update policies and test cases

pkg/testrunner/testrunner_test.go

@@ -36,10 +36,6 @@ func Test_validate_require_image_tag_not_latest_pass(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/disallow_latest_tag_pass.yaml")
 }
 
-func Test_validate_restrict_automount_sa_token_pass(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/restrict_automount_sa_token.yaml")
-}
-
 func Test_validate_disallow_default_namespace(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/disallow_default_namespace.yaml")
 }
@@ -60,10 +56,6 @@ func Test_add_ns_quota(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/add_ns_quota.yaml")
 }
 
-func Test_validate_disallow_node_port(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/restrict_node_port.yaml")
-}
-
 func Test_validate_disallow_default_serviceaccount(t *testing.T) {
 	testScenario(t, "test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml")
 }
@@ -80,10 +72,6 @@ func Test_validate_volume_whitelist(t *testing.T) {
 	testScenario(t, "test/scenarios/other/scenario_validate_volume_whiltelist.yaml")
 }
 
-func Test_validate_restrict_image_registries(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/restrict_image_registries.yaml")
-}
-
 func Test_require_pod_requests_limits(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/require_pod_requests_limits.yaml")
 }
@@ -124,10 +112,22 @@ func Test_add_safe_to_evict_annotation2(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/add_safe_to_evict2.yaml")
 }
 
+func Test_validate_restrict_automount_sa_token_pass(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/more/restrict_automount_sa_token.yaml")
+}
+
+func Test_restrict_node_port(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/more/restrict_node_port.yaml")
+}
+
+func Test_validate_restrict_image_registries(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/more/restrict_image_registries.yaml")
+}
+
 func Test_known_ingress(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_known_ingress_class.yaml")
+	testScenario(t, "test/scenarios/samples/more/restrict_ingress_classes.yaml")
 }
 
 func Test_unknown_ingress(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_unknown_ingress_class.yaml")
+	testScenario(t, "test/scenarios/samples/more/unknown_ingress_class.yaml")
 }

samples/KnownIngressClass.md

@@ -1,29 +0,0 @@
-# Require a known ingress class
-
-It can be useful to restrict Ingress resources to use a known ingress class that are allowed in the cluster.
-
-You can customize this policy to allow ingress classes that are configured in the cluster.
-
-## Policy YAML 
-
-[known_ingress.yaml](best_practices/known_ingress.yaml) 
-
-````yaml
-apiVersion : kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: known-ingress
-spec:
-  rules:
-  - name: known-ingress
-    match:
-      resources:
-        kinds:
-        - Ingress
-    validate:
-      message: "Unknown ingress class"
-      pattern:
-        metadata:
-          annotations:
-            kubernetes.io/ingress.class: "F5 | nginx"
-````

samples/README.md

@@ -61,4 +61,4 @@ The policies provide additional best practices and are worthy of close considera
 17. [Restrict image registries](RestrictImageRegistries.md)
 18. [Restrict `NodePort` services](RestrictNodePort.md)
 19. [Restrict auto-mount of service account credentials](RestrictAutomountSAToken.md)
-20. [Restrict ingress classes](KnownIngressClass.md)
+20. [Restrict ingress classes](RestrictIngressClasses.md)

samples/RestrictIngressClasses.md

@@ -0,0 +1,27 @@
+# Restrict ingress classes
+
+It can be useful to restrict Ingress resources to a set of known ingress classes that are allowed in the cluster. You can customize this policy to allow ingress classes that are configured in the cluster.
+
+## Policy YAML 
+
+[restrict_ingress_classes.yaml](best_practices/restrict_ingress_classes.yaml) 
+
+````yaml
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: restrict-ingress-classes
+spec:
+  rules:
+  - name: validate-ingress
+    match:
+      resources:
+        kinds:
+        - Ingress
+    validate:
+      message: "Unknown ingress class"
+      pattern:
+        metadata:
+          annotations:
+            kubernetes.io/ingress.class: "F5 | nginx"
+````

samples/more/policy_validate_container_capabilities.yaml

@@ -1,24 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-container-capablities
-  annotations:
-    policies.kyverno.io/category: Security Context
-    policies.kyverno.io/description: Linux divides the privileges traditionally associated with 
-      superuser into distinct units, known as capabilities, which can be independently enabled 
-      or disabled by listing them in 'securityContext.capabilites'.
-spec:
-  rules:
-  - name: validate-container-capablities
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "Allow certain linux capability"
-      pattern:
-        spec:
-          containers:
-          - securityContext:
-              capabilities:
-                add: ["NET_ADMIN"]

