From 87d9cdd9dd10d2f370612d629b86654a2f8ac2bb Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Mon, 7 Oct 2019 12:46:34 -0700
Subject: [PATCH] best practice: volume white list

---
 examples/best_practices/README.md | 3 +-
 .../policy_validate_volume_whitelist.yaml | 34 +++++++++++++++++++
 .../resource_validate_volume_whitelist.yaml | 18 ++++++++++
 pkg/testrunner/testrunner_test.go | 4 +++
 .../scenario_validate_volume_whiltelist.yaml | 19 +++++++++++
 5 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 examples/best_practices/policy_validate_volume_whitelist.yaml
 create mode 100644 examples/best_practices/resources/resource_validate_volume_whitelist.yaml
 create mode 100644 test/scenarios/test/scenario_validate_volume_whiltelist.yaml

diff --git a/examples/best_practices/README.md b/examples/best_practices/README.md
index d7f7a965ce..ca06f79fcc 100644
--- a/examples/best_practices/README.md
+++ b/examples/best_practices/README.md
@@ -23,4 +23,5 @@
 | Require SELinux level of the container | [policy_validate_selinux_context.yaml](policy_validate_selinux_context.yaml) |
 | Allow default Proc Mount type | [policy_validate_default_proc_mount.yaml](policy_validate_default_proc_mount.yaml) |
 | Allow certain capability to be added | [policy_validate_container_capabilities.yaml](policy_validate_container_capabilities.yaml) |
-| Allow local tcp/udp port range | [policy_validate_sysctl_configs.yaml](policy_validate_sysctl_configs.yaml) |
\ No newline at end of file
+| Allow local tcp/udp port range | [policy_validate_sysctl_configs.yaml](policy_validate_sysctl_configs.yaml) |
+| Allowed volume plugins | [policy_validate_volume_whitelist.yaml](policy_validate_volume_whitelist.yaml) |
\ No newline at end of file
diff --git a/examples/best_practices/policy_validate_volume_whitelist.yaml b/examples/best_practices/policy_validate_volume_whitelist.yaml
new file mode 100644
index 0000000000..f5bbcb5307
--- /dev/null
+++ b/examples/best_practices/policy_validate_volume_whitelist.yaml
@@ -0,0 +1,34 @@
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: validate-volumes-whitelist
+spec:
+ validationFailureAction: "audit"
+ rules:
+ - name: validate-volumes-whitelist
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Volumes white list"
+ anyPattern:
+ - spec:
+ volumes:
+ - hostPath: "*"
+ - spec:
+ volumes:
+ - emptyDir: "*"
+ - spec:
+ volumes:
+ - configMap: "*"
+ # pattern:
+ # spec:
+ # ^(volumes):
+ # - hostPath: "*"
+ # - emptyDir: "*"
+ # - configMap: "*"
+
+
+
+
diff --git a/examples/best_practices/resources/resource_validate_volume_whitelist.yaml b/examples/best_practices/resources/resource_validate_volume_whitelist.yaml
new file mode 100644
index 0000000000..f6fcbfe21c
--- /dev/null
+++ b/examples/best_practices/resources/resource_validate_volume_whitelist.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-volumes
+spec:
+ containers:
+ - name: container-with-configmap
+ image: busybox
+ volumeMounts:
+ - name: cache-vol
+ mountPath: /cache
+ volumes:
+ - name: cache-vol
+ configMap:
+ name: log-config
+ items:
+ - key: log_level
+ path: log_level
\ No newline at end of file
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index e0d03810ff..f4e15af29c 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -131,3 +131,7 @@ func Test_validate_container_capabilities(t *testing.T) {
 func Test_validate_disallow_sysctl(t *testing.T) {
 testScenario(t, "test/scenarios/test/scenario_validate_sysctl_configs.yaml")
 }
+
+func Test_validate_volume_whitelist(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_volume_whiltelist.yaml")
+}
diff --git a/test/scenarios/test/scenario_validate_volume_whiltelist.yaml b/test/scenarios/test/scenario_validate_volume_whiltelist.yaml
new file mode 100644
index 0000000000..187911c667
--- /dev/null
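Review bot: The `anyPattern` list in policy_validate_volume_whitelist.yaml admits `hostPath: "*"` as an allowed volume plugin, and for a "best practice" allow-list that is the entry most worth leaving out: an unconstrained hostPath mount exposes the node filesystem to the pod, and the commented-out `^(volumes)` variant carries the same entry. Unless hostPath is deliberately permitted in this example, drop it or constrain it, e.g. replace `- hostPath: "*"` with a `hostPath:` entry whose `path` is restricted to a pattern. Each of the three alternatives also names a single volume type, so as far as I can tell from these patterns a pod that mixes configMap and emptyDir volumes would satisfy none of them — worth a comment if that is intended, or a combined pattern if mixed pods should pass. Since `validationFailureAction: "audit"` only reports, a short note in the README row or in `message` saying the action must be `enforce` to block non-listed plugins would help readers copying the example.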
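Review bot: The scenario path passed in `Test_validate_volume_whitelist`, `test/scenarios/test/scenario_validate_volume_whiltelist.yaml`, spells `whiltelist` where every other new file in this patch uses `whitelist`; the new scenario file repeats the misspelling, so renaming the file and changing the string to `"test/scenarios/test/scenario_validate_volume_whitelist.yaml"` keeps the names consistent. The scenario it loads covers only a pod that passes; a second scenario with a volume type outside the three listed plugins would show that the allow-list actually reports a violation rather than only confirming the positive case.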
+++ b/test/scenarios/test/scenario_validate_volume_whiltelist.yaml
@@ -0,0 +1,19 @@
+
+# file path relative to project root
+input:
+ policy: examples/best_practices/policy_validate_volume_whitelist.yaml
+ resource: examples/best_practices/resources/resource_validate_volume_whitelist.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: validate-volumes-whitelist
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: test-volumes
+ rules:
+ - name: validate-volumes-whitelist
+ type: Validation
+ message: "Validation rule 'validate-volumes-whitelist' anyPattern[2] succesfully validated"
+ success: true
\ No newline at end of file
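Review bot: The expected `message` in this scenario contains `succesfully`; if that mirrors the engine's literal output the expectation has to keep it for the test to pass, but then the misspelling is in user-visible policy output and should be corrected at its source together with this line. A one-line comment above `message:` noting that the string is matched verbatim against the engine would stop a later contributor from "fixing" only one side.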