From ace5b5900302a5e872db0e62d934b9d986115d42 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy <mariam.fahmy@nirmata.com> Date: Tue, 6 Feb 2024 15:07:58 +0200 Subject: [PATCH] feat: add chainsaw tests for pod security in exceptions (#9667) 
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --- .../exclude-hostpath-volume/README.md | 12 +++++ .../chainsaw-test.yaml | 35 +++++++++++++ .../exclude-hostpath-volume/exception.yaml | 20 ++++++++ .../exclude-hostpath-volume/ns.yaml | 9 ++++ .../pod-allowed-1.yaml | 12 +++++ .../pod-allowed-2.yaml | 16 ++++++ .../exclude-hostpath-volume/pod-rejected.yaml | 16 ++++++ .../policy-assert.yaml | 9 ++++ .../exclude-hostpath-volume/policy.yaml | 18 +++++++ .../exclude-privilege-escalation/README.md | 13 +++++ .../chainsaw-test.yaml | 39 +++++++++++++++ .../exception.yaml | 28 +++++++++++ .../exclude-privilege-escalation/ns.yaml | 9 ++++ .../pod-allowed-1.yaml | 34 +++++++++++++ .../pod-allowed-2.yaml | 34 +++++++++++++ .../pod-rejected-1.yaml | 34 +++++++++++++ .../pod-rejected-2.yaml | 34 +++++++++++++ .../policy-assert.yaml | 9 ++++ .../exclude-privilege-escalation/policy.yaml | 18 +++++++ .../exclude-privileged-containers/README.md | 14 ++++++ .../chainsaw-test.yaml | 44 +++++++++++++++++ .../exception.yaml | 28 +++++++++++ .../exclude-privileged-containers/ns.yaml | 9 ++++ .../pod-allowed-1.yaml | 14 ++++++ .../pod-allowed-2.yaml | 22 +++++++++ .../pod-rejected-1.yaml | 30 ++++++++++++ .../pod-rejected-2.yaml | 22 +++++++++ .../pod-rejected-3.yaml | 23 +++++++++ .../policy-assert.yaml | 9 ++++ .../exclude-privileged-containers/policy.yaml | 18 +++++++ .../exclude-restricted-capabilities/README.md | 17 +++++++ .../chainsaw-test.yaml | 49 +++++++++++++++++++ .../exception.yaml | 29 +++++++++++ .../exclude-restricted-capabilities/ns.yaml | 9 ++++ .../pod-allowed-1.yaml | 36 ++++++++++++++ .../pod-allowed-2.yaml | 38 ++++++++++++++ .../pod-rejected-1.yaml | 38 ++++++++++++++ .../pod-rejected-2.yaml | 38 ++++++++++++++ .../pod-rejected-3.yaml | 38 ++++++++++++++ .../pod-rejected-4.yaml | 36 ++++++++++++++ .../policy-assert.yaml | 9 ++++ .../policy.yaml | 18 +++++++ .../exclude-restricted-seccomp/README.md | 14 ++++++ .../chainsaw-test.yaml | 44 +++++++++++++++++ 
.../exclude-restricted-seccomp/exception.yaml | 22 +++++++++ .../exclude-restricted-seccomp/ns.yaml | 9 ++++ .../pod-allowed-1.yaml | 37 ++++++++++++++ .../pod-allowed-2.yaml | 20 ++++++++ .../pod-rejected-1.yaml | 20 ++++++++ .../pod-rejected-2.yaml | 34 +++++++++++++ .../pod-rejected-3.yaml | 20 ++++++++ .../policy-assert.yaml | 9 ++++ .../exclude-restricted-seccomp/policy.yaml | 18 +++++++ .../exclude-running-as-nonroot-user/README.md | 14 ++++++ .../chainsaw-test.yaml | 44 +++++++++++++++++ .../exception.yaml | 22 +++++++++ .../exclude-running-as-nonroot-user/ns.yaml | 9 ++++ .../pod-allowed-1.yaml | 36 ++++++++++++++ .../pod-allowed-2.yaml | 36 ++++++++++++++ .../pod-rejected-1.yaml | 36 ++++++++++++++ .../pod-rejected-2.yaml | 21 ++++++++ .../pod-rejected-3.yaml | 21 ++++++++ .../policy-assert.yaml | 9 ++++ .../policy.yaml | 18 +++++++ .../exclude-running-as-nonroot/README.md | 14 ++++++ .../chainsaw-test.yaml | 44 +++++++++++++++++ .../exclude-running-as-nonroot/exception.yaml | 22 +++++++++ .../exclude-running-as-nonroot/ns.yaml | 9 ++++ .../pod-allowed-1.yaml | 34 +++++++++++++ .../pod-allowed-2.yaml | 34 +++++++++++++ .../pod-rejected-1.yaml | 34 +++++++++++++ .../pod-rejected-2.yaml | 20 ++++++++ .../pod-rejected-3.yaml | 20 ++++++++ .../policy-assert.yaml | 9 ++++ .../exclude-running-as-nonroot/policy.yaml | 18 +++++++ .../exceptions/exclude-seccomp/README.md | 13 +++++ .../exclude-seccomp/chainsaw-test.yaml | 39 +++++++++++++++ .../exceptions/exclude-seccomp/exception.yaml | 20 ++++++++ .../exceptions/exclude-seccomp/ns.yaml | 9 ++++ .../exclude-seccomp/pod-allowed-1.yaml | 24 +++++++++ .../exclude-seccomp/pod-allowed-2.yaml | 18 +++++++ .../exclude-seccomp/pod-rejected-1.yaml | 18 +++++++ .../exclude-seccomp/pod-rejected-2.yaml | 18 +++++++ .../exclude-seccomp/policy-assert.yaml | 9 ++++ .../exceptions/exclude-seccomp/policy.yaml | 18 +++++++ .../exceptions/exclude-selinux/README.md | 17 +++++++ .../exclude-selinux/chainsaw-test.yaml | 49 
+++++++++++++++++++ .../exceptions/exclude-selinux/exception.yaml | 28 +++++++++++ .../exceptions/exclude-selinux/ns.yaml | 9 ++++ .../exclude-selinux/pod-allowed-1.yaml | 24 +++++++++ .../exclude-selinux/pod-allowed-2.yaml | 24 +++++++++ .../exclude-selinux/pod-rejected-1.yaml | 24 +++++++++ .../exclude-selinux/pod-rejected-2.yaml | 24 +++++++++ .../exclude-selinux/pod-rejected-3.yaml | 24 +++++++++ .../exclude-selinux/pod-rejected-4.yaml | 24 +++++++++ .../exclude-selinux/policy-assert.yaml | 9 ++++ .../exceptions/exclude-selinux/policy.yaml | 18 +++++++ .../exceptions/exclude-sysctls/README.md | 13 +++++ .../exclude-sysctls/chainsaw-test.yaml | 39 +++++++++++++++ .../exceptions/exclude-sysctls/exception.yaml | 20 ++++++++ .../exceptions/exclude-sysctls/ns.yaml | 9 ++++ .../exclude-sysctls/pod-allowed-1.yaml | 15 ++++++ .../exclude-sysctls/pod-allowed-2.yaml | 15 ++++++ .../exclude-sysctls/pod-rejected-1.yaml | 15 ++++++ .../exclude-sysctls/pod-rejected-2.yaml | 15 ++++++ .../exclude-sysctls/policy-assert.yaml | 9 ++++ .../exceptions/exclude-sysctls/policy.yaml | 18 +++++++ .../exceptions/exclude-volume-types/README.md | 13 +++++ .../exclude-volume-types/chainsaw-test.yaml | 39 +++++++++++++++ .../exclude-volume-types/exception.yaml | 20 ++++++++ .../exceptions/exclude-volume-types/ns.yaml | 9 ++++ .../exclude-volume-types/pod-allowed-1.yaml | 24 +++++++++ .../exclude-volume-types/pod-allowed-2.yaml | 24 +++++++++ .../exclude-volume-types/pod-rejected-1.yaml | 26 ++++++++++ .../exclude-volume-types/pod-rejected-2.yaml | 26 ++++++++++ .../exclude-volume-types/policy-assert.yaml | 9 ++++ .../exclude-volume-types/policy.yaml | 18 +++++++ 117 files changed, 2594 insertions(+) create mode 100644 test/conformance/chainsaw/exceptions/exclude-hostpath-volume/README.md create mode 100755 test/conformance/chainsaw/exceptions/exclude-hostpath-volume/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-hostpath-volume/exception.yaml create mode 
100644 test/conformance/chainsaw/exceptions/exclude-hostpath-volume/ns.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-hostpath-volume/pod-allowed-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-hostpath-volume/pod-allowed-2.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-hostpath-volume/pod-rejected.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy-assert.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-privilege-escalation/README.md create mode 100755 test/conformance/chainsaw/exceptions/exclude-privilege-escalation/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-privilege-escalation/exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-privilege-escalation/ns.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-privilege-escalation/pod-allowed-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-privilege-escalation/pod-allowed-2.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-privilege-escalation/pod-rejected-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-privilege-escalation/pod-rejected-2.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy-assert.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-privileged-containers/README.md create mode 100755 test/conformance/chainsaw/exceptions/exclude-privileged-containers/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-privileged-containers/exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-privileged-containers/ns.yaml create mode 100644 
test/conformance/chainsaw/exceptions/exclude-privileged-containers/pod-allowed-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-privileged-containers/pod-allowed-2.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-privileged-containers/pod-rejected-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-privileged-containers/pod-rejected-2.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-privileged-containers/pod-rejected-3.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-privileged-containers/policy-assert.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-privileged-containers/policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/README.md create mode 100755 test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/ns.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-allowed-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-allowed-2.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-rejected-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-rejected-2.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-rejected-3.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-rejected-4.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/policy-assert.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/policy.yaml create mode 100644 
test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/README.md create mode 100755 test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/ns.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/pod-allowed-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/pod-allowed-2.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/pod-rejected-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/pod-rejected-2.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/pod-rejected-3.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/policy-assert.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/README.md create mode 100755 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/ns.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/pod-allowed-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/pod-allowed-2.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/pod-rejected-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/pod-rejected-2.yaml create mode 100644 
test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/pod-rejected-3.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/policy-assert.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/README.md create mode 100755 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/ns.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/pod-allowed-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/pod-allowed-2.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/pod-rejected-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/pod-rejected-2.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/pod-rejected-3.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/policy-assert.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-seccomp/README.md create mode 100755 test/conformance/chainsaw/exceptions/exclude-seccomp/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-seccomp/exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-seccomp/ns.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-seccomp/pod-allowed-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-seccomp/pod-allowed-2.yaml create mode 100644 
test/conformance/chainsaw/exceptions/exclude-seccomp/pod-rejected-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-seccomp/pod-rejected-2.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-seccomp/policy-assert.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-seccomp/policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-selinux/README.md create mode 100755 test/conformance/chainsaw/exceptions/exclude-selinux/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-selinux/exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-selinux/ns.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-selinux/pod-allowed-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-selinux/pod-allowed-2.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-selinux/pod-rejected-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-selinux/pod-rejected-2.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-selinux/pod-rejected-3.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-selinux/pod-rejected-4.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-selinux/policy-assert.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-selinux/policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-sysctls/README.md create mode 100755 test/conformance/chainsaw/exceptions/exclude-sysctls/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-sysctls/exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-sysctls/ns.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-sysctls/pod-allowed-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-sysctls/pod-allowed-2.yaml create mode 100644 
test/conformance/chainsaw/exceptions/exclude-sysctls/pod-rejected-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-sysctls/pod-rejected-2.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-sysctls/policy-assert.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-sysctls/policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-volume-types/README.md create mode 100755 test/conformance/chainsaw/exceptions/exclude-volume-types/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-volume-types/exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-volume-types/ns.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-volume-types/pod-allowed-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-volume-types/pod-allowed-2.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-volume-types/pod-rejected-1.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-volume-types/pod-rejected-2.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-volume-types/policy-assert.yaml create mode 100644 test/conformance/chainsaw/exceptions/exclude-volume-types/policy.yaml
diff --git a/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/README.md b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/README.md
new file mode 100644
index 0000000000..f3f3494cbe
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy that enforces the baseline profile and a policy exception that exempts any pod whose namespace is `staging-ns` and make use of the HostPath volume.
+
+## Steps
+
+1. - Create a cluster policy
+ - Assert the policy becomes ready
+1. - Create a policy exception for the cluster policy created above.
+1. - Try to create a pod named `good-pod-1` in the `default` namespace and doesn't use the HostPath volume, expecting the creation to succeed.
+ - Try to create a pod named `good-pod-2` in the `staging-ns` namespace that uses the HostPath volume, expecting the creation to succeed.
+ - Try to create a pod named `bad-pod` in the `default` namespace that makes use of the HostPath volume, expecting the creation to fail.
diff --git a/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/chainsaw-test.yaml b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/chainsaw-test.yaml
new file mode 100755
index 0000000000..f404ff83f0
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/chainsaw-test.yaml
@@ -0,0 +1,35 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: exclude-hostpath-volume
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: ns.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: exception.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: pod-allowed-1.yaml
+ - apply:
+ file: pod-allowed-2.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected.yaml
+
diff --git a/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/exception.yaml
new file mode 100644
index 0000000000..b3c8ee87e5
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/exception.yaml
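Review bot: The rejection check in step-04, `($error != null): true`, passes on any apply failure, not specifically on a Kyverno denial, so a pod that fails for an unrelated reason (a missing namespace, a malformed manifest) still makes the test green; the same check is used in the exclude-privilege-escalation and exclude-privileged-containers chainsaw tests later in this patch. Asserting on the denial text pins the behaviour under test, e.g. `(contains($error, 'psa')): true` alongside the null check, assuming chainsaw's JMESPath `contains` is available here as I believe it is. Separately, step-03 applies exception.yaml with no `assert`, unlike step-01 which waits for the policy to become Ready; if the exception informer has not caught up when step-04 runs, `pod-allowed-2.yaml` can be denied intermittently, so an assert on the PolicyException (or a short wait) would make the step deterministic.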
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: pod-security-exception
+ namespace: policy-exception-ns
+spec:
+ exceptions:
+ - policyName: psa
+ ruleNames:
+ - baseline
+ match:
+ any:
+ - resources:
+ namespaces:
+ - staging-ns
+ podSecurity:
+ - controlName: "HostPath Volumes"
+ restrictedField: "spec.volumes[*].hostPath"
+ values:
+ - "path"
diff --git a/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/ns.yaml b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/ns.yaml
new file mode 100644
index 0000000000..2e951f10d4
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/ns.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: policy-exception-ns
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: staging-ns
diff --git a/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/pod-allowed-1.yaml b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/pod-allowed-1.yaml
new file mode 100644
index 0000000000..d76f6b9898
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/pod-allowed-1.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-1
+ namespace: default
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/pod-allowed-2.yaml b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/pod-allowed-2.yaml
new file mode 100644
index 0000000000..f185d8690b
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/pod-allowed-2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-2
+ namespace: staging-ns
+spec:
+ volumes:
+ - name: host
+ hostPath:
+ path: /var/lib1
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/pod-rejected.yaml b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/pod-rejected.yaml
new file mode 100644
index 0000000000..192513bc08
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/pod-rejected.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod
+ namespace: default
+spec:
+ volumes:
+ - name: host
+ hostPath:
+ path: /var/lib1
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy-assert.yaml b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy-assert.yaml
new file mode 100644
index 0000000000..06fe76e564
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy.yaml
new file mode 100644
index 0000000000..863539b590
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: baseline
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/README.md b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/README.md
new file mode 100644
index 0000000000..ceafcc7ce1
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This test creates a policy that enforces the restricted profile and a policy exception that exempts any pod whose image is `nginx` in the `staging-ns` namespace and sets the `allowPrivilegeEscalation` field.
+
+## Steps
+
+1. - Create a cluster policy
+ - Assert the policy becomes ready
+1. - Create a policy exception for the cluster policy created above.
+1. - Try to create a pod named `good-pod-1` with `allowPrivilegeEscalation` set to `false` in the `default` namespace, expecting the creation to succeed.
+ - Try to create a pod named `good-pod-2` whose image is `nginx` in the `staging-ns` namespace and the `allowPrivilegeEscalation` is set to `true`, expecting the creation to succeed.
+ - Try to create a pod named `bad-pod-1` whose image is `busybox` in the `staging-ns` namespace and the `allowPrivilegeEscalation` is set to `true`, expecting the creation to fail.
+ - Try to create a pod named `bad-pod-2` whose image is `nginx` in the `default` namespace and the `allowPrivilegeEscalation` is set to `true`, expecting the creation to fail.
diff --git a/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/chainsaw-test.yaml b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/chainsaw-test.yaml
new file mode 100755
index 0000000000..054aece82a
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/chainsaw-test.yaml
@@ -0,0 +1,39 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: exclude-privilege-escalation
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: ns.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: exception.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: pod-allowed-1.yaml
+ - apply:
+ file: pod-allowed-2.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-1.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-2.yaml
diff --git a/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/exception.yaml
new file mode 100644
index 0000000000..52ced416e4
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/exception.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: pod-security-exception
+ namespace: policy-exception-ns
+spec:
+ exceptions:
+ - policyName: psa
+ ruleNames:
+ - restricted
+ match:
+ any:
+ - resources:
+ namespaces:
+ - staging-ns
+ podSecurity:
+ - controlName: "Privilege Escalation"
+ images:
+ - nginx
+ restrictedField: "spec.containers[*].securityContext.allowPrivilegeEscalation"
+ values:
+ - "true"
+ - controlName: "Privilege Escalation"
+ images:
+ - nginx
+ restrictedField: "spec.initContainers[*].securityContext.allowPrivilegeEscalation"
+ values:
+ - "true"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/ns.yaml b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/ns.yaml
new file mode 100644
index 0000000000..2e951f10d4
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/ns.yaml
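Review bot: exception.yaml ends without a trailing newline after the final `- "true"` (git flags it with `\ No newline at end of file`), and the exclude-privileged-containers exception.yaml later in this patch has the same omission; every other file in the patch is newline-terminated, so these two should be too. The two `podSecurity` entries differ only in `restrictedField`, which is fine, but a one-line comment above the block stating that `ephemeralContainers` is deliberately not exempted would save the next reader from assuming it was forgotten, e.g. `# only regular and init containers are exempted; ephemeral containers stay subject to the restricted profile`.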
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: policy-exception-ns
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: staging-ns
diff --git a/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/pod-allowed-1.yaml b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/pod-allowed-1.yaml
new file mode 100644
index 0000000000..bda99bfc8b
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/pod-allowed-1.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-1
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/pod-allowed-2.yaml b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/pod-allowed-2.yaml
new file mode 100644
index 0000000000..e93602704b
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/pod-allowed-2.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-2
+ namespace: staging-ns
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/pod-rejected-1.yaml b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/pod-rejected-1.yaml
new file mode 100644
index 0000000000..fd0aa04689
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/pod-rejected-1.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-1
+ namespace: staging-ns
+spec:
+ containers:
+ - name: busybox1
+ image: busybox
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: busybox2
+ image: busybox
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/pod-rejected-2.yaml b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/pod-rejected-2.yaml
new file mode 100644
index 0000000000..5b29b22aea
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/pod-rejected-2.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-2
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - ALL
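Review bot: bad-pod-1 uses `busybox` for both its container and its init container, so no fixture in this test mixes an exempted `nginx` container with a non-exempted one in the same pod, and the per-container scoping of the `images` matcher is never exercised. An implementation that exempted the whole pod once any container image matched would pass every case here. A fixture in `staging-ns` with `nginx1` on `image: nginx` and a second container on `image: busybox`, both with `allowPrivilegeEscalation: true`, wired into step-04 with the same `expect` block and expected to be rejected, would close that gap; the mirror case with the exempted image only in `initContainers` is worth adding for the same reason.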
diff --git a/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy-assert.yaml b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy-assert.yaml
new file mode 100644
index 0000000000..06fe76e564
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy.yaml
new file mode 100644
index 0000000000..8220f00568
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: restricted
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: restricted
+ version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-privileged-containers/README.md b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/README.md
new file mode 100644
index 0000000000..9392f405e5
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/README.md
@@ -0,0 +1,14 @@
+## Description
+
+This test creates a policy that enforces the baseline profile and a policy exception that exempts any pod whose image is `nginx` in the `staging-ns` namespace and sets the `securityContext.privileged` field in containers and initContainers only.
+
+## Steps
+
+1. - Create a cluster policy
+ - Assert the policy becomes ready
+1. - Create a policy exception for the cluster policy created above.
+1. - Try to create a pod named `good-pod-1` with `securityContext.privileged` set to `false` in the `default` namespace, expecting the creation to succeed.
+ - Try to create a pod named `good-pod-2` whose image is `nginx` in the `staging-ns` namespace and the `securityContext.privileged` is set to `true` in containers and initContainers, expecting the creation to succeed.
+ - Try to create a pod named `bad-pod-1` whose image is `nginx` in the `staging-ns` namespace and the `securityContext.privileged` is set to `true` in containers, initContainers and ephemeralContainers, expecting the creation to fail.
+ - Try to create a pod named `bad-pod-2` whose image is `busybox` in the `staging-ns` namespace and the `securityContext.privileged` is set to `true` in containers and initContainers, expecting the creation to fail.
+ - Try to create a pod named `bad-pod-3` whose image is `nginx` in the `default` namespace and the `securityContext.privileged` is set to `true`, expecting the creation to fail.
diff --git a/test/conformance/chainsaw/exceptions/exclude-privileged-containers/chainsaw-test.yaml b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/chainsaw-test.yaml
new file mode 100755
index 0000000000..73e8ab0c07
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/chainsaw-test.yaml
@@ -0,0 +1,44 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: exclude-privileged-containers
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: ns.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: exception.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: pod-allowed-1.yaml
+ - apply:
+ file: pod-allowed-2.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-1.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-2.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-3.yaml
diff --git a/test/conformance/chainsaw/exceptions/exclude-privileged-containers/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/exception.yaml
new file mode 100644
index 0000000000..85488ca435
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/exception.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: pod-security-exception
+ namespace: policy-exception-ns
+spec:
+ exceptions:
+ - policyName: psa
+ ruleNames:
+ - baseline
+ match:
+ any:
+ - resources:
+ namespaces:
+ - staging-ns
+ podSecurity:
+ - controlName: "Privileged Containers"
+ images:
+ - nginx
+ restrictedField: "spec.containers[*].securityContext.privileged"
+ values:
+ - "true"
+ - controlName: "Privileged Containers"
+ images:
+ - nginx
+ restrictedField: "spec.initContainers[*].securityContext.privileged"
+ values:
+ - "true"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/exceptions/exclude-privileged-containers/ns.yaml b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/ns.yaml
new file mode 100644
index 0000000000..2e951f10d4
--- /dev/null
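Review bot: The three rejection checks in step-04 only assert `($error != null): true`, so any error at all — an API-server validation failure, a webhook timeout, a missing namespace — satisfies the test without showing that the `psa` policy is what denied the pod. That matters here because bad-pod-1 carries an `ephemeralContainers` entry in a pod create, which the API server's own pod validation forbids on create, so that case is most likely rejected before Kyverno ever evaluates it. Tightening each check to something like `(contains($error, 'psa')): true`, since the policy name appears in Kyverno's denial message, would make the expectation meaningful. Step-03 also applies exception.yaml with no assert or wait before the allowed pods are created; if Kyverno's exception cache has not caught up, good-pod-2 is denied and the test flakes, so an `assert` on exception.yaml or a short `sleep` after it is worth adding.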
+++ b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/ns.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: policy-exception-ns
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: staging-ns
diff --git a/test/conformance/chainsaw/exceptions/exclude-privileged-containers/pod-allowed-1.yaml b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/pod-allowed-1.yaml
new file mode 100644
index 0000000000..3affb8c126
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/pod-allowed-1.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-1
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - "3000"
+ securityContext:
+ privileged: false
diff --git a/test/conformance/chainsaw/exceptions/exclude-privileged-containers/pod-allowed-2.yaml b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/pod-allowed-2.yaml
new file mode 100644
index 0000000000..8e1dd47d1c
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/pod-allowed-2.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-2
+ namespace: staging-ns
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - "3000"
+ securityContext:
+ privileged: true
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - "3000"
+ securityContext:
+ privileged: true
diff --git a/test/conformance/chainsaw/exceptions/exclude-privileged-containers/pod-rejected-1.yaml b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/pod-rejected-1.yaml
new file mode 100644
index 0000000000..176e9f4f67
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/pod-rejected-1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-1
+ namespace: staging-ns
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ privileged: true
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ privileged: true
+ ephemeralContainers:
+ - name: nginx3
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ privileged: true
diff --git a/test/conformance/chainsaw/exceptions/exclude-privileged-containers/pod-rejected-2.yaml b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/pod-rejected-2.yaml
new file mode 100644
index 0000000000..71d293afdf
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/pod-rejected-2.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-2
+ namespace: staging-ns
+spec:
+ containers:
+ - name: busybox1
+ image: busybox
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ privileged: true
+ initContainers:
+ - name: busybox2
+ image: busybox
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ privileged: true
diff --git a/test/conformance/chainsaw/exceptions/exclude-privileged-containers/pod-rejected-3.yaml b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/pod-rejected-3.yaml
new file mode 100644
index 0000000000..852ec62c01
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/pod-rejected-3.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-3
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ privileged: true
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ windowsOptions:
+ hostProcess: true
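Review bot: bad-pod-1 declares an `ephemeralContainers` entry in a pod create request; the API server's pod validation forbids ephemeralContainers on create (they are only added through the ephemeralcontainers subresource), so the rejection this fixture is expected to produce almost certainly comes from the API server rather than from the `psa` policy, and the case the README describes — a privileged ephemeral container that the containers/initContainers-only exception must not cover — is never actually evaluated by Kyverno. To exercise it, create a clean pod first and then add the ephemeral container through the subresource (a `script` step with `kubectl debug` or a raw PATCH), or drop the ephemeral container and keep this fixture as a plain regular-container negative. Whichever is chosen, a one-line comment above `ephemeralContainers:` naming which check is under test would stop the next reader from repeating this analysis.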
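Review bot: bad-pod-3 carries two independent baseline violations — `privileged: true` on the regular container and `windowsOptions.hostProcess: true` on the init container — so a rejection does not show what the README says this case is for, namely that the exception is scoped to `staging-ns` and does not reach `default`. Keeping only the `privileged: true` violation makes the namespace-scoping check unambiguous; if the HostProcess control is meant to be covered, it deserves its own fixture and README bullet rather than riding along here.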
diff --git a/test/conformance/chainsaw/exceptions/exclude-privileged-containers/policy-assert.yaml b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/policy-assert.yaml
new file mode 100644
index 0000000000..06fe76e564
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/exceptions/exclude-privileged-containers/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/policy.yaml
new file mode 100644
index 0000000000..863539b590
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/policy.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: baseline
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/README.md b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/README.md
new file mode 100644
index 0000000000..6750f87734
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/README.md
@@ -0,0 +1,17 @@
+## Description
+
+This test creates a policy that enforces the restricted profile and a policy exception that exempts any pod whose image is `nginx` in the `staging-ns` namespace and fields:
+1. `spec.containers[*].securityContext.capabilities.add` is set to `foo`.
+2. `spec.initContainers[*].securityContext.capabilities.add` is set to `baz`.
+
+## Steps
+
+1. - Create a cluster policy
+ - Assert the policy becomes ready
+1. - Create a policy exception for the cluster policy created above.
+1. - Try to create a pod named `good-pod-1` in the `default` namespace with `spec.containers[*].securityContext.capabilities.add` set to `NET_BIND_SERVICE`, expecting the creation to succeed.
+ - Try to create a pod named `good-pod-2` whose image is `nginx` in the `staging-ns` namespace with `spec.containers[*].securityContext.capabilities.add` set to `foo` and `spec.initContainers[*].securityContext.capabilities.add` set to `baz`, expecting the creation to succeed.
+ - Try to create a pod named `bad-pod-1` whose image is `nginx` in the `staging-ns` namespace with `spec.containers[*].securityContext.capabilities.add` set to `baz` and `spec.initContainers[*].securityContext.capabilities.add` set to `foo`, expecting the creation to fail.
+ - Try to create a pod named `bad-pod-2` whose image is `busybox` in the `staging-ns` namespace with `spec.containers[*].securityContext.capabilities.add` set to `foo` and `spec.initContainers[*].securityContext.capabilities.add` set to `baz`, expecting the creation to fail.
+ - Try to create a pod named `bad-pod-3` whose image is `nginx` in the `staging-ns` namespace with `spec.containers[*].securityContext.capabilities.add` set to `foo` and `spec.ephemeralContainers[*].securityContext.capabilities.add` set to `baz`, expecting the creation to fail.
+ - Try to create a pod named `bad-pod-4` whose image is `nginx` in the `default` namespace with `spec.containers[*].securityContext.capabilities.add` set to `foo` and `spec.initContainers[*].securityContext.capabilities.add` set to `baz`, expecting the creation to fail.
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/chainsaw-test.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/chainsaw-test.yaml
new file mode 100755
index 0000000000..30765f7b1e
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/chainsaw-test.yaml
@@ -0,0 +1,49 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: exclude-restricted-capabilities
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: ns.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: exception.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: pod-allowed-1.yaml
+ - apply:
+ file: pod-allowed-2.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-1.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-2.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-3.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-4.yaml
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/exception.yaml
new file mode 100644
index 0000000000..128a7df339
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/exception.yaml
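Review bot: The four rejection checks in step-04 assert only `($error != null): true`, which any failure satisfies; in particular bad-pod-3 in this test adds an `ephemeralContainers` entry on pod create, which the API server's own validation forbids, so that case is very likely rejected before the `psa` policy runs and the test passes without exercising the capabilities exception at all. Checking the error text, e.g. `(contains($error, 'psa')): true`, would pin the rejection to the policy. Step-03 applies exception.yaml and immediately proceeds to creating good-pod-2 with no assert or wait; if Kyverno's exception cache is not yet updated, the allowed pod is denied and the test flakes.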
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: pod-security-exception
+ namespace: policy-exception-ns
+spec:
+ exceptions:
+ - policyName: psa
+ ruleNames:
+ - restricted
+ match:
+ any:
+ - resources:
+ namespaces:
+ - staging-ns
+ podSecurity:
+ - controlName: "Capabilities"
+ images:
+ - nginx
+ restrictedField: "spec.containers[*].securityContext.capabilities.add"
+ values:
+ - "foo"
+ - controlName: "Capabilities"
+ images:
+ - nginx
+ restrictedField: "spec.initContainers[*].securityContext.capabilities.add"
+ values:
+ - "baz"
+
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/ns.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/ns.yaml
new file mode 100644
index 0000000000..2e951f10d4
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/ns.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: policy-exception-ns
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: staging-ns
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-allowed-1.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-allowed-1.yaml
new file mode 100644
index 0000000000..d02be677b9
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-allowed-1.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-1
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-allowed-2.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-allowed-2.yaml
new file mode 100644
index 0000000000..01c58640b1
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-allowed-2.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-2
+ namespace: staging-ns
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - foo
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - baz
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-rejected-1.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-rejected-1.yaml
new file mode 100644
index 0000000000..b0b729c535
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-rejected-1.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-1
+ namespace: staging-ns
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - baz
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - foo
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-rejected-2.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-rejected-2.yaml
new file mode 100644
index 0000000000..2508b22e26
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-rejected-2.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-2
+ namespace: staging-ns
+spec:
+ containers:
+ - name: busybox1
+ image: busybox
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - foo
+ initContainers:
+ - name: busybox2
+ image: busybox
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - baz
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-rejected-3.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-rejected-3.yaml
new file mode 100644
index 0000000000..6c39a519cc
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-rejected-3.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-3
+ namespace: staging-ns
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - foo
+ ephemeralContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - baz
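Review bot: bad-pod-3 sets `ephemeralContainers` in a pod create; the API server's pod validation forbids that field on create, so the rejection is very likely the API server's, and the behaviour the README attributes to this case — that the containers/initContainers exception for `foo`/`baz` does not extend to an ephemeral container — is never evaluated by Kyverno. Either add the ephemeral container after creation through the ephemeralcontainers subresource, or turn this into a regular-container negative and drop the ephemeral entry; a short comment above `ephemeralContainers:` saying which path was taken would help. Note also that `foo` and `baz` are not Linux capability names, which is fine for an admission-only test but worth a comment so nobody expects these pods to actually start.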
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-rejected-4.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-rejected-4.yaml
new file mode 100644
index 0000000000..75ec32df9f
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/pod-rejected-4.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-4
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - foo
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/policy-assert.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/policy-assert.yaml
new file mode 100644
index 0000000000..06fe76e564
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/policy.yaml
new file mode 100644
index 0000000000..8220f00568
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/policy.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: restricted
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: restricted
+ version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/README.md b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/README.md
new file mode 100644
index 0000000000..15ac40828c
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/README.md
@@ -0,0 +1,14 @@
+## Description
+
+This test creates a policy that enforces the restricted profile and a policy exception that exempts any pod whose image is `nginx` in the `staging-ns` namespace and sets the `spec.containers[*].securityContext.seccompProfile.type` to `Unconfined`.
+
+## Steps
+
+1. - Create a cluster policy
+ - Assert the policy becomes ready
+1. - Create a policy exception for the cluster policy created above.
+1. - Try to create a pod named `good-pod-1` in the `default` namespace that doesn't violate the restricted profile, expecting the creation to succeed.
+ - Try to create a pod named `good-pod-2` whose image is `nginx` in the `staging-ns` namespace and the `spec.containers[*].securityContext.seccompProfile.type` is set to `Unconfined`, expecting the creation to succeed.
+ - Try to create a pod named `bad-pod-1` whose image is `busybox` in the `staging-ns` namespace and the `spec.containers[*].securityContext.seccompProfile.type` is set to `Unconfined`, expecting the creation to fail.
+ - Try to create a pod named `bad-pod-2` whose image is `nginx` in the `staging-ns` namespace and the `spec.initContainers[*].securityContext.seccompProfile.type` is set to `Unconfined`, expecting the creation to fail.
+ - Try to create a pod named `bad-pod-3` whose image is `nginx` in the `default` namespace and the `spec.containers[*].securityContext.seccompProfile.type` is set to `Unconfined`, expecting the creation to fail.
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/chainsaw-test.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/chainsaw-test.yaml
new file mode 100755
index 0000000000..26a80433d6
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/chainsaw-test.yaml
@@ -0,0 +1,44 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: exclude-restricted-seccomp
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: ns.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: exception.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: pod-allowed-1.yaml
+ - apply:
+ file: pod-allowed-2.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-1.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-2.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-3.yaml
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/exception.yaml
new file mode 100644
index 0000000000..880f54a86b
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/exception.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: pod-security-exception
+ namespace: policy-exception-ns
+spec:
+ exceptions:
+ - policyName: psa
+ ruleNames:
+ - restricted
+ match:
+ any:
+ - resources:
+ namespaces:
+ - staging-ns
+ podSecurity:
+ - controlName: "Seccomp"
+ images:
+ - nginx
+ restrictedField: "spec.containers[*].securityContext.seccompProfile.type"
+ values:
+ - "Unconfined"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/ns.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/ns.yaml
new file mode 100644
index 0000000000..2e951f10d4
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/ns.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: policy-exception-ns
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: staging-ns
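Review bot: The rejection checks in step-04 assert only `($error != null): true`, so a pod refused by the API server's own validation counts as a pass even though the `psa` policy never ran; this test's bad-pod-2 (defined later in the PR) is exactly such a case, as it gives its regular and init containers the same name. A check on the error text, e.g. `(contains($error, 'psa')): true`, would tie the rejection to the policy. Step-03 applies exception.yaml with no assert or wait before good-pod-2 is created, which can flake if Kyverno's exception cache lags the API write; an `assert` on exception.yaml or a short `sleep` after the apply would remove that race.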
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/pod-allowed-1.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/pod-allowed-1.yaml
new file mode 100644
index 0000000000..0a20e657ab
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/pod-allowed-1.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-1
+ namespace: default
+spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/pod-allowed-2.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/pod-allowed-2.yaml
new file mode 100644
index 0000000000..34f14077c2
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/pod-allowed-2.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-2
+ namespace: staging-ns
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/pod-rejected-1.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/pod-rejected-1.yaml
new file mode 100644
index 0000000000..4c82f5f96c
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/pod-rejected-1.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-1
+ namespace: staging-ns
+spec:
+ containers:
+ - name: busybox
+ image: busybox
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/pod-rejected-2.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/pod-rejected-2.yaml
new file mode 100644
index 0000000000..dadbf33498
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/pod-rejected-2.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-2
+ namespace: staging-ns
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/pod-rejected-3.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/pod-rejected-3.yaml
new file mode 100644
index 0000000000..cc5833df19
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/pod-rejected-3.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-3
+ namespace: default
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
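Review bot: bad-pod-2 names both its regular container and its init container `nginx`; Kubernetes pod validation requires init container names to be unique across all containers in the pod, so this create is very likely refused by the API server for the duplicate name, and the case the README describes — an `Unconfined` init container that the containers-only seccomp exception must not cover — is never evaluated by Kyverno even though the test reports a pass. Renaming the init container, e.g. `- name: nginx2`, leaves the seccomp violation as the only reason for rejection. The same naming pattern is used in pod-allowed-2 and bad-pod-3, where it is harmless because each has a single container.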
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/policy-assert.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/policy-assert.yaml
new file mode 100644
index 0000000000..06fe76e564
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/policy.yaml
new file mode 100644
index 0000000000..8220f00568
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/policy.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: restricted
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: restricted
+ version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/README.md b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/README.md
new file mode 100644
index 0000000000..1c2b27cee1
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/README.md
@@ -0,0 +1,14 @@
+## Description
+
+This test creates a policy that enforces the restricted profile and a policy exception that exempts any pod whose image is `nginx` in the `staging-ns` namespace and sets the `spec.containers[*].securityContext.runAsUser` field to 0.
+
+## Steps
+
+1. - Create a cluster policy
+ - Assert the policy becomes ready
+1. - Create a policy exception for the cluster policy created above.
+1. - Try to create a pod named `good-pod-1` in the `default` namespace that doesn't violate the restricted profile, expecting the creation to succeed.
+ - Try to create a pod named `good-pod-2` whose image is `nginx` in the `staging-ns` namespace and the `spec.containers[*].securityContext.runAsUser` is set to 0, expecting the creation to succeed.
+ - Try to create a pod named `bad-pod-1` whose image is `nginx` in the `staging-ns` namespace and the `spec.containers[*].securityContext.runAsUser` is set to 0 and the `spec.initContainers[*].securityContext.runAsNonRoot` is set to 0, expecting the creation to fail.
+ - Try to create a pod named `bad-pod-2` whose image is `busybox` in the `staging-ns` namespace and the `spec.containers[*].securityContext.runAsUser` is set to 0, expecting the creation to fail.
+ - Try to create a pod named `bad-pod-3` whose image is `nginx` in the `default` namespace and the `spec.containers[*].securityContext.runAsUser` is set to 0, expecting the creation to fail.
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/chainsaw-test.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/chainsaw-test.yaml
new file mode 100755
index 0000000000..6ca56ab1fc
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/chainsaw-test.yaml
@@ -0,0 +1,44 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: exclude-running-as-nonroot-user
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: ns.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: exception.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: pod-allowed-1.yaml
+ - apply:
+ file: pod-allowed-2.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-1.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-2.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-3.yaml
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/exception.yaml
new file mode 100644
index 0000000000..da3b1d1283
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/exception.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: pod-security-exception
+ namespace: policy-exception-ns
+spec:
+ exceptions:
+ - policyName: psa
+ ruleNames:
+ - restricted
+ match:
+ any:
+ - resources:
+ namespaces:
+ - staging-ns
+ podSecurity:
+ - controlName: "Running as Non-root user"
+ images:
+ - nginx
+ restrictedField: "spec.containers[*].securityContext.runAsUser"
+ values:
+ - "0"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/ns.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/ns.yaml
new file mode 100644
index 0000000000..2e951f10d4
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/ns.yaml
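Review bot: As in the sibling tests, the step-04 rejection checks assert only `($error != null): true`, which cannot distinguish a Kyverno denial from any other failure of the create call; `(contains($error, 'psa')): true` would pin the rejection to the policy under test. Step-03 also moves straight from applying exception.yaml to creating good-pod-2 with no assert or wait, so a lagging exception cache turns into a spurious denial and a flaky test. Because this exception specifically re-admits `runAsUser: 0` under the restricted profile — the most consequential of the exemptions added in this PR — a comment in the test noting that good-pod-2 is expected to be admitted but not expected to be runnable would keep later readers from "fixing" the fixture.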
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: policy-exception-ns
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: staging-ns
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/pod-allowed-1.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/pod-allowed-1.yaml
new file mode 100644
index 0000000000..dc84977e94
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/pod-allowed-1.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-1
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/pod-allowed-2.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/pod-allowed-2.yaml
new file mode 100644
index 0000000000..4583c51fa0
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/pod-allowed-2.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-2
+ namespace: staging-ns
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 0
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 10
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/pod-rejected-1.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/pod-rejected-1.yaml
new file mode 100644
index 0000000000..265d403815
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/pod-rejected-1.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-1
+ namespace: staging-ns
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 0
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 0
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/pod-rejected-2.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/pod-rejected-2.yaml
new file mode 100644
index 0000000000..730163251f
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/pod-rejected-2.yaml
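Review bot: good-pod-2's nginx1 container combines `runAsNonRoot: true` with `runAsUser: 0`; that is admitted here only because the exception covers `spec.containers[*].securityContext.runAsUser`, and, as far as I recall, the kubelet refuses to start a container whose UID contradicts its non-root setting, so this fixture proves admission only and never a running pod. A comment such as `# runAsUser: 0 is the value exempted by exception.yaml; the pod is only expected to be admitted, not to run` would keep a later maintainer from "fixing" the UID and silently losing the test case.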
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-2
+ namespace: staging-ns
+spec:
+ containers:
+ - name: busybox1
+ image: busybox
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 0
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/pod-rejected-3.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/pod-rejected-3.yaml
new file mode 100644
index 0000000000..a22909086a
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/pod-rejected-3.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-3
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 0
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/policy-assert.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/policy-assert.yaml
new file mode 100644
index 0000000000..06fe76e564
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/policy.yaml
new file mode 100644
index 0000000000..8220f00568
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/policy.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: restricted
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: restricted
+ version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/README.md b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/README.md
new file mode 100644
index 0000000000..230b668823
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/README.md
@@ -0,0 +1,14 @@
+## Description
+
+This test creates a policy that enforces the restricted profile and a policy exception that exempts any pod whose image is `nginx` in the `staging-ns` namespace and sets the `spec.containers[*].securityContext.runAsNonRoot` field to `false`.
+
+## Steps
+
+1. - Create a cluster policy
+ - Assert the policy becomes ready
+1. - Create a policy exception for the cluster policy created above.
+1. - Try to create a pod named `good-pod-1` in the `default` namespace that doesn't violate the restricted profile, expecting the creation to succeed.
+ - Try to create a pod named `good-pod-2` whose image is `nginx` in the `staging-ns` namespace and the `spec.containers[*].securityContext.runAsNonRoot` is set to `false`, expecting the creation to succeed.
+ - Try to create a pod named `bad-pod-1` whose image is `nginx` in the `staging-ns` namespace and the `spec.containers[*].securityContext.runAsNonRoot` is set to `false` and the `spec.initContainers[*].securityContext.runAsNonRoot` is set to `false`, expecting the creation to fail.
+ - Try to create a pod named `bad-pod-2` whose image is `busybox` in the `staging-ns` namespace and the `spec.containers[*].securityContext.runAsNonRoot` is set to `false`, expecting the creation to fail.
+ - Try to create a pod named `bad-pod-3` whose image is `nginx` in the `default` namespace and the `spec.containers[*].securityContext.runAsNonRoot` is set to `false`, expecting the creation to fail.
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/chainsaw-test.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/chainsaw-test.yaml
new file mode 100755
index 0000000000..79946e539e
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/chainsaw-test.yaml
@@ -0,0 +1,44 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: exclude-running-as-nonroot
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: ns.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: exception.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: pod-allowed-1.yaml
+ - apply:
+ file: pod-allowed-2.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-1.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-2.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-3.yaml
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/exception.yaml
new file mode 100644
index 0000000000..aa3f87460d
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/exception.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: pod-security-exception
+ namespace: policy-exception-ns
+spec:
+ exceptions:
+ - policyName: psa
+ ruleNames:
+ - restricted
+ match:
+ any:
+ - resources:
+ namespaces:
+ - staging-ns
+ podSecurity:
+ - controlName: "Running as Non-root"
+ images:
+ - nginx
+ restrictedField: "spec.containers[*].securityContext.runAsNonRoot"
+ values:
+ - "false"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/ns.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/ns.yaml
new file mode 100644
index 0000000000..2e951f10d4
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/ns.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: policy-exception-ns
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: staging-ns
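Review bot: step-02 applies and asserts ns.yaml, but the README added for this test lists only three steps (policy, exception, pods) and never mentions creating the `policy-exception-ns` and `staging-ns` namespaces, so the documented flow does not match the test; the READMEs for exclude-seccomp, exclude-selinux, exclude-sysctls and exclude-volume-types have the same gap. A line such as `1. - Create the policy-exception-ns and staging-ns namespaces` between the policy and exception steps would align them.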
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/pod-allowed-1.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/pod-allowed-1.yaml
new file mode 100644
index 0000000000..bda99bfc8b
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/pod-allowed-1.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-1
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/pod-allowed-2.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/pod-allowed-2.yaml
new file mode 100644
index 0000000000..c7e863a3db
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/pod-allowed-2.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-2
+ namespace: staging-ns
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/pod-rejected-1.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/pod-rejected-1.yaml
new file mode 100644
index 0000000000..8e8618b559
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/pod-rejected-1.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-1
+ namespace: staging-ns
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/pod-rejected-2.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/pod-rejected-2.yaml
new file mode 100644
index 0000000000..3956ea0694
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/pod-rejected-2.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-2
+ namespace: staging-ns
+spec:
+ containers:
+ - name: busybox1
+ image: busybox
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/pod-rejected-3.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/pod-rejected-3.yaml
new file mode 100644
index 0000000000..ffd927ebab
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/pod-rejected-3.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-3
+ namespace: default
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/policy-assert.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/policy-assert.yaml
new file mode 100644
index 0000000000..06fe76e564
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/policy.yaml
new file mode 100644
index 0000000000..8220f00568
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/policy.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: restricted
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: restricted
+ version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-seccomp/README.md b/test/conformance/chainsaw/exceptions/exclude-seccomp/README.md
new file mode 100644
index 0000000000..6e02403faa
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-seccomp/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This test creates a policy that enforces the baseline profile and a policy exception that exempts any pod in the `staging-ns` namespace and sets the `spec.securityContext.seccompProfile.type` to `Unconfined`.
+
+## Steps
+
+1. - Create a cluster policy
+ - Assert the policy becomes ready
+1. - Create a policy exception for the cluster policy created above.
+1. - Try to create a pod named `good-pod-1` in the `default` namespace that doesn't violate the baseline profile, expecting the creation to succeed.
+ - Try to create a pod named `good-pod-2` in the `staging-ns` namespace and the `spec.securityContext.seccompProfile.type` is set to `Unconfined` and the `spec.containers[*].securityContext.seccompProfile.type` is set to `RuntimeDefault`, expecting the creation to succeed.
+ - Try to create a pod named `bad-pod-1` in the `staging-ns` namespace and the `spec.securityContext.seccompProfile.type` is set to `Unconfined` and the `spec.containers[*].securityContext.seccompProfile.type` is set to `Unconfined`, expecting the creation to fail.
+ - Try to create a pod named `bad-pod-2` in the `default` namespace and the `spec.securityContext.seccompProfile.type` is set to `Unconfined` and the `spec.containers[*].securityContext.seccompProfile.type` is set to `Unconfined`, expecting the creation to fail.
diff --git a/test/conformance/chainsaw/exceptions/exclude-seccomp/chainsaw-test.yaml b/test/conformance/chainsaw/exceptions/exclude-seccomp/chainsaw-test.yaml
new file mode 100755
index 0000000000..c21708d6e1
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-seccomp/chainsaw-test.yaml
@@ -0,0 +1,39 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: exclude-seccomp
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: ns.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: exception.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: pod-allowed-1.yaml
+ - apply:
+ file: pod-allowed-2.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-1.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-2.yaml
diff --git a/test/conformance/chainsaw/exceptions/exclude-seccomp/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-seccomp/exception.yaml
new file mode 100644
index 0000000000..c7780afa97
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-seccomp/exception.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: pod-security-exception
+ namespace: policy-exception-ns
+spec:
+ exceptions:
+ - policyName: psa
+ ruleNames:
+ - baseline
+ match:
+ any:
+ - resources:
+ namespaces:
+ - staging-ns
+ podSecurity:
+ - controlName: "Seccomp"
+ restrictedField: "spec.securityContext.seccompProfile.type"
+ values:
+ - "Unconfined"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/exceptions/exclude-seccomp/ns.yaml b/test/conformance/chainsaw/exceptions/exclude-seccomp/ns.yaml
new file mode 100644
index 0000000000..2e951f10d4
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-seccomp/ns.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: policy-exception-ns
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: staging-ns
diff --git a/test/conformance/chainsaw/exceptions/exclude-seccomp/pod-allowed-1.yaml b/test/conformance/chainsaw/exceptions/exclude-seccomp/pod-allowed-1.yaml
new file mode 100644
index 0000000000..f2bcbd5b68
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-seccomp/pod-allowed-1.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-1
+ namespace: default
+spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/exceptions/exclude-seccomp/pod-allowed-2.yaml b/test/conformance/chainsaw/exceptions/exclude-seccomp/pod-allowed-2.yaml
new file mode 100644
index 0000000000..45efbed59a
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-seccomp/pod-allowed-2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-2
+ namespace: staging-ns
+spec:
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/conformance/chainsaw/exceptions/exclude-seccomp/pod-rejected-1.yaml b/test/conformance/chainsaw/exceptions/exclude-seccomp/pod-rejected-1.yaml
new file mode 100644
index 0000000000..b05ac2280b
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-seccomp/pod-rejected-1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-1
+ namespace: staging-ns
+spec:
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: Unconfined
diff --git a/test/conformance/chainsaw/exceptions/exclude-seccomp/pod-rejected-2.yaml b/test/conformance/chainsaw/exceptions/exclude-seccomp/pod-rejected-2.yaml
new file mode 100644
index 0000000000..f1959cb6f1
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-seccomp/pod-rejected-2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-2
+ namespace: default
+spec:
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: Unconfined
diff --git a/test/conformance/chainsaw/exceptions/exclude-seccomp/policy-assert.yaml b/test/conformance/chainsaw/exceptions/exclude-seccomp/policy-assert.yaml
new file mode 100644
index 0000000000..06fe76e564
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-seccomp/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/exceptions/exclude-seccomp/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-seccomp/policy.yaml
new file mode 100644
index 0000000000..863539b590
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-seccomp/policy.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: baseline
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-selinux/README.md b/test/conformance/chainsaw/exceptions/exclude-selinux/README.md
new file mode 100644
index 0000000000..e353b79895
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-selinux/README.md
@@ -0,0 +1,17 @@
+## Description
+
+This test creates a policy that enforces the baseline profile and a policy exception that exempts any pod whose image is `nginx` in the `staging-ns` namespace and fields:
+1. `spec.containers[*].securityContext.seLinuxOptions.type` is set to `foo`.
+2. `spec.initContainers[*].securityContext.seLinuxOptions.type` is set to `bar`.
+
+## Steps
+
+1. - Create a cluster policy
+ - Assert the policy becomes ready
+1. - Create a policy exception for the cluster policy created above.
+1. - Try to create a pod named `good-pod-1` in the `default` namespace that doesn't violate the baseline profile, expecting the creation to succeed.
+ - Try to create a pod named `good-pod-2` whose image is `nginx` in the `staging-ns` namespace with `spec.containers[*].securityContext.seLinuxOptions.type` set to `foo` and `spec.initContainers[*].securityContext.seLinuxOptions.type` set to `bar`, expecting the creation to succeed.
+ - Try to create a pod named `bad-pod-1` whose image is `nginx` in the `staging-ns` namespace with `spec.containers[*].securityContext.seLinuxOptions.type` set to `bar` and `spec.initContainers[*].securityContext.seLinuxOptions.type` set to `foo`, expecting the creation to fail.
+ - Try to create a pod named `bad-pod-2` whose image is `busybox` in the `staging-ns` namespace with `spec.containers[*].securityContext.seLinuxOptions.type` set to `foo` and `spec.initContainers[*].securityContext.seLinuxOptions.type` set to `bar`, expecting the creation to fail.
+ - Try to create a pod named `bad-pod-3` whose image is `nginx` in the `staging-ns` namespace with `spec.containers[*].securityContext.seLinuxOptions.type` set to `foo` and `spec.ephemeralContainers[*].securityContext.capabilities.add` set to `bar`, expecting the creation to fail.
+ - Try to create a pod named `bad-pod-4` whose image is `nginx` in the `default` namespace with `spec.containers[*].securityContext.seLinuxOptions.type` set to `foo` and `spec.initContainers[*].securityContext.seLinuxOptions.type` set to `bar`, expecting the creation to fail.
diff --git a/test/conformance/chainsaw/exceptions/exclude-selinux/chainsaw-test.yaml b/test/conformance/chainsaw/exceptions/exclude-selinux/chainsaw-test.yaml
new file mode 100755
index 0000000000..74c5eee99a
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-selinux/chainsaw-test.yaml
@@ -0,0 +1,49 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: exclude-selinux
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: ns.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: exception.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: pod-allowed-1.yaml
+ - apply:
+ file: pod-allowed-2.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-1.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-2.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-3.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-4.yaml
diff --git a/test/conformance/chainsaw/exceptions/exclude-selinux/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-selinux/exception.yaml
new file mode 100644
index 0000000000..ebf95b7570
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-selinux/exception.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: pod-security-exception
+ namespace: policy-exception-ns
+spec:
+ exceptions:
+ - policyName: psa
+ ruleNames:
+ - baseline
+ match:
+ any:
+ - resources:
+ namespaces:
+ - staging-ns
+ podSecurity:
+ - controlName: "SELinux"
+ images:
+ - nginx
+ restrictedField: "spec.containers[*].securityContext.seLinuxOptions.type"
+ values:
+ - "foo"
+ - controlName: "SELinux"
+ images:
+ - nginx
+ restrictedField: "spec.initContainers[*].securityContext.seLinuxOptions.type"
+ values:
+ - "bar"
diff --git a/test/conformance/chainsaw/exceptions/exclude-selinux/ns.yaml b/test/conformance/chainsaw/exceptions/exclude-selinux/ns.yaml
new file mode 100644
index 0000000000..2e951f10d4
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-selinux/ns.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: policy-exception-ns
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: staging-ns
diff --git a/test/conformance/chainsaw/exceptions/exclude-selinux/pod-allowed-1.yaml b/test/conformance/chainsaw/exceptions/exclude-selinux/pod-allowed-1.yaml
new file mode 100644
index 0000000000..7795d44790
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-selinux/pod-allowed-1.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-1
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/test/conformance/chainsaw/exceptions/exclude-selinux/pod-allowed-2.yaml b/test/conformance/chainsaw/exceptions/exclude-selinux/pod-allowed-2.yaml
new file mode 100644
index 0000000000..6816a097f6
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-selinux/pod-allowed-2.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-2
+ namespace: staging-ns
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: foo
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: bar
diff --git a/test/conformance/chainsaw/exceptions/exclude-selinux/pod-rejected-1.yaml b/test/conformance/chainsaw/exceptions/exclude-selinux/pod-rejected-1.yaml
new file mode 100644
index 0000000000..a6ea101b3e
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-selinux/pod-rejected-1.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-1
+ namespace: staging-ns
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: bar
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: foo
diff --git a/test/conformance/chainsaw/exceptions/exclude-selinux/pod-rejected-2.yaml b/test/conformance/chainsaw/exceptions/exclude-selinux/pod-rejected-2.yaml
new file mode 100644
index 0000000000..c0a8311e37
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-selinux/pod-rejected-2.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-2
+ namespace: staging-ns
+spec:
+ containers:
+ - name: busybox1
+ image: busybox
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: foo
+ initContainers:
+ - name: busybox2
+ image: busybox
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: bar
diff --git a/test/conformance/chainsaw/exceptions/exclude-selinux/pod-rejected-3.yaml b/test/conformance/chainsaw/exceptions/exclude-selinux/pod-rejected-3.yaml
new file mode 100644
index 0000000000..2cad30ab0c
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-selinux/pod-rejected-3.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-3
+ namespace: staging-ns
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: foo
+ ephemeralContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: bar
diff --git a/test/conformance/chainsaw/exceptions/exclude-selinux/pod-rejected-4.yaml b/test/conformance/chainsaw/exceptions/exclude-selinux/pod-rejected-4.yaml
new file mode 100644
index 0000000000..109cdd5d6b
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-selinux/pod-rejected-4.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-4
+ namespace: default
+spec:
+ containers:
+ - name: nginx1
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: foo
+ initContainers:
+ - name: nginx2
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seLinuxOptions:
+ type: bar
diff --git a/test/conformance/chainsaw/exceptions/exclude-selinux/policy-assert.yaml b/test/conformance/chainsaw/exceptions/exclude-selinux/policy-assert.yaml
new file mode 100644
index 0000000000..06fe76e564
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-selinux/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/exceptions/exclude-selinux/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-selinux/policy.yaml
new file mode 100644
index 0000000000..863539b590
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-selinux/policy.yaml
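Review bot: bad-pod-3 relies on `spec.ephemeralContainers` being present on a pod create; I believe the API server rejects ephemeralContainers on create (they can only be added through the ephemeralcontainers subresource), so the `($error != null)` check in chainsaw-test.yaml step-04 would already be satisfied before Kyverno evaluates the SELinux control, and the fixture does not actually show that the exception is limited to containers and initContainers. Either drop this case or tighten the check to the policy's rejection message. Separately, the README describes this pod as setting `spec.ephemeralContainers[*].securityContext.capabilities.add` to `bar`, whereas the file sets `spec.ephemeralContainers[*].securityContext.seLinuxOptions.type`; the README line should name `seLinuxOptions.type`.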
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: baseline
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-sysctls/README.md b/test/conformance/chainsaw/exceptions/exclude-sysctls/README.md
new file mode 100644
index 0000000000..3e4f1be432
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-sysctls/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This test creates a policy that enforces the baseline profile and a policy exception that exempts any pod whose namespace is `staging-ns` namespace and sets the `spec.securityContext.sysctls[*].name` to `fake.value`.
+
+## Steps
+
+1. - Create a cluster policy
+ - Assert the policy becomes ready
+1. - Create a policy exception for the cluster policy created above.
+1. - Try to create a pod named `good-pod-1` in the `default` namespace whose `spec.securityContext.sysctls[0].name` field is set to `net.ipv4.ip_unprivileged_port_start`, expecting the creation to succeed.
+ - Try to create a pod named `good-pod-2` in the `staging-ns` namespace whose `spec.securityContext.sysctls[0].name` field is set to `fake.value`, expecting the creation to succeed.
+ - Try to create a pod named `bad-pod-1` in the `staging-ns` namespace whose `spec.securityContext.sysctls[0].name` field is set to `unknown`, expecting the creation to fail.
+ - Try to create a pod named `bad-pod-2` in the `default` namespace whose `spec.securityContext.sysctls[0].name` field is set to `fake.value`, expecting the creation to fail.
diff --git a/test/conformance/chainsaw/exceptions/exclude-sysctls/chainsaw-test.yaml b/test/conformance/chainsaw/exceptions/exclude-sysctls/chainsaw-test.yaml
new file mode 100755
index 0000000000..d24d9417a5
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-sysctls/chainsaw-test.yaml
@@ -0,0 +1,39 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: exclude-sysctls
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: ns.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: exception.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: pod-allowed-1.yaml
+ - apply:
+ file: pod-allowed-2.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-1.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-2.yaml
diff --git a/test/conformance/chainsaw/exceptions/exclude-sysctls/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-sysctls/exception.yaml
new file mode 100644
index 0000000000..ed00705ef3
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-sysctls/exception.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: pod-security-exception
+ namespace: policy-exception-ns
+spec:
+ exceptions:
+ - policyName: psa
+ ruleNames:
+ - baseline
+ match:
+ any:
+ - resources:
+ namespaces:
+ - staging-ns
+ podSecurity:
+ - controlName: "Sysctls"
+ restrictedField: "spec.securityContext.sysctls[*].name"
+ values:
+ - "fake.value"
diff --git a/test/conformance/chainsaw/exceptions/exclude-sysctls/ns.yaml b/test/conformance/chainsaw/exceptions/exclude-sysctls/ns.yaml
new file mode 100644
index 0000000000..2e951f10d4
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-sysctls/ns.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: policy-exception-ns
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: staging-ns
diff --git a/test/conformance/chainsaw/exceptions/exclude-sysctls/pod-allowed-1.yaml b/test/conformance/chainsaw/exceptions/exclude-sysctls/pod-allowed-1.yaml
new file mode 100644
index 0000000000..08915ff310
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-sysctls/pod-allowed-1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-1
+ namespace: default
+spec:
+ securityContext:
+ sysctls:
+ - name: net.ipv4.ip_unprivileged_port_start
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/exceptions/exclude-sysctls/pod-allowed-2.yaml b/test/conformance/chainsaw/exceptions/exclude-sysctls/pod-allowed-2.yaml
new file mode 100644
index 0000000000..b06d399da3
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-sysctls/pod-allowed-2.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-2
+ namespace: staging-ns
+spec:
+ securityContext:
+ sysctls:
+ - name: fake.value
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/exceptions/exclude-sysctls/pod-rejected-1.yaml b/test/conformance/chainsaw/exceptions/exclude-sysctls/pod-rejected-1.yaml
new file mode 100644
index 0000000000..0ac6823bfc
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-sysctls/pod-rejected-1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-1
+ namespace: staging-ns
+spec:
+ securityContext:
+ sysctls:
+ - name: unknown
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/exceptions/exclude-sysctls/pod-rejected-2.yaml b/test/conformance/chainsaw/exceptions/exclude-sysctls/pod-rejected-2.yaml
new file mode 100644
index 0000000000..78ed39b9f7
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-sysctls/pod-rejected-2.yaml
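Review bot: the sysctls entry `- name: net.ipv4.ip_unprivileged_port_start` in good-pod-1 carries no `value`, and the same is true of pod-allowed-2, pod-rejected-1 and pod-rejected-2 in this directory; `value` is a required field of the Pod API's Sysctl type, and to my knowledge the fixture is accepted only because the server decodes the missing field to an empty string rather than rejecting it. Setting an explicit value, e.g. `value: "0"` under each name, keeps these fixtures from depending on that leniency and makes the allowed pods describable as something the kubelet could actually apply.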
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-2
+ namespace: default
+spec:
+ securityContext:
+ sysctls:
+ - name: fake.value
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/exceptions/exclude-sysctls/policy-assert.yaml b/test/conformance/chainsaw/exceptions/exclude-sysctls/policy-assert.yaml
new file mode 100644
index 0000000000..06fe76e564
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-sysctls/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/exceptions/exclude-sysctls/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-sysctls/policy.yaml
new file mode 100644
index 0000000000..863539b590
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-sysctls/policy.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: baseline
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-volume-types/README.md b/test/conformance/chainsaw/exceptions/exclude-volume-types/README.md
new file mode 100644
index 0000000000..8124913930
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-volume-types/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This test creates a policy that enforces the restricted profile and a policy exception that exempts any pod whose namespace is `staging-ns` namespace and makes use of `spec.volumes[*].flexVolume`.
+
+## Steps
+
+1. - Create a cluster policy
+ - Assert the policy becomes ready
+1. - Create a policy exception for the cluster policy created above.
+1. - Try to create a pod named `good-pod-1` in the `default` namespace and makes use of `spec.volumes[*].configMap`, expecting the creation to succeed.
+ - Try to create a pod named `good-pod-2` in the `staging-ns` namespace and makes use of `spec.volumes[*].flexVolume`, expecting the creation to succeed.
+ - Try to create a pod named `bad-pod-1` in the `staging-ns` namespace and makes use of `spec.volumes[*].gcePersistentDisk`, expecting the creation to fail.
+ - Try to create a pod named `bad-pod-2` in the `default` namespace and makes use of `spec.volumes[*].gcePersistentDisk`, expecting the creation to fail.
diff --git a/test/conformance/chainsaw/exceptions/exclude-volume-types/chainsaw-test.yaml b/test/conformance/chainsaw/exceptions/exclude-volume-types/chainsaw-test.yaml
new file mode 100755
index 0000000000..b7b2c15e81
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-volume-types/chainsaw-test.yaml
@@ -0,0 +1,39 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: exclude-volume-types
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: ns.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: exception.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: pod-allowed-1.yaml
+ - apply:
+ file: pod-allowed-2.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-1.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-rejected-2.yaml
diff --git a/test/conformance/chainsaw/exceptions/exclude-volume-types/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-volume-types/exception.yaml
new file mode 100644
index 0000000000..45b096a512
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-volume-types/exception.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: pod-security-exception
+ namespace: policy-exception-ns
+spec:
+ exceptions:
+ - policyName: psa
+ ruleNames:
+ - restricted
+ match:
+ any:
+ - resources:
+ namespaces:
+ - staging-ns
+ podSecurity:
+ - controlName: "Volume Types"
+ restrictedField: "spec.volumes[*].flexVolume"
+ values:
+ - "driver"
diff --git a/test/conformance/chainsaw/exceptions/exclude-volume-types/ns.yaml b/test/conformance/chainsaw/exceptions/exclude-volume-types/ns.yaml
new file mode 100644
index 0000000000..2e951f10d4
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-volume-types/ns.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: policy-exception-ns
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: staging-ns
diff --git a/test/conformance/chainsaw/exceptions/exclude-volume-types/pod-allowed-1.yaml b/test/conformance/chainsaw/exceptions/exclude-volume-types/pod-allowed-1.yaml
new file mode 100644
index 0000000000..d65aa409ec
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-volume-types/pod-allowed-1.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-1
+ namespace: default
+spec:
+ volumes:
+ - name: configmap
+ configMap:
+ name: configmap
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-volume-types/pod-allowed-2.yaml b/test/conformance/chainsaw/exceptions/exclude-volume-types/pod-allowed-2.yaml
new file mode 100644
index 0000000000..85aee391f0
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-volume-types/pod-allowed-2.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod-2
+ namespace: staging-ns
+spec:
+ volumes:
+ - name: flex
+ flexVolume:
+ driver: /var/lib1
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-volume-types/pod-rejected-1.yaml b/test/conformance/chainsaw/exceptions/exclude-volume-types/pod-rejected-1.yaml
new file mode 100644
index 0000000000..dd50d16e38
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-volume-types/pod-rejected-1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-1
+ namespace: staging-ns
+spec:
+ volumes:
+ - name: udev
+ gcePersistentDisk:
+ pdName: gke-pv
+ fsType: ext4
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: Localhost
+ localhostProfile: profiles/audit.json
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-volume-types/pod-rejected-2.yaml b/test/conformance/chainsaw/exceptions/exclude-volume-types/pod-rejected-2.yaml
new file mode 100644
index 0000000000..6fa7f8b05b
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-volume-types/pod-rejected-2.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod-2
+ namespace: staging-ns
+spec:
+ volumes:
+ - name: udev
+ gcePersistentDisk:
+ pdName: gke-pv
+ fsType: ext4
+ containers:
+ - name: nginx
+ image: nginx
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: Localhost
+ localhostProfile: profiles/audit.json
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/test/conformance/chainsaw/exceptions/exclude-volume-types/policy-assert.yaml b/test/conformance/chainsaw/exceptions/exclude-volume-types/policy-assert.yaml
new file mode 100644
index 0000000000..06fe76e564
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-volume-types/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/exceptions/exclude-volume-types/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-volume-types/policy.yaml
new file mode 100644
index 0000000000..8220f00568
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/exclude-volume-types/policy.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psa
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: restricted
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: restricted
+ version: latest
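Review bot: pod-rejected-2.yaml puts `bad-pod-2` in `namespace: staging-ns` with the same `gcePersistentDisk` volume as pod-rejected-1.yaml, so the two rejected cases are identical and the exclude-volume-types README's statement that `bad-pod-2` lives in the `default` namespace does not match the manifest. Change the line to `namespace: default` so the file does what its README says. A sharper negative test, mirroring the exclude-sysctls case where `bad-pod-2` reuses the exempted `fake.value` in `default`, would give that default-namespace pod the exempted `flexVolume` instead of `gcePersistentDisk`, proving the exception is confined to `staging-ns` rather than relying on a volume type the restricted profile forbids everywhere.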