samples/more/policy_validate_sysctl_configs.yaml

@@ -1,26 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-allow-portrange-with-sysctl
-  annotations:
-    policies.kyverno.io/category: Security Context
-    policies.kyverno.io/description: The Sysctl interface allows to modify kernel parameters at 
-      runtime and in the pod can be specified under 'securityContext.sysctls'. If kernel parameters  
-      in the pod are to be modified, should be handled cautiously, and policy with rules restricting 
-      these options will be helpful. We can control minimum and maximum port that a network connection 
-      can use as its source(local) port by checking 'net.ipv4.ip_local_port_range'.
-spec:
-  rules:
-  - name: allow-portrange-with-sysctl
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "Allowed port range is from 1024 to 65535"
-      pattern:
-        spec:
-          securityContext:
-            sysctls: 
-            - name: net.ipv4.ip_local_port_range
-              value: "1024 65535"

samples/more/policy_validate_user_group_fsgroup_id.yaml

@@ -1,48 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-userid-groupid-fsgroup
-  annotations:
-    policies.kyverno.io/category: Security Context
-    policies.kyverno.io/description: All processes inside the pod can be made to run with specific user 
-      and groupID by setting 'runAsUser' and 'runAsGroup' respectively. 'fsGroup' can be specified 
-      to make sure any file created in the volume with have the specified groupID. These options can be 
-      used to validate the IDs used for user and group.
-spec:
-  rules:
-  - name: validate-userid
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "User ID should be 1000"
-      pattern:
-        spec:
-          securityContext:
-            runAsUser: 1000
-  - name: validate-groupid
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "Group ID should be 3000"
-      pattern:
-        spec:
-          securityContext:
-            runAsGroup: 3000
-  - name: validate-fsgroup
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "fsgroup should be 2000"
-      pattern:
-        spec:
-          securityContext:
-            fsGroup: 2000
-# Alls processes inside the pod can be made to run with specific user and groupID by setting runAsUser and runAsGroup respectively.
-# fsGroup can be specified to make sure any file created in the volume with have the specified groupID.
-# The above parameters can also be used in a validate policy to restrict user & group IDs.

samples/more/restrict_ingress_classes.yaml

@@ -1,13 +1,15 @@
 apiVersion : kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: known-ingress
+  name: restrict-ingress-classes
   annotations:
     policies.kyverno.io/category: Ingress
-    policies.kyverno.io/description: 
+    policies.kyverno.io/description: It can be useful to restrict Ingress resources to a set of 
+      known ingress classes that are allowed in the cluster. You can customize this policy to 
+      allow ingress classes that are configured in the cluster.
 spec:
   rules:
-  - name: known-ingress
+  - name: validate-ingress
     match:
       resources:
         kinds:

test/scenarios/samples/more/restrict_automount_sa_token.yaml

@@ -1,6 +1,6 @@
 # file path relative to project root
 input:
-  policy: samples/best_practices/restrict_automount_sa_token.yaml
+  policy: samples/more/restrict_automount_sa_token.yaml
   resource: test/resources/disallow_automountingapicred.yaml
 expected:
   validation:

test/scenarios/samples/more/restrict_image_registries.yaml

@@ -1,6 +1,6 @@
 # file path relative to project root
 input:
-  policy: samples/best_practices/restrict_image_registries.yaml
+  policy: samples/more/restrict_image_registries.yaml
   resource: test/resources//trusted_image_registries.yaml
 expected:
   validation:

test/scenarios/samples/more/restrict_ingress_classes.yaml

@@ -1,18 +1,17 @@
 # file path relative to project root
 input:
-  policy: samples/best_practices/known_ingress.yaml
+  policy: samples/more/restrict_ingress_classes.yaml
   resource: test/resources/ingress-nginx.yaml
 expected:
   validation:
     policyresponse:
-      policy: known-ingress
+      policy: restrict-ingress-classes
       resource:
         kind: Ingress
         apiVersion: v1
         namespace: ''
         name: test-ingress
       rules:
-        - name: known-ingress
+        - name: validate-ingress
           type: Validation
-          message: Validation rule 'known-ingress' succeeded.
           success: true

test/scenarios/samples/more/restrict_node_port.yaml

@@ -1,5 +1,5 @@
 input:
-  policy: samples/best_practices/restrict_node_port.yaml
+  policy: samples/more/restrict_node_port.yaml
   resource: test/resources/disallow_node_port.yaml
 expected:
   validation:

test/scenarios/samples/more/unknown_ingress_class.yaml

@@ -1,18 +1,17 @@
 # file path relative to project root
 input:
-  policy: samples/best_practices/known_ingress.yaml
+  policy: samples/more/restrict_ingress_classes.yaml
   resource: test/resources/ingress-haproxy.yaml
 expected:
   validation:
     policyresponse:
-      policy: known-ingress
+      policy: restrict-ingress-classes
       resource:
         kind: Ingress
         apiVersion: v1
         namespace: ''
         name: test-ingress
       rules:
-        - name: known-ingress
+        - name: validate-ingress
           type: Validation
-          message: "Validation error: Unknown ingress class\nValidation rule 'known-ingress' failed at path '/metadata/annotations/kubernetes.io/ingress.class/'."
           success: false