Merge branch '451_fix_disallow_host_net_port' into 452_make_sample_policy_rule_names_consistent

# Conflicts: # samples/best_practices/disallow_host_network_hostport.yaml # test/scenarios/samples/best_practices/disallow_host_network_port.yaml
2025-03-29 10:55:05 +00:00 · 2019-11-10 17:35:43 -08:00 · 2019-11-10 17:35:43 -08:00 · 7f54e8e2e3
commit 7f54e8e2e3
parent 20736e5e81 0fa95d71d0
4 changed files with 26 additions and 10 deletions
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@ -61,7 +61,7 @@ func Test_validate_require_namespace_quota(t *testing.T) {
 }

 func Test_validate_disallow_node_port(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_node_port.yaml")
+	testScenario(t, "test/scenarios/samples/best_practices/disallow_node_port.yaml")
 }

 func Test_validate_disallow_default_serviceaccount(t *testing.T) {
--- a/samples/best_practices/disallow_host_network_port.yaml
+++ b/samples/best_practices/disallow_host_network_port.yaml
@ -1,20 +1,33 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: disallow-host-network-port
+  name: host-network-port
+  annotations:
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/description: Using 'hostPort' and 'hostNetwork' allows pods to share 
+      the host network stack, allowing potential snooping of network traffic from an application pod.
 spec:
  rules:
-  - name: validate-host-network-port
+  - name: validate-host-network
    match:
      resources:
        kinds:
        - Pod
    validate:
-      message: "Using host networking is not allowed"
+      message: "Use of hostNetwork is not allowed"
+      pattern:
+        spec:
+          =(hostNetwork): false
+  - name: validate-host-port
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Use of hostPort is not allowed"
      pattern:
        spec:
-          (hostNetwork): false
          containers:
          - name: "*"
-            ports:
-            - hostPort: null
+            =(ports):
+              - X(hostPort): null
--- a/test/scenarios/samples/best_practices/disallow_host_network_port.yaml
+++ b/test/scenarios/samples/best_practices/disallow_host_network_port.yaml
@ -5,13 +5,16 @@ input:
 expected:
  validation:
    policyresponse:
-      policy: validate-host-network-hostport
+      policy: host-network-port
      resource:
        kind: Pod
        apiVersion: v1
        namespace: ''
        name: "nginx-host-network"
      rules:
-        - name: validate-host-network-port
+        - name: validate-host-network
          type: Validation
-          success: false   
+          success: true   
+        - name: validate-host-port
+          type: Validation
+          success: false             
--- a/test/scenarios/samples/best_practices/scenario_validate_/disallow_node_port.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_/disallow_node_port.yaml