feat: add chainsaw tests for pod security in exceptions (#9667)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
parent
ba01f95266
commit
ace5b59003
117 changed files with 2594 additions and 0 deletions
|
@ -0,0 +1,12 @@
|
|||
## Description
|
||||
|
||||
This test creates a policy that enforces the baseline profile and a policy exception that exempts any pod whose namespace is `staging-ns` and make use of the HostPath volume.
|
||||
|
||||
## Steps
|
||||
|
||||
1. - Create a cluster policy
|
||||
- Assert the policy becomes ready
|
||||
1. - Create a policy exception for the cluster policy created above.
|
||||
1. - Try to create a pod named `good-pod-1` in the `default` namespace and doesn't use the HostPath volume, expecting the creation to succeed.
|
||||
- Try to create a pod named `good-pod-2` in the `staging-ns` namespace that uses the HostPath volume, expecting the creation to succeed.
|
||||
- Try to create a pod named `bad-pod` in the `default` namespace that makes use of the HostPath volume, expecting the creation to fail.
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: exclude-hostpath-volume
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: ns.yaml
|
||||
- assert:
|
||||
file: ns.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- apply:
|
||||
file: exception.yaml
|
||||
- name: step-04
|
||||
try:
|
||||
- apply:
|
||||
file: pod-allowed-1.yaml
|
||||
- apply:
|
||||
file: pod-allowed-2.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-rejected.yaml
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: pod-security-exception
|
||||
namespace: policy-exception-ns
|
||||
spec:
|
||||
exceptions:
|
||||
- policyName: psa
|
||||
ruleNames:
|
||||
- baseline
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- staging-ns
|
||||
podSecurity:
|
||||
- controlName: "HostPath Volumes"
|
||||
restrictedField: "spec.volumes[*].hostPath"
|
||||
values:
|
||||
- "path"
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: policy-exception-ns
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: staging-ns
|
|
@ -0,0 +1,12 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod-1
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
|
@ -0,0 +1,16 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod-2
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
volumes:
|
||||
- name: host
|
||||
hostPath:
|
||||
path: /var/lib1
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
|
@ -0,0 +1,16 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod
|
||||
namespace: default
|
||||
spec:
|
||||
volumes:
|
||||
- name: host
|
||||
hostPath:
|
||||
path: /var/lib1
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: psa
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: psa
|
||||
spec:
|
||||
background: true
|
||||
validationFailureAction: Enforce
|
||||
rules:
|
||||
- name: baseline
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
podSecurity:
|
||||
level: baseline
|
||||
version: latest
|
|
@ -0,0 +1,13 @@
|
|||
## Description
|
||||
|
||||
This test creates a policy that enforces the restricted profile and a policy exception that exempts any pod whose image is `nginx` in the `staging-ns` namespace and sets the `allowPrivilegeEscalation` field.
|
||||
|
||||
## Steps
|
||||
|
||||
1. - Create a cluster policy
|
||||
- Assert the policy becomes ready
|
||||
1. - Create a policy exception for the cluster policy created above.
|
||||
1. - Try to create a pod named `good-pod-1` with `allowPrivilegeEscalation` set to `false` in the `default` namespace, expecting the creation to succeed.
|
||||
- Try to create a pod named `good-pod-2` whose image is `nginx` in the `staging-ns` namespace and the `allowPrivilegeEscalation` is set to `true`, expecting the creation to succeed.
|
||||
- Try to create a pod named `bad-pod-1` whose image is `busybox` in the `staging-ns` namespace and the `allowPrivilegeEscalation` is set to `true`, expecting the creation to fail.
|
||||
- Try to create a pod named `bad-pod-2` whose image is `nginx` in the `default` namespace and the `allowPrivilegeEscalation` is set to `true`, expecting the creation to fail.
|
|
@ -0,0 +1,39 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: exclude-privilege-escalation
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: ns.yaml
|
||||
- assert:
|
||||
file: ns.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- apply:
|
||||
file: exception.yaml
|
||||
- name: step-04
|
||||
try:
|
||||
- apply:
|
||||
file: pod-allowed-1.yaml
|
||||
- apply:
|
||||
file: pod-allowed-2.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-rejected-1.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-rejected-2.yaml
|
|
@ -0,0 +1,28 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: pod-security-exception
|
||||
namespace: policy-exception-ns
|
||||
spec:
|
||||
exceptions:
|
||||
- policyName: psa
|
||||
ruleNames:
|
||||
- restricted
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- staging-ns
|
||||
podSecurity:
|
||||
- controlName: "Privilege Escalation"
|
||||
images:
|
||||
- nginx
|
||||
restrictedField: "spec.containers[*].securityContext.allowPrivilegeEscalation"
|
||||
values:
|
||||
- "true"
|
||||
- controlName: "Privilege Escalation"
|
||||
images:
|
||||
- nginx
|
||||
restrictedField: "spec.initContainers[*].securityContext.allowPrivilegeEscalation"
|
||||
values:
|
||||
- "true"
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: policy-exception-ns
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: staging-ns
|
|
@ -0,0 +1,34 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod-1
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -0,0 +1,34 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod-2
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: true
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: true
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -0,0 +1,34 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-1
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: busybox1
|
||||
image: busybox
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: true
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
initContainers:
|
||||
- name: busybox2
|
||||
image: busybox
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: true
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -0,0 +1,34 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-2
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: true
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: true
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: psa
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: psa
|
||||
spec:
|
||||
background: true
|
||||
validationFailureAction: Enforce
|
||||
rules:
|
||||
- name: restricted
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
podSecurity:
|
||||
level: restricted
|
||||
version: latest
|
|
@ -0,0 +1,14 @@
|
|||
## Description
|
||||
|
||||
This test creates a policy that enforces the baseline profile and a policy exception that exempts any pod whose image is `nginx` in the `staging-ns` namespace and sets the `securityContext.privileged` field in containers and initContainers only.
|
||||
|
||||
## Steps
|
||||
|
||||
1. - Create a cluster policy
|
||||
- Assert the policy becomes ready
|
||||
1. - Create a policy exception for the cluster policy created above.
|
||||
1. - Try to create a pod named `good-pod-1` with `securityContext.privileged` set to `false` in the `default` namespace, expecting the creation to succeed.
|
||||
- Try to create a pod named `good-pod-2` whose image is `nginx` in the `staging-ns` namespace and the `securityContext.privileged` is set to `true` in containers and initContainers, expecting the creation to succeed.
|
||||
- Try to create a pod named `bad-pod-1` whose image is `nginx` in the `staging-ns` namespace and the `securityContext.privileged` is set to `true` in containers, initContainers and ephemeralContainers, expecting the creation to fail.
|
||||
- Try to create a pod named `bad-pod-2` whose image is `busybox` in the `staging-ns` namespace and the `securityContext.privileged` is set to `true` in containers and initContainers, expecting the creation to fail.
|
||||
- Try to create a pod named `bad-pod-3` whose image is `nginx` in the `default` namespace and the `securityContext.privileged` is set to `true`, expecting the creation to fail.
|
|
@ -0,0 +1,44 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: exclude-privileged-containers
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: ns.yaml
|
||||
- assert:
|
||||
file: ns.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- apply:
|
||||
file: exception.yaml
|
||||
- name: step-04
|
||||
try:
|
||||
- apply:
|
||||
file: pod-allowed-1.yaml
|
||||
- apply:
|
||||
file: pod-allowed-2.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-rejected-1.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-rejected-2.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-rejected-3.yaml
|
|
@ -0,0 +1,28 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: pod-security-exception
|
||||
namespace: policy-exception-ns
|
||||
spec:
|
||||
exceptions:
|
||||
- policyName: psa
|
||||
ruleNames:
|
||||
- baseline
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- staging-ns
|
||||
podSecurity:
|
||||
- controlName: "Privileged Containers"
|
||||
images:
|
||||
- nginx
|
||||
restrictedField: "spec.containers[*].securityContext.privileged"
|
||||
values:
|
||||
- "true"
|
||||
- controlName: "Privileged Containers"
|
||||
images:
|
||||
- nginx
|
||||
restrictedField: "spec.initContainers[*].securityContext.privileged"
|
||||
values:
|
||||
- "true"
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: policy-exception-ns
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: staging-ns
|
|
@ -0,0 +1,14 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod-1
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- "3000"
|
||||
securityContext:
|
||||
privileged: false
|
|
@ -0,0 +1,22 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod-2
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- "3000"
|
||||
securityContext:
|
||||
privileged: true
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- "3000"
|
||||
securityContext:
|
||||
privileged: true
|
|
@ -0,0 +1,30 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-1
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
privileged: true
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
privileged: true
|
||||
ephemeralContainers:
|
||||
- name: nginx3
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
privileged: true
|
|
@ -0,0 +1,22 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-2
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: busybox1
|
||||
image: busybox
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
privileged: true
|
||||
initContainers:
|
||||
- name: busybox2
|
||||
image: busybox
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
privileged: true
|
|
@ -0,0 +1,23 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-3
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
privileged: true
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
windowsOptions:
|
||||
hostProcess: true
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: psa
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: psa
|
||||
spec:
|
||||
background: true
|
||||
validationFailureAction: Enforce
|
||||
rules:
|
||||
- name: baseline
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
podSecurity:
|
||||
level: baseline
|
||||
version: latest
|
|
@ -0,0 +1,17 @@
|
|||
## Description
|
||||
|
||||
This test creates a policy that enforces the restricted profile and a policy exception that exempts any pod whose image is `nginx` in the `staging-ns` namespace and fields:
|
||||
1. `spec.containers[*].securityContext.capabilities.add` is set to `foo`.
|
||||
2. `spec.initContainers[*].securityContext.capabilities.add` is set to `baz`.
|
||||
|
||||
## Steps
|
||||
|
||||
1. - Create a cluster policy
|
||||
- Assert the policy becomes ready
|
||||
1. - Create a policy exception for the cluster policy created above.
|
||||
1. - Try to create a pod named `good-pod-1` in the `default` namespace with `spec.containers[*].securityContext.capabilities.add` set to `NET_BIND_SERVICE`, expecting the creation to succeed.
|
||||
- Try to create a pod named `good-pod-2` whose image is `nginx` in the `staging-ns` namespace with `spec.containers[*].securityContext.capabilities.add` set to `foo` and `spec.initContainers[*].securityContext.capabilities.add` set to `baz`, expecting the creation to succeed.
|
||||
- Try to create a pod named `bad-pod-1` whose image is `nginx` in the `staging-ns` namespace with `spec.containers[*].securityContext.capabilities.add` set to `baz` and `spec.initContainers[*].securityContext.capabilities.add` set to `foo`, expecting the creation to fail.
|
||||
- Try to create a pod named `bad-pod-2` whose image is `busybox` in the `staging-ns` namespace with `spec.containers[*].securityContext.capabilities.add` set to `foo` and `spec.initContainers[*].securityContext.capabilities.add` set to `baz`, expecting the creation to fail.
|
||||
- Try to create a pod named `bad-pod-3` whose image is `nginx` in the `staging-ns` namespace with `spec.containers[*].securityContext.capabilities.add` set to `foo` and `spec.ephemeralContainers[*].securityContext.capabilities.add` set to `baz`, expecting the creation to fail.
|
||||
- Try to create a pod named `bad-pod-4` whose image is `nginx` in the `default` namespace with `spec.containers[*].securityContext.capabilities.add` set to `foo` and `spec.initContainers[*].securityContext.capabilities.add` set to `baz`, expecting the creation to fail.
|
|
@ -0,0 +1,49 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: exclude-restricted-capabilities
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: ns.yaml
|
||||
- assert:
|
||||
file: ns.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- apply:
|
||||
file: exception.yaml
|
||||
- name: step-04
|
||||
try:
|
||||
- apply:
|
||||
file: pod-allowed-1.yaml
|
||||
- apply:
|
||||
file: pod-allowed-2.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-rejected-1.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-rejected-2.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-rejected-3.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-rejected-4.yaml
|
|
@ -0,0 +1,29 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: pod-security-exception
|
||||
namespace: policy-exception-ns
|
||||
spec:
|
||||
exceptions:
|
||||
- policyName: psa
|
||||
ruleNames:
|
||||
- restricted
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- staging-ns
|
||||
podSecurity:
|
||||
- controlName: "Capabilities"
|
||||
images:
|
||||
- nginx
|
||||
restrictedField: "spec.containers[*].securityContext.capabilities.add"
|
||||
values:
|
||||
- "foo"
|
||||
- controlName: "Capabilities"
|
||||
images:
|
||||
- nginx
|
||||
restrictedField: "spec.initContainers[*].securityContext.capabilities.add"
|
||||
values:
|
||||
- "baz"
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: policy-exception-ns
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: staging-ns
|
|
@ -0,0 +1,36 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod-1
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
add:
|
||||
- NET_BIND_SERVICE
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -0,0 +1,38 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod-2
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
add:
|
||||
- foo
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
add:
|
||||
- baz
|
|
@ -0,0 +1,38 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-1
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
add:
|
||||
- baz
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
add:
|
||||
- foo
|
|
@ -0,0 +1,38 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-2
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: busybox1
|
||||
image: busybox
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
add:
|
||||
- foo
|
||||
initContainers:
|
||||
- name: busybox2
|
||||
image: busybox
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
add:
|
||||
- baz
|
|
@ -0,0 +1,38 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-3
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
add:
|
||||
- foo
|
||||
ephemeralContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
add:
|
||||
- baz
|
|
@ -0,0 +1,36 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-4
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
add:
|
||||
- foo
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: psa
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: psa
|
||||
spec:
|
||||
background: true
|
||||
validationFailureAction: Enforce
|
||||
rules:
|
||||
- name: restricted
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
podSecurity:
|
||||
level: restricted
|
||||
version: latest
|
|
@ -0,0 +1,14 @@
|
|||
## Description
|
||||
|
||||
This test creates a policy that enforces the restricted profile and a policy exception that exempts any pod whose image is `nginx` in the `staging-ns` namespace and sets the `spec.containers[*].securityContext.seccompProfile.type` to `Unconfined`.
|
||||
|
||||
## Steps
|
||||
|
||||
1. - Create a cluster policy
|
||||
- Assert the policy becomes ready
|
||||
1. - Create a policy exception for the cluster policy created above.
|
||||
1. - Try to create a pod named `good-pod-1` in the `default` namespace that doesn't violate the restricted profile, expecting the creation to succeed.
|
||||
- Try to create a pod named `good-pod-2` whose image is `nginx` in the `staging-ns` namespace and the `spec.containers[*].securityContext.seccompProfile.type` is set to `Unconfined`, expecting the creation to succeed.
|
||||
- Try to create a pod named `bad-pod-1` whose image is `busybox` in the `staging-ns` namespace and the `spec.containers[*].securityContext.seccompProfile.type` is set to `Unconfined`, expecting the creation to fail.
|
||||
- Try to create a pod named `bad-pod-2` whose image is `nginx` in the `staging-ns` namespace and the `spec.initContainers[*].securityContext.seccompProfile.type` is set to `Unconfined`, expecting the creation to fail.
|
||||
- Try to create a pod named `bad-pod-3` whose image is `nginx` in the `default` namespace and the `spec.containers[*].securityContext.seccompProfile.type` is set to `Unconfined`, expecting the creation to fail.
|
|
@ -0,0 +1,44 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: exclude-restricted-seccomp
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: ns.yaml
|
||||
- assert:
|
||||
file: ns.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- apply:
|
||||
file: exception.yaml
|
||||
- name: step-04
|
||||
try:
|
||||
- apply:
|
||||
file: pod-allowed-1.yaml
|
||||
- apply:
|
||||
file: pod-allowed-2.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-rejected-1.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-rejected-2.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-rejected-3.yaml
|
|
@ -0,0 +1,22 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: pod-security-exception
|
||||
namespace: policy-exception-ns
|
||||
spec:
|
||||
exceptions:
|
||||
- policyName: psa
|
||||
ruleNames:
|
||||
- restricted
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- staging-ns
|
||||
podSecurity:
|
||||
- controlName: "Seccomp"
|
||||
images:
|
||||
- nginx
|
||||
restrictedField: "spec.containers[*].securityContext.seccompProfile.type"
|
||||
values:
|
||||
- "Unconfined"
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: policy-exception-ns
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: staging-ns
|
|
@ -0,0 +1,37 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod-1
|
||||
namespace: default
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod-2
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: Unconfined
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-1
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: busybox
|
||||
image: busybox
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: Unconfined
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -0,0 +1,34 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-2
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: Unconfined
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
initContainers:
|
||||
- name: nginx
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: Unconfined
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-3
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: Unconfined
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: psa
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: psa
|
||||
spec:
|
||||
background: true
|
||||
validationFailureAction: Enforce
|
||||
rules:
|
||||
- name: restricted
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
podSecurity:
|
||||
level: restricted
|
||||
version: latest
|
|
@ -0,0 +1,14 @@
|
|||
## Description
|
||||
|
||||
This test creates a policy that enforces the restricted profile and a policy exception that exempts any pod whose image is `nginx` in the `staging-ns` namespace and sets the `spec.containers[*].securityContext.runAsUser` field to 0.
|
||||
|
||||
## Steps
|
||||
|
||||
1. - Create a cluster policy
|
||||
- Assert the policy becomes ready
|
||||
1. - Create a policy exception for the cluster policy created above.
|
||||
1. - Try to create a pod named `good-pod-1` in the `default` namespace that doesn't violate the restricted profile, expecting the creation to succeed.
|
||||
- Try to create a pod named `good-pod-2` whose image is `nginx` in the `staging-ns` namespace and the `spec.containers[*].securityContext.runAsUser` is set to 0, expecting the creation to succeed.
|
||||
- Try to create a pod named `bad-pod-1` whose image is `nginx` in the `staging-ns` namespace and the `spec.containers[*].securityContext.runAsUser` is set to 0 and the `spec.initContainers[*].securityContext.runAsNonRoot` is set to 0, expecting the creation to fail.
|
||||
- Try to create a pod named `bad-pod-2` whose image is `busybox` in the `staging-ns` namespace and the `spec.containers[*].securityContext.runAsUser` is set to 0, expecting the creation to fail.
|
||||
- Try to create a pod named `bad-pod-3` whose image is `nginx` in the `default` namespace and the `spec.containers[*].securityContext.runAsUser` is set to 0, expecting the creation to fail.
|
|
@ -0,0 +1,44 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: exclude-running-as-nonroot-user
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: ns.yaml
|
||||
- assert:
|
||||
file: ns.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- apply:
|
||||
file: exception.yaml
|
||||
- name: step-04
|
||||
try:
|
||||
- apply:
|
||||
file: pod-allowed-1.yaml
|
||||
- apply:
|
||||
file: pod-allowed-2.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-rejected-1.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-rejected-2.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-rejected-3.yaml
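Review bot: The rejection checks `($error != null): true` on the three pod-rejected applies are satisfied by any apply error, so a pod refused for an unrelated reason (an API validation error, a webhook that is not ready yet) still passes the step; the same shape is used in the chainsaw-test.yaml of exclude-running-as-nonroot, exclude-seccomp, exclude-selinux and exclude-sysctls. A check on the error text would pin the failure to the policy, e.g. `(contains($error, 'psa')): true` on each rejected apply, assuming chainsaw's JMESPath checks support `contains` as I believe they do. Step-03 applies exception.yaml without a matching `assert`, so an exception that is rejected or never reconciled would only surface later as a failing pod-allowed-2 apply; asserting on the PolicyException resource in step-03 would make that step fail fast.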
|
|
@ -0,0 +1,22 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: pod-security-exception
|
||||
namespace: policy-exception-ns
|
||||
spec:
|
||||
exceptions:
|
||||
- policyName: psa
|
||||
ruleNames:
|
||||
- restricted
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- staging-ns
|
||||
podSecurity:
|
||||
- controlName: "Running as Non-root user"
|
||||
images:
|
||||
- nginx
|
||||
restrictedField: "spec.containers[*].securityContext.runAsUser"
|
||||
values:
|
||||
- "0"
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: policy-exception-ns
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: staging-ns
|
|
@ -0,0 +1,36 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod-1
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -0,0 +1,36 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod-2
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
runAsUser: 0
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
runAsUser: 10
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -0,0 +1,36 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-1
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
runAsUser: 0
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
runAsUser: 0
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
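Review bot: This fixture's init container sets `runAsUser: 0` while keeping `runAsNonRoot: true`, but the test README describes `bad-pod-1` as setting `spec.initContainers[*].securityContext.runAsNonRoot` to 0, which is not what the file does; the README line should read `the spec.initContainers[*].securityContext.runAsUser is set to 0`. Note also that `runAsNonRoot: true` together with `runAsUser: 0` (here and in the pod-allowed-2 fixture of this test) is a combination the kubelet refuses at container start, so these pods can be admitted but never reach Running. That is fine for an admission-only test, but a comment on the fixture would save the next reader a detour, e.g. `# admission-only fixture: runAsNonRoot + runAsUser 0 is refused by the kubelet at start`.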
|
|
@ -0,0 +1,21 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-2
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: busybox1
|
||||
image: busybox
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
runAsUser: 0
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -0,0 +1,21 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-3
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
runAsUser: 0
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: psa
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: psa
|
||||
spec:
|
||||
background: true
|
||||
validationFailureAction: Enforce
|
||||
rules:
|
||||
- name: restricted
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
podSecurity:
|
||||
level: restricted
|
||||
version: latest
|
|
@ -0,0 +1,14 @@
|
|||
## Description
|
||||
|
||||
This test creates a policy that enforces the restricted profile and a policy exception that exempts any pod whose image is `nginx` in the `staging-ns` namespace and sets the `spec.containers[*].securityContext.runAsNonRoot` field to `false`.
|
||||
|
||||
## Steps
|
||||
|
||||
1. - Create a cluster policy
|
||||
- Assert the policy becomes ready
|
||||
1. - Create a policy exception for the cluster policy created above.
|
||||
1. - Try to create a pod named `good-pod-1` in the `default` namespace that doesn't violate the restricted profile, expecting the creation to succeed.
|
||||
- Try to create a pod named `good-pod-2` whose image is `nginx` in the `staging-ns` namespace and the `spec.containers[*].securityContext.runAsNonRoot` is set to `false`, expecting the creation to succeed.
|
||||
- Try to create a pod named `bad-pod-1` whose image is `nginx` in the `staging-ns` namespace and the `spec.containers[*].securityContext.runAsNonRoot` is set to `false` and the `spec.initContainers[*].securityContext.runAsNonRoot` is set to `false`, expecting the creation to fail.
|
||||
- Try to create a pod named `bad-pod-2` whose image is `busybox` in the `staging-ns` namespace and the `spec.containers[*].securityContext.runAsNonRoot` is set to `false`, expecting the creation to fail.
|
||||
- Try to create a pod named `bad-pod-3` whose image is `nginx` in the `default` namespace and the `spec.containers[*].securityContext.runAsNonRoot` is set to `false`, expecting the creation to fail.
|
|
@ -0,0 +1,44 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: exclude-running-as-nonroot
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: ns.yaml
|
||||
- assert:
|
||||
file: ns.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- apply:
|
||||
file: exception.yaml
|
||||
- name: step-04
|
||||
try:
|
||||
- apply:
|
||||
file: pod-allowed-1.yaml
|
||||
- apply:
|
||||
file: pod-allowed-2.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-rejected-1.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-rejected-2.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-rejected-3.yaml
|
|
@ -0,0 +1,22 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: pod-security-exception
|
||||
namespace: policy-exception-ns
|
||||
spec:
|
||||
exceptions:
|
||||
- policyName: psa
|
||||
ruleNames:
|
||||
- restricted
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- staging-ns
|
||||
podSecurity:
|
||||
- controlName: "Running as Non-root"
|
||||
images:
|
||||
- nginx
|
||||
restrictedField: "spec.containers[*].securityContext.runAsNonRoot"
|
||||
values:
|
||||
- "false"
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: policy-exception-ns
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: staging-ns
|
|
@ -0,0 +1,34 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod-1
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -0,0 +1,34 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod-2
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: false
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -0,0 +1,34 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-1
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: false
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: false
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-2
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: busybox1
|
||||
image: busybox
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: false
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-3
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: false
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: psa
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: psa
|
||||
spec:
|
||||
background: true
|
||||
validationFailureAction: Enforce
|
||||
rules:
|
||||
- name: restricted
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
podSecurity:
|
||||
level: restricted
|
||||
version: latest
|
|
@ -0,0 +1,13 @@
|
|||
## Description
|
||||
|
||||
This test creates a policy that enforces the baseline profile and a policy exception that exempts any pod in the `staging-ns` namespace and sets the `spec.securityContext.seccompProfile.type` to `Unconfined`.
|
||||
|
||||
## Steps
|
||||
|
||||
1. - Create a cluster policy
|
||||
- Assert the policy becomes ready
|
||||
1. - Create a policy exception for the cluster policy created above.
|
||||
1. - Try to create a pod named `good-pod-1` in the `default` namespace that doesn't violate the baseline profile, expecting the creation to succeed.
|
||||
- Try to create a pod named `good-pod-2` in the `staging-ns` namespace and the `spec.securityContext.seccompProfile.type` is set to `Unconfined` and the `spec.containers[*].securityContext.seccompProfile.type` is set to `RuntimeDefault`, expecting the creation to succeed.
|
||||
- Try to create a pod named `bad-pod-1` in the `staging-ns` namespace and the `spec.securityContext.seccompProfile.type` is set to `Unconfined` and the `spec.containers[*].securityContext.seccompProfile.type` is set to `Unconfined`, expecting the creation to fail.
|
||||
- Try to create a pod named `bad-pod-2` in the `default` namespace and the `spec.securityContext.seccompProfile.type` is set to `Unconfined` and the `spec.containers[*].securityContext.seccompProfile.type` is set to `Unconfined`, expecting the creation to fail.
|
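--- a/test/conformance/chainsaw/exceptions/exclude-seccomp/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-seccomp/chainsaw-test.yaml
@@ -0,0 +1,39 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: exclude-seccomp
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ns.yaml
+    - assert:
+        file: ns.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: exception.yaml
+  - name: step-04
+    try:
+    - apply:
+        file: pod-allowed-1.yaml
+    - apply:
+        file: pod-allowed-2.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: pod-rejected-1.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: pod-rejected-2.yaml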
|
@ -0,0 +1,20 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: pod-security-exception
|
||||
namespace: policy-exception-ns
|
||||
spec:
|
||||
exceptions:
|
||||
- policyName: psa
|
||||
ruleNames:
|
||||
- baseline
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- staging-ns
|
||||
podSecurity:
|
||||
- controlName: "Seccomp"
|
||||
restrictedField: "spec.securityContext.seccompProfile.type"
|
||||
values:
|
||||
- "Unconfined"
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: policy-exception-ns
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: staging-ns
|
|
@ -0,0 +1,24 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod-1
|
||||
namespace: default
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod-2
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: Unconfined
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-1
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: Unconfined
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: Unconfined
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-2
|
||||
namespace: default
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: Unconfined
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: Unconfined
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: psa
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: psa
|
||||
spec:
|
||||
background: true
|
||||
validationFailureAction: Enforce
|
||||
rules:
|
||||
- name: baseline
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
podSecurity:
|
||||
level: baseline
|
||||
version: latest
|
|
@ -0,0 +1,17 @@
|
|||
## Description
|
||||
|
||||
This test creates a policy that enforces the baseline profile and a policy exception that exempts any pod whose image is `nginx` in the `staging-ns` namespace and fields:
|
||||
1. `spec.containers[*].securityContext.seLinuxOptions.type` is set to `foo`.
|
||||
2. `spec.initContainers[*].securityContext.seLinuxOptions.type` is set to `bar`.
|
||||
|
||||
## Steps
|
||||
|
||||
1. - Create a cluster policy
|
||||
- Assert the policy becomes ready
|
||||
1. - Create a policy exception for the cluster policy created above.
|
||||
1. - Try to create a pod named `good-pod-1` in the `default` namespace that doesn't violate the baseline profile, expecting the creation to succeed.
|
||||
- Try to create a pod named `good-pod-2` whose image is `nginx` in the `staging-ns` namespace with `spec.containers[*].securityContext.seLinuxOptions.type` set to `foo` and `spec.initContainers[*].securityContext.seLinuxOptions.type` set to `bar`, expecting the creation to succeed.
|
||||
- Try to create a pod named `bad-pod-1` whose image is `nginx` in the `staging-ns` namespace with `spec.containers[*].securityContext.seLinuxOptions.type` set to `bar` and `spec.initContainers[*].securityContext.seLinuxOptions.type` set to `foo`, expecting the creation to fail.
|
||||
- Try to create a pod named `bad-pod-2` whose image is `busybox` in the `staging-ns` namespace with `spec.containers[*].securityContext.seLinuxOptions.type` set to `foo` and `spec.initContainers[*].securityContext.seLinuxOptions.type` set to `bar`, expecting the creation to fail.
|
||||
- Try to create a pod named `bad-pod-3` whose image is `nginx` in the `staging-ns` namespace with `spec.containers[*].securityContext.seLinuxOptions.type` set to `foo` and `spec.ephemeralContainers[*].securityContext.capabilities.add` set to `bar`, expecting the creation to fail.
|
||||
- Try to create a pod named `bad-pod-4` whose image is `nginx` in the `default` namespace with `spec.containers[*].securityContext.seLinuxOptions.type` set to `foo` and `spec.initContainers[*].securityContext.seLinuxOptions.type` set to `bar`, expecting the creation to fail.
|
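--- a/test/conformance/chainsaw/exceptions/exclude-selinux/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-selinux/chainsaw-test.yaml
@@ -0,0 +1,49 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: exclude-selinux
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ns.yaml
+    - assert:
+        file: ns.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: exception.yaml
+  - name: step-04
+    try:
+    - apply:
+        file: pod-allowed-1.yaml
+    - apply:
+        file: pod-allowed-2.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: pod-rejected-1.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: pod-rejected-2.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: pod-rejected-3.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: pod-rejected-4.yaml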
|
@ -0,0 +1,28 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: pod-security-exception
|
||||
namespace: policy-exception-ns
|
||||
spec:
|
||||
exceptions:
|
||||
- policyName: psa
|
||||
ruleNames:
|
||||
- baseline
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- staging-ns
|
||||
podSecurity:
|
||||
- controlName: "SELinux"
|
||||
images:
|
||||
- nginx
|
||||
restrictedField: "spec.containers[*].securityContext.seLinuxOptions.type"
|
||||
values:
|
||||
- "foo"
|
||||
- controlName: "SELinux"
|
||||
images:
|
||||
- nginx
|
||||
restrictedField: "spec.initContainers[*].securityContext.seLinuxOptions.type"
|
||||
values:
|
||||
- "bar"
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: policy-exception-ns
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: staging-ns
|
|
@ -0,0 +1,24 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod-1
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seLinuxOptions:
|
||||
type: container_t
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seLinuxOptions:
|
||||
type: container_init_t
|
|
@ -0,0 +1,24 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod-2
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seLinuxOptions:
|
||||
type: foo
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seLinuxOptions:
|
||||
type: bar
|
|
@ -0,0 +1,24 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-1
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seLinuxOptions:
|
||||
type: bar
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seLinuxOptions:
|
||||
type: foo
|
|
@ -0,0 +1,24 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-2
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: busybox1
|
||||
image: busybox
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seLinuxOptions:
|
||||
type: foo
|
||||
initContainers:
|
||||
- name: busybox2
|
||||
image: busybox
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seLinuxOptions:
|
||||
type: bar
|
|
@ -0,0 +1,24 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-3
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seLinuxOptions:
|
||||
type: foo
|
||||
ephemeralContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seLinuxOptions:
|
||||
type: bar
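Review bot: `spec.ephemeralContainers` cannot be set on a Pod create — as far as I recall kube-apiserver's create validation forbids the field, and that validation runs before validating webhooks — so the error this fixture produces most likely comes from the API server rather than from the `psa` policy, and the case it is meant to cover (the `bar` exemption not extending to ephemeral containers) is not actually exercised. If that case is wanted it needs a two-step shape: admit a pod without ephemeral containers, then add one through the `ephemeralcontainers` subresource and expect that update to be denied. The test README also describes `bad-pod-3` as setting `spec.ephemeralContainers[*].securityContext.capabilities.add` to `bar`, whereas the fixture sets `seLinuxOptions.type: bar`; one of the two should be corrected so the README matches the file.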
|
|
@ -0,0 +1,24 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod-4
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seLinuxOptions:
|
||||
type: foo
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seLinuxOptions:
|
||||
type: bar
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: psa
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: psa
|
||||
spec:
|
||||
background: true
|
||||
validationFailureAction: Enforce
|
||||
rules:
|
||||
- name: baseline
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
podSecurity:
|
||||
level: baseline
|
||||
version: latest
|
|
@ -0,0 +1,13 @@
|
|||
## Description
|
||||
|
||||
This test creates a policy that enforces the baseline profile and a policy exception that exempts any pod whose namespace is `staging-ns` namespace and sets the `spec.securityContext.sysctls[*].name` to `fake.value`.
|
||||
|
||||
## Steps
|
||||
|
||||
1. - Create a cluster policy
|
||||
- Assert the policy becomes ready
|
||||
1. - Create a policy exception for the cluster policy created above.
|
||||
1. - Try to create a pod named `good-pod-1` in the `default` namespace whose `spec.securityContext.sysctls[0].name` field is set to `net.ipv4.ip_unprivileged_port_start`, expecting the creation to succeed.
|
||||
- Try to create a pod named `good-pod-2` in the `staging-ns` namespace whose `spec.securityContext.sysctls[0].name` field is set to `fake.value`, expecting the creation to succeed.
|
||||
- Try to create a pod named `bad-pod-1` in the `staging-ns` namespace whose `spec.securityContext.sysctls[0].name` field is set to `unknown`, expecting the creation to fail.
|
||||
- Try to create a pod named `bad-pod-2` in the `default` namespace whose `spec.securityContext.sysctls[0].name` field is set to `fake.value`, expecting the creation to fail.
|
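--- a/test/conformance/chainsaw/exceptions/exclude-sysctls/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-sysctls/chainsaw-test.yaml
@@ -0,0 +1,39 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: exclude-sysctls
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ns.yaml
+    - assert:
+        file: ns.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: exception.yaml
+  - name: step-04
+    try:
+    - apply:
+        file: pod-allowed-1.yaml
+    - apply:
+        file: pod-allowed-2.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: pod-rejected-1.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: pod-rejected-2.yaml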
|
@ -0,0 +1,20 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: pod-security-exception
|
||||
namespace: policy-exception-ns
|
||||
spec:
|
||||
exceptions:
|
||||
- policyName: psa
|
||||
ruleNames:
|
||||
- baseline
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- staging-ns
|
||||
podSecurity:
|
||||
- controlName: "Sysctls"
|
||||
restrictedField: "spec.securityContext.sysctls[*].name"
|
||||
values:
|
||||
- "fake.value"
|