
data:
from_loop_3: "{{ var1 || '!!!variable not resolved!!!' }}"
schemaValidation: false
validationFailureAction: Enforce
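Review bot: The rewritten precondition replaces `operator: In` with `operator: AllIn` in the testcase-7fki3 policy, and the foreach-patchstrategicmerge-context policy further down gets the same change. For a scalar key such as `{{ request.operation }}` the two operators evaluate identically, but this is an operator substitution rather than a formatting fix, so it deserves a mention in the commit message or a confirmation that the fix tool's rewrite rule is intended to do it. The rewrite also drops the `# first loop` / `# second loop` / `# third loop` comments from the foreach list, as it does for comments in the other policies in this commit; if comments are expected to survive `kyverno fix policy`, the tool needs a node-level YAML round-trip rather than unmarshal-then-marshal.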


@ -1,29 +1,31 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag-events-creation
annotations:
policies.kyverno.io/title: Disallow Latest Tag
policies.kyverno.io/category: Best Practices
policies.kyverno.io/description: 'The '':latest'' tag is mutable and can lead
to unexpected errors if the image changes. A best practice is to use an immutable
tag that maps to a specific version of an application Pod. This policy validates
that the image specifies a tag and that it is not called `latest`. '
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
The ':latest' tag is mutable and can lead to unexpected errors if the
image changes. A best practice is to use an immutable tag that maps to
a specific version of an application Pod. This policy validates that the image
specifies a tag and that it is not called `latest`.
policies.kyverno.io/title: Disallow Latest Tag
name: disallow-latest-tag-events-creation
spec:
validationFailureAction: Enforce
admission: true
background: true
rules:
- name: validate-image-tag
match:
resources:
kinds:
- Pod
- match:
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: "An image tag is required (:latest is not allowed)"
message: An image tag is required (:latest is not allowed)
pattern:
spec:
containers:
- image: "!*:latest & *:*"
- image: '!*:latest & *:*'
validationFailureAction: Enforce


@ -1,32 +1,36 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: cpol-data-sync-remove-list-element-cpol
annotations:
policies.kyverno.io/category: Workload Management
policies.kyverno.io/description: By default, Kubernetes allows communications across
all pods within a cluster. Network policies and, a CNI that supports network policies,
must be used to restrict communinications. A default NetworkPolicy should be configured
for each namespace to default deny all ingress traffic to the pods in the namespace.
Application teams can then configure additional NetworkPolicy resources to allow
desired traffic to application pods from select sources.
policies.kyverno.io/description: By default, Kubernetes allows communications
across all pods within a cluster. Network policies and, a CNI that supports
network policies, must be used to restrict communinications. A default NetworkPolicy
should be configured for each namespace to default deny all ingress traffic
to the pods in the namespace. Application teams can then configure additional
NetworkPolicy resources to allow desired traffic to application pods from select
sources.
name: cpol-data-sync-remove-list-element-cpol
spec:
validationFailureAction: audit
admission: true
background: true
rules:
- name: cpol-data-sync-remove-list-element-rule
match:
resources:
kinds:
- Namespace
generate:
- generate:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
name: default-netpol
namespace: "{{request.object.metadata.name}}"
synchronize : true
data:
spec:
# select all pods in the namespace
podSelector: {}
policyTypes:
- Ingress
kind: NetworkPolicy
name: default-netpol
namespace: '{{request.object.metadata.name}}'
synchronize: true
match:
any:
- resources:
kinds:
- Namespace
name: cpol-data-sync-remove-list-element-rule
validationFailureAction: Audit


@ -1,33 +1,37 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: cpol-data-sync-remove-list-element-cpol
annotations:
policies.kyverno.io/category: Workload Management
policies.kyverno.io/description: By default, Kubernetes allows communications across
all pods within a cluster. Network policies and, a CNI that supports network policies,
must be used to restrict communinications. A default NetworkPolicy should be configured
for each namespace to default deny all ingress traffic to the pods in the namespace.
Application teams can then configure additional NetworkPolicy resources to allow
desired traffic to application pods from select sources.
policies.kyverno.io/description: By default, Kubernetes allows communications
across all pods within a cluster. Network policies and, a CNI that supports
network policies, must be used to restrict communinications. A default NetworkPolicy
should be configured for each namespace to default deny all ingress traffic
to the pods in the namespace. Application teams can then configure additional
NetworkPolicy resources to allow desired traffic to application pods from select
sources.
name: cpol-data-sync-remove-list-element-cpol
spec:
validationFailureAction: audit
admission: true
background: true
rules:
- name: cpol-data-sync-remove-list-element-rule
match:
resources:
kinds:
- Namespace
generate:
- generate:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
name: default-netpol
namespace: "{{request.object.metadata.name}}"
synchronize : true
data:
spec:
# select all pods in the namespace
podSelector: {}
policyTypes:
- Ingress
- Egress
kind: NetworkPolicy
name: default-netpol
namespace: '{{request.object.metadata.name}}'
synchronize: true
match:
any:
- resources:
kinds:
- Namespace
name: cpol-data-sync-remove-list-element-rule
validationFailureAction: Audit


@ -1,26 +1,31 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: cpol-data-sync-modify-policy
spec:
admission: true
background: true
rules:
- name: cpol-data-sync-modify-rule
match:
resources:
kinds:
- Namespace
names:
- gemini-*
generate:
- generate:
apiVersion: v1
kind: ResourceQuota
name: default-resourcequota
synchronize: true
namespace: "{{request.object.metadata.name}}"
data:
spec:
hard:
requests.cpu: '4'
requests.memory: '16Gi'
limits.cpu: '8'
limits.memory: '16Gi'
limits.cpu: "8"
limits.memory: 16Gi
requests.cpu: "4"
requests.memory: 16Gi
kind: ResourceQuota
name: default-resourcequota
namespace: '{{request.object.metadata.name}}'
synchronize: true
match:
any:
- resources:
kinds:
- Namespace
names:
- gemini-*
name: cpol-data-sync-modify-rule
validationFailureAction: Audit


@ -1,26 +1,31 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: cpol-data-sync-modify-policy
spec:
admission: true
background: true
rules:
- name: cpol-data-sync-modify-rule
match:
resources:
kinds:
- Namespace
names:
- gemini-*
generate:
- generate:
apiVersion: v1
kind: ResourceQuota
name: default-resourcequota
synchronize: true
namespace: "{{request.object.metadata.name}}"
data:
spec:
hard:
requests.cpu: '4'
requests.memory: '16Gi'
limits.cpu: '9'
limits.memory: '16Gi'
limits.cpu: "9"
limits.memory: 16Gi
requests.cpu: "4"
requests.memory: 16Gi
kind: ResourceQuota
name: default-resourcequota
namespace: '{{request.object.metadata.name}}'
synchronize: true
match:
any:
- resources:
kinds:
- Namespace
names:
- gemini-*
name: cpol-data-sync-modify-rule
validationFailureAction: Audit


@ -1,17 +1,13 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: generate-update-rule-spec
spec:
generateExisting: false
admission: true
background: true
rules:
- name: k-kafka-address
match:
any:
- resources:
kinds:
- Namespace
exclude:
- exclude:
any:
- resources:
namespaces:
@ -19,21 +15,29 @@ spec:
- default
- kube-public
- kyverno
preconditions:
- key: "{{request.operation}}"
operator: NotEquals
value: DELETE
generate:
synchronize: true
apiVersion: v1
kind: ConfigMap
name: zk-kafka-address
namespace: default
data:
data:
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
kind: ConfigMap
metadata:
labels:
somekey: somevalue
data:
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
kind: ConfigMap
name: zk-kafka-address
namespace: default
synchronize: true
match:
any:
- resources:
kinds:
- Namespace
name: k-kafka-address
preconditions:
all:
- key: '{{request.operation}}'
operator: NotEquals
value: DELETE
validationFailureAction: Audit


@ -1,37 +1,41 @@
---
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: generate-update-rule-spec
namespace: default
spec:
generateExisting: false
admission: true
background: true
rules:
- name: k-kafka-address
- exclude:
any:
- resources:
kinds:
- NetworkPolicy
generate:
apiVersion: v1
data:
data:
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
kind: ConfigMap
metadata:
labels:
somekey: somevalue
kind: ConfigMap
name: zk-kafka-address
namespace: default
synchronize: true
match:
any:
- resources:
kinds:
- Secret
exclude:
any:
- resources:
kinds:
- NetworkPolicy
name: k-kafka-address
preconditions:
- key: "{{request.operation}}"
operator: NotEquals
value: DELETE
generate:
synchronize: true
apiVersion: v1
kind: ConfigMap
name: zk-kafka-address
namespace: default
data:
kind: ConfigMap
metadata:
labels:
somekey: somevalue
data:
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
all:
- key: '{{request.operation}}'
operator: NotEquals
value: DELETE
validationFailureAction: Audit


@ -1,19 +1,24 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-labels
spec:
admission: true
background: true
rules:
- name: add-labels
match:
resources:
kinds:
- Pod
- Service
- ConfigMap
- Secret
- match:
any:
- resources:
kinds:
- Pod
- Service
- ConfigMap
- Secret
mutate:
patchStrategicMerge:
metadata:
labels:
foo: bar
name: add-labels
validationFailureAction: Audit


@ -1,17 +1,21 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: advertise-resource
spec:
admission: true
background: false
rules:
- name: advertise-resource
match:
resources:
- match:
any:
- resources:
kinds:
- Node/status
mutate:
patchesJson6902: |-
- op: add
path: "/status/capacity/example.com~1dongle"
value: "4"
- Node/status
mutate:
patchesJson6902: |-
- op: add
path: "/status/capacity/example.com~1dongle"
value: "4"
name: advertise-resource
validationFailureAction: Audit


@ -1,32 +1,36 @@
apiVersion : kyverno.io/v1
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: foreach-patchstrategicmerge-context-policy
spec:
admission: true
background: false
rules:
- name: resolve-image-containers
match:
resources:
kinds:
- Pod
preconditions:
all:
- key: "{{request.operation}}"
operator: In
value:
- CREATE
- UPDATE
- match:
any:
- resources:
kinds:
- Pod
mutate:
foreach:
- list: "request.object.spec.containers"
context:
- name: dictionary
configMap:
name: foreach-patchstrategicmerge-context-configmap
namespace: foreach-patchstrategicmerge-context-ns
- context:
- configMap:
name: foreach-patchstrategicmerge-context-configmap
namespace: foreach-patchstrategicmerge-context-ns
name: dictionary
list: request.object.spec.containers
patchStrategicMerge:
spec:
containers:
- name: "{{ element.name }}"
image: "{{ dictionary.data.image }}"
- image: '{{ dictionary.data.image }}'
name: '{{ element.name }}'
name: resolve-image-containers
preconditions:
all:
- key: '{{request.operation}}'
operator: AllIn
value:
- CREATE
- UPDATE
validationFailureAction: Audit


@ -1,22 +1,24 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutate
spec:
validationFailureAction: Audit
admission: false
background: true
rules:
- name: mutate
match:
resources:
kinds:
- Pod
- Service
- ConfigMap
- Secret
- match:
any:
- resources:
kinds:
- Pod
- Service
- ConfigMap
- Secret
mutate:
patchStrategicMerge:
metadata:
labels:
foo: bar
name: mutate
validationFailureAction: Audit


@ -1,20 +1,20 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/description: 'This policy mutates any namespace-scoped Custom
Resource Definition created by the subjects in the xteam Azure AD group
and adds the label "createdByXteam: true".'
Resource Definition created by the subjects in the xteam Azure AD group and
adds the label "createdByXteam: true".'
policies.kyverno.io/subject: RBAC
policies.kyverno.io/title: Mutate Namespace-Scoped CRDs for xteam aad
group
policies.kyverno.io/title: Mutate Namespace-Scoped CRDs for xteam aad group
policy.reporter.kyverno.io/minimal: minimal
generation: 1
labels:
aws.cdk.eks/prune-c8b5941ff5f4fe911c5ee96472fda3d1f9866734a7: ""
name: mutate-xteam-namespace-scoped-crds
spec:
admission: true
background: false
rules:
- match:
@ -22,9 +22,9 @@ spec:
- resources:
kinds:
- CustomResourceDefinition
subjects:
- kind: Group
name: aad:9b9had99-6k66-2222-9999-8aadb888e888
subjects:
- kind: Group
name: aad:9b9had99-6k66-2222-9999-8aadb888e888
mutate:
patchStrategicMerge:
metadata:
@ -39,4 +39,4 @@ spec:
- key: '{{ request.object.spec.scope }}'
operator: Equals
value: Namespaced
validationFailureAction: audit
validationFailureAction: Audit


@ -1,22 +1,25 @@
---
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: mutate
namespace: default
spec:
validationFailureAction: Audit
admission: false
background: true
rules:
- name: mutate
match:
resources:
kinds:
- Pod
- Service
- ConfigMap
- Secret
- match:
any:
- resources:
kinds:
- Pod
- Service
- ConfigMap
- Secret
mutate:
patchStrategicMerge:
metadata:
labels:
foo: bar
name: mutate
validationFailureAction: Audit


@ -1,32 +1,35 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: preconditions
spec:
validationFailureAction: Enforce
admission: true
background: false
rules:
- name: test
match:
any:
- resources:
kinds:
- Pod
context:
- name: nothere
apiCall:
urlPath: /api/v1/namespaces/missing/configmaps/nothere
preconditions:
any:
- key: "{{ request.name }}"
operator: Equals
value: test
message: this pod is not allowed
- key: "{{ nothere }}"
operator: Equals
value: hello
message: value mismatch
validate:
pattern:
metadata:
name: "*"
- context:
- apiCall:
method: GET
urlPath: /api/v1/namespaces/missing/configmaps/nothere
name: nothere
match:
any:
- resources:
kinds:
- Pod
name: test
preconditions:
any:
- key: '{{ request.name }}'
message: this pod is not allowed
operator: Equals
value: test
- key: '{{ nothere }}'
message: value mismatch
operator: Equals
value: hello
validate:
pattern:
metadata:
name: '*'
validationFailureAction: Enforce


@ -1,35 +1,39 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-trustable-images
spec:
validationFailureAction: Enforce
admission: true
background: true
rules:
- name: only-allow-trusted-images
match:
- match:
any:
- resources:
kinds:
- Pod
name: only-allow-trusted-images
preconditions:
- key: "{{request.operation}}"
all:
- key: '{{request.operation}}'
operator: NotEquals
value: DELETE
validate:
message: "images with root user are not allowed"
foreach:
- list: "request.object.spec.containers"
context:
- name: imageData
imageRegistry:
reference: "{{ element.image }}"
jmesPath: "{user: configData.config.User || '', registry: registry}"
- context:
- imageRegistry:
jmesPath: '{user: configData.config.User || '''', registry: registry}'
reference: '{{ element.image }}'
name: imageData
deny:
conditions:
all:
- key: "{{ imageData.user }}"
operator: Equals
value: ""
- key: "{{ imageData.registry }}"
operator: NotEquals
value: "ghcr.io"
- key: '{{ imageData.user }}'
operator: Equals
value: ""
- key: '{{ imageData.registry }}'
operator: NotEquals
value: ghcr.io
list: request.object.spec.containers
message: images with root user are not allowed
validationFailureAction: Enforce


@ -1,32 +1,39 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: keyed-basic-policy
spec:
validationFailureAction: enforce
admission: true
background: false
webhookTimeoutSeconds: 30
failurePolicy: Fail
rules:
- name: keyed-basic-rule
match:
- match:
any:
- resources:
kinds:
- Pod
name: keyed-basic-rule
verifyImages:
- imageReferences:
- '*'
attestors:
- attestors:
- entries:
- keys:
ctlog:
ignoreSCT: true
publicKeys: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
-----END PUBLIC KEY-----
rekor:
url: https://rekor.sigstore.dev
ignoreTlog: true
ctlog:
ignoreSCT: true
url: https://rekor.sigstore.dev
signatureAlgorithm: sha256
imageReferences:
- '*'
mutateDigest: true
required: true
useCache: true
verifyDigest: true
validationFailureAction: Enforce
webhookTimeoutSeconds: 30
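Review bot: The rewritten keyed-basic-policy materialises fields the old file left implicit — `mutateDigest: true`, `required: true`, `useCache: true`, `verifyDigest: true` and `signatureAlgorithm: sha256` — so the fixture now pins today's defaults instead of exercising default behaviour, and a future default change will silently stop being covered; the tasks-keyless, tasks-complex, tasks-no-extractor and tasks-simple policies below get the same treatment. Whether `ignoreTlog: true` from the old `rekor` block is still present on the new side cannot be recovered from this rendering; since removing it turns "skip the transparency log" into "require a Rekor entry", confirm the saved file still carries it or that the stricter check is intended. Preferably the fix tool should emit only the fields present in the source document rather than the fully defaulted struct.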


@ -1,35 +1,42 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: tasks-keyless
spec:
validationFailureAction: Enforce
webhookTimeoutSeconds: 30
admission: true
background: true
rules:
- name: verify-images
- imageExtractors:
Task:
- path: /spec/steps/*/image
match:
any:
- resources:
kinds:
- tekton.dev/v1beta1/Task
name: verify-images
preconditions:
- key: "{{request.operation}}"
operator: NotEquals
value: DELETE
imageExtractors:
Task:
- path: /spec/steps/*/image
all:
- key: '{{request.operation}}'
operator: NotEquals
value: DELETE
verifyImages:
- imageReferences:
- "ghcr.io/*"
attestors:
- attestors:
- count: 1
entries:
- keyless:
issuer: "https://token.actions.githubusercontent.com"
subject: "https://github.com/*"
rekor:
url: https://rekor.sigstore.dev
ctlog:
ignoreSCT: true
issuer: https://token.actions.githubusercontent.com
rekor:
url: https://rekor.sigstore.dev
subject: https://github.com/*
imageReferences:
- ghcr.io/*
mutateDigest: true
required: true
useCache: true
verifyDigest: true
validationFailureAction: Enforce
webhookTimeoutSeconds: 30


@ -1,30 +1,35 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: tasks-complex
spec:
validationFailureAction: Enforce
admission: true
background: true
rules:
- name: verify-images
- imageExtractors:
Task:
- key: name
name: steps
path: /spec/steps/*
value: image
match:
any:
- resources:
kinds:
- tekton.dev/v1beta1/Task
name: verify-images
preconditions:
- key: "{{request.operation}}"
operator: NotEquals
value: DELETE
imageExtractors:
Task:
- path: /spec/steps/*
name: steps
value: image
key: name
all:
- key: '{{request.operation}}'
operator: NotEquals
value: DELETE
verifyImages:
- image: "*"
key: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
-----END PUBLIC KEY-----
- image: '*'
key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END
PUBLIC KEY----- "
mutateDigest: true
required: true
useCache: true
verifyDigest: true
validationFailureAction: Enforce
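Review bot: The public key under `verifyImages[0].key` in tasks-complex is now a double-quoted scalar wrapped across two lines (`...\n-----END` / `PUBLIC KEY----- "`), which YAML folds into `-----END PUBLIC KEY----- ` with a trailing space; the serializer presumably abandoned the block form because the source value already ended in a space, which is why tasks-no-extractor, whose key has no trailing space, keeps the readable `|-` block. Strip the trailing space from the key so it round-trips as `key: |-` with the three PEM lines beneath it, and do the same in the tasks-simple policy at the end of this commit, which shows the identical wrapped form. PEM decoders generally tolerate trailing whitespace, but three fixtures carrying the same key in two visibly different encodings is an invitation for a copy/paste error in the next test.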


@ -1,24 +1,32 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: tasks-no-extractor
spec:
validationFailureAction: Enforce
admission: true
background: true
rules:
- name: verify-images
match:
- match:
any:
- resources:
kinds:
- tekton.dev/v1beta1/Task
name: verify-images
preconditions:
- key: "{{request.operation}}"
operator: NotEquals
value: DELETE
all:
- key: '{{request.operation}}'
operator: NotEquals
value: DELETE
verifyImages:
- image: "*"
- image: '*'
key: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
-----END PUBLIC KEY-----
mutateDigest: true
required: true
useCache: true
verifyDigest: true
validationFailureAction: Enforce


@ -1,27 +1,32 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: tasks-simple
spec:
validationFailureAction: Enforce
admission: true
background: true
rules:
- name: verify-images
- imageExtractors:
Task:
- path: /spec/steps/*/image
match:
any:
- resources:
kinds:
- tekton.dev/v1beta1/Task
name: verify-images
preconditions:
- key: "{{request.operation}}"
operator: NotEquals
value: DELETE
imageExtractors:
Task:
- path: /spec/steps/*/image
all:
- key: '{{request.operation}}'
operator: NotEquals
value: DELETE
verifyImages:
- image: "*"
key: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
-----END PUBLIC KEY-----
- image: '*'
key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END
PUBLIC KEY----- "
mutateDigest: true
required: true
useCache: true
verifyDigest: true
validationFailureAction: Enforce


@ -4,26 +4,28 @@ kind: ClusterPolicy
metadata:
name: path-canonicalize
spec:
validationFailureAction: enforce
admission: true
background: false
rules:
- name: disallow-mount-containerd-sock
match:
resources:
kinds:
- Pod
- match:
any:
- resources:
kinds:
- Pod
name: disallow-mount-containerd-sock
validate:
foreach:
- list: "request.object.spec.volumes[]"
deny:
- deny:
conditions:
any:
- key: "{{ path_canonicalize(element.hostPath.path) }}"
- key: '{{ path_canonicalize(element.hostPath.path) }}'
operator: Equals
value: "/var/run/containerd/containerd.sock"
- key: "{{ path_canonicalize(element.hostPath.path) }}"
value: /var/run/containerd/containerd.sock
- key: '{{ path_canonicalize(element.hostPath.path) }}'
operator: Equals
value: "/run/containerd/containerd.sock"
- key: "{{ path_canonicalize(element.hostPath.path) }}"
value: /run/containerd/containerd.sock
- key: '{{ path_canonicalize(element.hostPath.path) }}'
operator: Equals
value: "\\var\\run\\containerd\\containerd.sock"
value: \var\run\containerd\containerd.sock
list: request.object.spec.volumes[]
validationFailureAction: Enforce


@ -1,16 +1,21 @@
apiVersion : kyverno.io/v1
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutate-pod-disable-automoutingapicred
spec:
admission: true
background: true
rules:
- name: pod-disable-automoutingapicred
match:
resources:
kinds:
- Pod
- match:
any:
- resources:
kinds:
- Pod
mutate:
patchStrategicMerge:
spec:
(serviceAccountName): "*"
(serviceAccountName): '*'
automountServiceAccountToken: false
name: pod-disable-automoutingapicred
validationFailureAction: Audit


@ -1,34 +1,36 @@
apiVersion : kyverno.io/v1
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: resolve-image
spec:
admission: true
background: false
rules:
- name: resolve-image-containers
match:
resources:
kinds:
- Pod
preconditions:
all:
- key: "{{request.operation}}"
operator: In
value:
- CREATE
- UPDATE
- match:
any:
- resources:
kinds:
- Pod
mutate:
foreach:
- list: "request.object.spec.containers"
context:
- name: dictionary
configMap:
# Name of the ConfigMap which will be looked up
name: some-config-map
# Namespace in which this ConfigMap is stored
namespace: some-namespace
- context:
- configMap:
name: some-config-map
namespace: some-namespace
name: dictionary
list: request.object.spec.containers
patchStrategicMerge:
spec:
containers:
- name: "{{ element.name }}"
image: "{{ dictionary.data.image }}"
- image: '{{ dictionary.data.image }}'
name: '{{ element.name }}'
name: resolve-image-containers
preconditions:
all:
- key: '{{request.operation}}'
operator: AllIn
value:
- CREATE
- UPDATE
validationFailureAction: Audit
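Review bot: The explanatory comments on the ConfigMap context (`# Name of the ConfigMap which will be looked up`, `# Namespace in which this ConfigMap is stored`) are lost in the rewritten rule; the fixer strips comments, and the same loss occurs for `# select images which end with :latest` and `# require that the imagePullPolicy is "Always"` in the image-pull-policy section, the kinds/name/selector comments in both validation-example2 sections, and `# Check allowed registries` in the check-registries section. These fixtures double as examples of the policy syntax, so either the comments should be restored after running the fixer or the files should be treated as generated and documented elsewhere.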


@ -1,40 +1,45 @@
apiVersion : kyverno.io/v1
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-cpu-memory
spec:
admission: true
background: true
rules:
- name: check-defined
match:
resources:
kinds:
- Deployment
- match:
any:
- resources:
kinds:
- Deployment
name: check-defined
validate:
message: "Resource limits are required for CPU and memory"
message: Resource limits are required for CPU and memory
pattern:
spec:
template:
spec:
containers:
- name: "?*"
- name: ?*
resources:
limits:
memory: "?*"
cpu: "?*"
- name: check-cpu
match:
resources:
kinds:
- Deployment
cpu: ?*
memory: ?*
- match:
any:
- resources:
kinds:
- Deployment
name: check-cpu
validate:
message: "CPU request should be less than 4"
message: CPU request should be less than 4
pattern:
spec:
template:
spec:
containers:
- name: "*"
- name: '*'
resources:
requests:
cpu: "<4m"
cpu: <4m
validationFailureAction: Audit
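Review bot: In the check-cpu rule the message `CPU request should be less than 4` disagrees with the pattern `cpu: <4m`, which compares the request against 4 millicores, so nearly any realistic request fails the rule. One of the two should change; if whole cores are meant, `cpu: <4` (or `<4000m`) matches the message. Both lines are untouched by this commit, which only reordered and unquoted them.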


@ -1,19 +1,24 @@
apiVersion : kyverno.io/v1
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-host-path
spec:
admission: true
background: true
rules:
- name: check-host-path
match:
resources:
kinds:
- Pod
- match:
any:
- resources:
kinds:
- Pod
name: check-host-path
validate:
message: "Host path is not allowed"
message: Host path is not allowed
pattern:
spec:
volumes:
- name: "*"
hostPath:
- hostPath:
path: ""
name: '*'
validationFailureAction: Audit


@ -1,22 +1,25 @@
apiVersion : kyverno.io/v1
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: image-pull-policy
spec:
admission: true
background: true
rules:
- name: image-pull-policy
match:
resources:
kinds:
- Deployment
- match:
any:
- resources:
kinds:
- Deployment
name: image-pull-policy
validate:
message: "Image tag ':latest' requires imagePullPolicy 'Always'"
message: Image tag ':latest' requires imagePullPolicy 'Always'
pattern:
spec:
template:
spec:
containers:
# select images which end with :latest
- (image): "*latest"
# require that the imagePullPolicy is "Always"
- (image): '*latest'
imagePullPolicy: Always
validationFailureAction: Audit


@ -1,26 +1,27 @@
apiVersion : kyverno.io/v1
kind : ClusterPolicy
metadata :
name : validation-example2
spec :
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: validation-example2
spec:
admission: true
background: true
rules:
- name: check-memory_requests_link_in_yaml
match:
resources:
# Kind specifies one or more resource types to match
- match:
any:
- resources:
kinds:
- Deployment
# Name is optional and can use wildcards
name: "*"
# Selector is optional
selector:
validate:
pattern:
spec:
containers:
- name: "*"
resources:
requests:
memory: "$(<=/spec/containers/0/resources/limits/memory)"
limits:
memory: "2048Mi"
- Deployment
name: '*'
name: check-memory_requests_link_in_yaml
validate:
pattern:
spec:
containers:
- name: '*'
resources:
limits:
memory: 2048Mi
requests:
memory: $(<=/spec/containers/0/resources/limits/memory)
validationFailureAction: Audit


@ -1,26 +1,27 @@
apiVersion : kyverno.io/v1
kind : ClusterPolicy
metadata :
name : validation-example2
spec :
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: validation-example2
spec:
admission: true
background: true
rules:
- name: check-memory_requests_link_in_yaml_relative
match:
resources:
# Kind specifies one or more resource types to match
- match:
any:
- resources:
kinds:
- Deployment
# Name is optional and can use wildcards
name: "*"
# Selector is optional
selector:
validate:
pattern:
spec:
containers:
- (name): "*"
resources:
requests:
memory: "$(<=./../../lim(its/mem)ory)"
lim(its:
mem)ory: "2048Mi"
- Deployment
name: '*'
name: check-memory_requests_link_in_yaml_relative
validate:
pattern:
spec:
containers:
- (name): '*'
resources:
lim(its:
mem)ory: 2048Mi
requests:
memory: $(<=./../../lim(its/mem)ory)
validationFailureAction: Audit


@ -1,34 +1,35 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-kernel
annotations:
policies.kyverno.io/title: Check Node for CVE-2022-0185
policies.kyverno.io/category: Other
policies.kyverno.io/severity: high
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.23"
policies.kyverno.io/subject: Node
policies.kyverno.io/description: >-
Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched.
The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2.
For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185.
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/category: Other
policies.kyverno.io/description: Linux CVE-2022-0185 can allow a container escape
in Kubernetes if left unpatched. The affected Linux kernel versions, at this
time, are 5.10.84-1 and 5.15.5-2. For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185.
This policy runs in background mode and flags an entry in the ClusterPolicyReport
if any Node is reporting one of the affected kernel versions.
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/severity: high
policies.kyverno.io/subject: Node
policies.kyverno.io/title: Check Node for CVE-2022-0185
name: check-kernel
spec:
validationFailureAction: audit
admission: true
background: true
rules:
- name: kernel-validate
match:
- match:
any:
- resources:
kinds:
- Node
- Node
name: kernel-validate
validate:
message: "Kernel is vulnerable to CVE-2022-0185."
message: Kernel is vulnerable to CVE-2022-0185.
pattern:
status:
nodeInfo:
kernelVersion: "!5.10.84-1 & !5.15.5-2"
kernelVersion: '!5.10.84-1 & !5.15.5-2'
validationFailureAction: Audit
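Review bot: The pattern `kernelVersion: '!5.10.84-1 & !5.15.5-2'` compares `status.nodeInfo.kernelVersion` against Debian package version strings, but that field carries the kernel's `uname -r` string (presumably of the form `5.10.0-10-amd64` on Debian), so the conjunction is likely always true and no node is ever flagged. A policy that never fails gives a misleadingly clean report for CVE-2022-0185, and the description still promises a kernel check. The values are unchanged by this commit; either the pattern should target the uname form of the affected kernels or the description should say what is actually compared.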


@ -1,16 +1,21 @@
apiVersion : kyverno.io/v1
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-node-port
spec:
admission: true
background: true
rules:
- name: check-node-port
match:
resources:
kinds:
- Service
- match:
any:
- resources:
kinds:
- Service
name: check-node-port
validate:
message: "NodePort type is not allowed"
message: NodePort type is not allowed
pattern:
spec:
type: "!NodePort"
type: '!NodePort'
validationFailureAction: Audit


@ -1,21 +1,26 @@
apiVersion : kyverno.io/v1
kind : ClusterPolicy
metadata :
name : check-non-root
spec :
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-non-root
spec:
admission: true
background: true
rules:
- name: check-non-root
match:
resources:
- match:
any:
- resources:
kinds:
- Deployment
- StatefuleSet
- DaemonSet
validate:
message: "Root user is not allowed"
pattern:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
name: check-non-root
validate:
message: Root user is not allowed
pattern:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
validationFailureAction: Audit
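Review bot: `StatefuleSet` in the `kinds:` list of the check-non-root rule is a typo for `StatefulSet`; no such kind exists, so the rule silently never evaluates StatefulSets and the `runAsNonRoot: true` requirement is applied only to Deployments and DaemonSets. The line is context in this hunk, so the gap survives the reformat; it should read `- StatefulSet`. A StatefulSet resource in the accompanying test would have caught this.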


@ -1,36 +1,42 @@
apiVersion : kyverno.io/v1
kind : ClusterPolicy
metadata :
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-probe-exists
spec:
admission: true
background: true
rules:
- name: check-liveness-probe-exists
match:
resources:
kinds :
- StatefulSet
- match:
any:
- resources:
kinds:
- StatefulSet
name: check-liveness-probe-exists
validate:
message: "a livenessProbe is required"
message: a livenessProbe is required
pattern:
spec:
template:
spec:
containers:
- name: "*"
livenessProbe:
periodSeconds: ">0"
- name: check-readiness-probe-exists
match:
resources:
kinds :
- StatefulSet
- livenessProbe:
periodSeconds: '>0'
name: '*'
- match:
any:
- resources:
kinds:
- StatefulSet
name: check-readiness-probe-exists
validate:
message: "a readinessProbe is required"
message: a readinessProbe is required
pattern:
spec:
template:
spec:
containers:
- name: "*"
- name: '*'
readinessProbe:
periodSeconds: ">0"
periodSeconds: '>0'
validationFailureAction: Audit


@ -1,36 +1,42 @@
apiVersion : kyverno.io/v1
kind : ClusterPolicy
metadata :
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-probe-intervals
spec:
admission: true
background: true
rules:
- name: check-probe-intervals
match:
resources:
kinds :
- Deployment
- match:
any:
- resources:
kinds:
- Deployment
name: check-probe-intervals
validate:
message: "livenessProbe must be > 10s"
message: livenessProbe must be > 10s
pattern:
spec:
template:
spec:
containers:
- name: "*"
livenessProbe:
periodSeconds: ">10"
- name: check-probe-intervals
match:
resources:
kinds :
- Deployment
- livenessProbe:
periodSeconds: '>10'
name: '*'
- match:
any:
- resources:
kinds:
- Deployment
name: check-probe-intervals
validate:
message: "readinessProbe must be > 10s"
message: readinessProbe must be > 10s
pattern:
spec:
template:
spec:
containers:
- name: "*"
readinessProbe:
periodSeconds: ">10"
- name: '*'
readinessProbe:
periodSeconds: '>10'
validationFailureAction: Audit
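Review bot: Both rules in this policy carry the same `name: check-probe-intervals`, and as far as I know Kyverno's policy validation rejects duplicate rule names within a policy, so this fixture may not even load. The duplicate predates this commit; the fixer only reordered the keys around it. Distinct names such as `check-liveness-probe-intervals` and `check-readiness-probe-intervals` would mirror the check-probe-exists fixture above and make per-rule results readable.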


@ -1,22 +1,26 @@
apiVersion : kyverno.io/v1
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-registries
spec:
admission: true
background: true
rules:
- name: check-registries
match:
resources:
kinds:
- Deployment
- StatefulSet
- match:
any:
- resources:
kinds:
- Deployment
- StatefulSet
name: check-registries
validate:
message: "Registry is not allowed"
message: Registry is not allowed
pattern:
spec:
template:
spec:
containers:
- name: "*"
# Check allowed registries
image: "*/nirmata/* | https://private.registry.io/*"
- image: '*/nirmata/* | https://private.registry.io/*'
name: '*'
validationFailureAction: Audit
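Review bot: The second alternative in `image: '*/nirmata/* | https://private.registry.io/*'` can never match: container image references carry no URL scheme, so a Pod pulling from `private.registry.io/...` is rejected by a policy that is meant to allow it; it should read `private.registry.io/*`. The first alternative, `*/nirmata/*`, pins a repository path rather than a registry, so any host serving a `nirmata/` repository satisfies a check whose message says `Registry is not allowed`. Neither line is changed by this commit, and the dropped `# Check allowed registries` comment was the only hint of the intent.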