diff --git a/examples/best_practices/README.md b/examples/best_practices/README.md index 3b995078d3..812b4e8100 100644 --- a/examples/best_practices/README.md +++ b/examples/best_practices/README.md 
@@ -1,23 +1,21 @@ # Best Practice Policies -This folder contains recommended policies - | Best practice | Policy -|------------------------------------------------|-----------------------------------------------------------------------|- -| Run as non-root user | -| Disallow privileged and privilege escalation | -| Disallow use of host networking and ports | -| Disallow use of host filesystem | -| Disallow hostPOD and hostIPC | -| Require read only root filesystem | -| Disallow node ports | -| Allow trusted registries | -| Require resource requests and limits | [container_resources.yaml](container_resources.yaml) -| Require pod liveness and readiness probes | -| Require an image tag | -| Disallow latest tag and pull IfNotPresent | -| Require a namespace (disallow default) | -| Disallow use of kube-system namespace | -| Prevent mounting of service account secret | -| Require a default network policy | -| Require namespace quotas and limit ranges | +|------------------------------------------------|-----------------------------------------------------------------------| +| Run as non-root user | [policy_validate_deny_runasrootuser.yaml](policy_validate_deny_runasrootuser.yaml) | +| Disallow privileged and privilege escalation | [policy_validate_container_disallow_priviledgedprivelegesecalation.yaml](policy_validate_container_disallow_priviledgedprivelegesecalation.yaml) | +| Disallow use of host networking and ports | [policy_validate_host_network_port.yaml](policy_validate_host_network_port.yaml) | +| Disallow use of host filesystem | [policy_validate_host_path.yaml](policy_validate_host_path.yaml) | +| Disallow hostPOD and hostIPC | | +| Require read only root filesystem | | +| Disallow node ports | | +| Allow trusted registries | [policy_validate_image_registries.yaml](policy_validate_image_registries.yaml) | +| Require resource requests and limits | [policy_validate_pod_resources.yaml](policy_validate_pod_resources.yaml) | +| Require pod liveness and readiness 
probes | [policy_validate_pod_probes.yaml](policy_validate_pod_probes.yaml) | +| Require an image tag | [policy_validate_image_tag_notspecified_deny.yaml](policy_validate_image_tag_notspecified_deny.yaml) | +| Disallow latest tag and pull IfNotPresent | [policy_validate_image_latest_ifnotpresent_deny.yaml](policy_validate_image_latest_ifnotpresent_deny.yaml) | +| Require a namespace (disallow default) | | +| Disallow use of kube-system namespace | | +| Prevent mounting of service account secret | | +| Require a default network policy | | +| Require namespace quotas and limit ranges | | diff --git a/examples/best_practices/policy_validate_container_disallow_priviledgedprivelegesecalation.yaml b/examples/best_practices/policy_validate_container_disallow_priviledgedprivelegesecalation.yaml new file mode 100644 index 0000000000..0e8900c870 --- /dev/null +++ b/examples/best_practices/policy_validate_container_disallow_priviledgedprivelegesecalation.yaml @@ -0,0 +1,30 @@ +apiVersion: kyverno.io/v1alpha1 +kind: ClusterPolicy +metadata: + name: validate-deny-privileged-disallowpriviligedescalation +spec: + validationFailureAction: "audit" + rules: + - name: deny-privileged-disallowpriviligedescalation + exclude: + resources: + namespaces: + - kube-system + match: + resources: + kinds: + - Pod + validate: + message: "Privileged mode is not allowed. Set allowPrivilegeEscalatin and privileged to false" + anyPattern: + - spec: + securityContext: + allowPrivilegeEscalation: false + privileged: false + # pattern: + # spec: + # containers: + # - name: "*" + # securityContext: + # allowPrivilegeEscalation: false + # privileged: false diff --git a/examples/best_practices/policy_validate_container_security_context.yaml b/examples/best_practices/policy_validate_container_security_context.yaml deleted file mode 100644 index 816f63f7cc..0000000000 --- a/examples/best_practices/policy_validate_container_security_context.yaml +++ /dev/null 
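Review bot: Two of the new links in the table point at files that do not exist after this commit: `policy_validate_pod_probes.yaml` is not added anywhere in the diff (the old `validate_pod_probes.yaml` is deleted), and `policy_validate_pod_resources.yaml` is moved into the `resources/` subfolder by this same commit, so `[policy_validate_pod_resources.yaml](policy_validate_pod_resources.yaml)` dangles. Moving a policy into `resources/`, which otherwise holds only Pod test fixtures, looks accidental; either keep the policy at the folder root or change the link to `resources/policy_validate_pod_resources.yaml`. The row for "Require a namespace (disallow default)" could also link `policy_validate_default_namespace.yaml`, which this commit renames into place.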
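Review bot: The single `anyPattern` entry checks `privileged` and `allowPrivilegeEscalation` under the pod-level `spec.securityContext`, but those two fields exist only on the container `securityContext` in the Pod API, so no Pod the API server accepts can satisfy this pattern and the containers, where privilege is actually granted, are never inspected; the container-level check is present but commented out at the bottom of the file. The deleted `check-privilege` rule in `policy_validate_container_security_context.yaml` had it right, and its failing test case is removed in this commit without a replacement. Promote the commented block back to the rule's `pattern` (below) and consider a parallel pattern over `initContainers`, since `spec.containers` alone does not cover init containers. The typo `allowPrivilegeEscalatin` in `message` is carried over and worth fixing while the rule is rewritten.
```yaml
    # … unchanged: exclude/match …
    validate:
      message: "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
      pattern:
        spec:
          containers:
          - name: "*"
            securityContext:
              allowPrivilegeEscalation: false
              privileged: false
```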
@@ -1,40 +0,0 @@ -apiVersion: kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - name: check-container-security-context -spec: - validationFailureAction: "audit" - rules: - - name: check-root-user - exclude: - resources: - namespaces: - - kube-system - match: - resources: - kinds: - - Pod - validate: - message: "Root user is not allowed. Set runAsNonRoot to true." - anyPattern: - - spec: - securityContext: - runAsNonRoot: true - - name: check-privilege - exclude: - resources: - namespaces: - - kube-system - match: - resources: - kinds: - - Pod - validate: - message: "Privileged mode is not allowed. Set allowPrivilegeEscalatin and privileged to false" - pattern: - spec: - containers: - - name: "*" - securityContext: - allowPrivilegeEscalation: false - privileged: false diff --git a/examples/best_practices/validate_default_namespace.yaml b/examples/best_practices/policy_validate_default_namespace.yaml similarity index 100% rename from examples/best_practices/validate_default_namespace.yaml rename to examples/best_practices/policy_validate_default_namespace.yaml diff --git a/examples/best_practices/policy_validate_deny_runasrootuser.yaml b/examples/best_practices/policy_validate_deny_runasrootuser.yaml new file mode 100644 index 0000000000..1dc6796f80 --- /dev/null +++ b/examples/best_practices/policy_validate_deny_runasrootuser.yaml @@ -0,0 +1,28 @@ +apiVersion: kyverno.io/v1alpha1 +kind: ClusterPolicy +metadata: + name: validate-deny-runasrootuser +spec: + validationFailureAction: "audit" + rules: + - name: deny-runasrootuser + exclude: + resources: + namespaces: + - kube-system + match: + resources: + kinds: + - Pod + validate: + message: "Root user is not allowed. Set runAsNonRoot to true." + anyPattern: + - spec: + securityContext: + runAsNonRoot: true + # pattern: + # spec: + # containers: + # - name: "*" + # securityContext: + # runAsNonRoot: true \ No newline at end of file 
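Review bot: With the container-level alternative commented out, `deny-runasrootuser` accepts any Pod whose pod-level `spec.securityContext.runAsNonRoot` is `true`, even when a container sets `securityContext.runAsNonRoot: false`, which overrides the pod-level value at runtime; the removed expectation in `scenario_validate_nonRootUser.yaml` shows the previous policy at least also looked at `/spec/containers/0/securityContext/`. Re-adding that block as a second `anyPattern` entry restores the old behaviour but still lets the override through, since `anyPattern` is an OR; a separate rule with a `pattern` over `spec.containers` (below) closes it, at the cost of requiring the field on every container — whether a Kyverno pattern can express "absent or true" instead is worth confirming. The file is also missing its trailing newline.
```yaml
  # … unchanged: deny-runasrootuser rule (pod-level anyPattern) …
  - name: deny-runasrootuser-containers
    exclude:
      resources:
        namespaces:
        - kube-system
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Root user is not allowed. Set runAsNonRoot to true on every container."
      pattern:
        spec:
          containers:
          - name: "*"
            securityContext:
              runAsNonRoot: true
```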
diff --git a/examples/best_practices/validate_host_network_port.yaml b/examples/best_practices/policy_validate_host_network_port.yaml similarity index 100% rename from examples/best_practices/validate_host_network_port.yaml rename to examples/best_practices/policy_validate_host_network_port.yaml diff --git a/examples/best_practices/validate_host_path.yaml b/examples/best_practices/policy_validate_host_path.yaml similarity index 100% rename from examples/best_practices/validate_host_path.yaml rename to examples/best_practices/policy_validate_host_path.yaml diff --git a/examples/best_practices/validate_image_registries.yaml b/examples/best_practices/policy_validate_image_registries.yaml similarity index 100% rename from examples/best_practices/validate_image_registries.yaml rename to examples/best_practices/policy_validate_image_registries.yaml diff --git a/examples/best_practices/policy_validate_pod_resources.yaml b/examples/best_practices/resources/policy_validate_pod_resources.yaml similarity index 100% rename from examples/best_practices/policy_validate_pod_resources.yaml rename to examples/best_practices/resources/policy_validate_pod_resources.yaml diff --git a/examples/best_practices/resource_default_namespace.yaml b/examples/best_practices/resources/resource_default_namespace.yaml similarity index 100% rename from examples/best_practices/resource_default_namespace.yaml rename to examples/best_practices/resources/resource_default_namespace.yaml diff --git a/examples/best_practices/resource_mutate_pod_disable_automountingapicred.yaml b/examples/best_practices/resources/resource_mutate_pod_disable_automountingapicred.yaml similarity index 100% rename from examples/best_practices/resource_mutate_pod_disable_automountingapicred.yaml rename to examples/best_practices/resources/resource_mutate_pod_disable_automountingapicred.yaml 
diff --git a/examples/best_practices/resources/resource_validate_container_security_context.yaml b/examples/best_practices/resources/resource_validate_container_security_context.yaml deleted file mode 100644 index 48dba8fe6c..0000000000 --- a/examples/best_practices/resources/resource_validate_container_security_context.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: check-container-security-context -spec: - securityContext: - runAsNonRoot: true - containers: - - name: check-container-security-context - image: nginxinc/nginx-unprivileged - securityContext: - allowPrivilegeEscalation: true - privileged: false diff --git a/examples/best_practices/resources/resource_validate_deny_runasrootuser.yaml b/examples/best_practices/resources/resource_validate_deny_runasrootuser.yaml new file mode 100644 index 0000000000..7b16e9bace --- /dev/null +++ b/examples/best_practices/resources/resource_validate_deny_runasrootuser.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + name: check-root-user +spec: + securityContext: + runAsNonRoot: true + containers: + - name: check-root-user + image: nginxinc/nginx-unprivileged + # securityContext: + # allowPrivilegeEscalation: true + # privileged: false diff --git a/examples/best_practices/resource_validate_image_latest_ifnotpresent_deny.yaml b/examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_deny.yaml similarity index 100% rename from examples/best_practices/resource_validate_image_latest_ifnotpresent_deny.yaml rename to examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_deny.yaml 
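Review bot: This fixture only exercises the passing path of `validate-deny-runasrootuser`; the `allowPrivilegeEscalation: true` container that made the deleted `resource_validate_container_security_context.yaml` a failing case for the privilege check is commented out here, and no fixture or scenario in this commit drives the new `policy_validate_container_disallow_priviledgedprivelegesecalation.yaml` at all. A deny-side fixture for that policy (one container with `allowPrivilegeEscalation: true`) plus a matching scenario would keep the coverage this commit removes. If the commented lines are not meant to be re-enabled, drop them rather than leave a dormant `securityContext` in a fixture.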
diff --git a/examples/best_practices/resource_validate_image_latest_ifnotpresent_pass.yaml b/examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_pass.yaml similarity index 100% rename from examples/best_practices/resource_validate_image_latest_ifnotpresent_pass.yaml rename to examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_pass.yaml diff --git a/examples/best_practices/resource_validate_image_pullpolicy_notalways_deny.yaml b/examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_deny.yaml similarity index 100% rename from examples/best_practices/resource_validate_image_pullpolicy_notalways_deny.yaml rename to examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_deny.yaml diff --git a/examples/best_practices/resource_validate_image_pullpolicy_notalways_pass.yaml b/examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_pass.yaml similarity index 100% rename from examples/best_practices/resource_validate_image_pullpolicy_notalways_pass.yaml rename to examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_pass.yaml diff --git a/examples/best_practices/resource_validate_image_tag_latest_deny.yaml b/examples/best_practices/resources/resource_validate_image_tag_latest_deny.yaml similarity index 100% rename from examples/best_practices/resource_validate_image_tag_latest_deny.yaml rename to examples/best_practices/resources/resource_validate_image_tag_latest_deny.yaml diff --git a/examples/best_practices/resource_validate_image_tag_latest_pass.yaml b/examples/best_practices/resources/resource_validate_image_tag_latest_pass.yaml similarity index 100% rename from examples/best_practices/resource_validate_image_tag_latest_pass.yaml rename to examples/best_practices/resources/resource_validate_image_tag_latest_pass.yaml 
diff --git a/examples/best_practices/resource_validate_image_tag_notspecified_deny.yaml b/examples/best_practices/resources/resource_validate_image_tag_notspecified_deny.yaml similarity index 100% rename from examples/best_practices/resource_validate_image_tag_notspecified_deny.yaml rename to examples/best_practices/resources/resource_validate_image_tag_notspecified_deny.yaml diff --git a/examples/best_practices/resource_validate_image_tag_notspecified_pass.yaml b/examples/best_practices/resources/resource_validate_image_tag_notspecified_pass.yaml similarity index 100% rename from examples/best_practices/resource_validate_image_tag_notspecified_pass.yaml rename to examples/best_practices/resources/resource_validate_image_tag_notspecified_pass.yaml diff --git a/examples/resource_validate_nonRootUser.yaml b/examples/best_practices/resources/resource_validate_nonRootUser.yaml similarity index 100% rename from examples/resource_validate_nonRootUser.yaml rename to examples/best_practices/resources/resource_validate_nonRootUser.yaml diff --git a/examples/best_practices/resource_validate_pod_resources.yaml b/examples/best_practices/resources/resource_validate_pod_resources.yaml similarity index 100% rename from examples/best_practices/resource_validate_pod_resources.yaml rename to examples/best_practices/resources/resource_validate_pod_resources.yaml diff --git a/examples/best_practices/validate_image_tag.yaml b/examples/best_practices/validate_image_tag.yaml deleted file mode 100644 index 52aaab8b5f..0000000000 --- a/examples/best_practices/validate_image_tag.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion : kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - annotations: - kyverno.io/category: images - kyverno.io/description: | - ...... - name: validate-image -spec: - rules: - - name: validate-tag - match: - resources: - kinds: - - Pod - validate: - message: "An image tag is required" - pattern: - spec: - containers: - - image: "*:*" - - name: validate-latest - match: - resources: - kinds: - - Pod - validate: - message: "imagePullPolicy 'Always' required with tag 'latest'" - pattern: - spec: - containers: - - (image): "*latest" - imagePullPolicy: Always - diff --git a/examples/best_practices/validate_pod_probes.yaml b/examples/best_practices/validate_pod_probes.yaml deleted file mode 100644 index b720695b3a..0000000000 --- a/examples/best_practices/validate_pod_probes.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - name: validate-probes -spec: - validationFailureAction: "audit" - rules: - - name: check-probes - match: - resources: - kinds: - - Pod - # exclude: - # namespaces: - # - kube-system - validate: - message: "Liveness and readiness probes are required" - pattern: - spec: - containers: - livenessProbe: - periodSeconds: ">0" - readinessProbe: - periodSeconds: ">0" - diff --git a/examples/best_practices/validate_pod_resources.yaml b/examples/best_practices/validate_pod_resources.yaml deleted file mode 100644 index 4f62e3000e..0000000000 --- a/examples/best_practices/validate_pod_resources.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: kyverno.io/v1alpha1 -kind: ClusterPolicy -metadata: - name: check-resources -spec: - validationFailureAction: "audit" - rules: - - name: check-pod-resources - match: - resources: - kinds: - - Pod - validate: - message: "CPU and memory resource requests and limits are required" - pattern: - spec: - containers: - - name: "*" - resources: - requests: - memory: "?*" - cpu: "?*" - limits: - memory: "?*" - cpu: "?*" 
diff --git a/examples/resource_generate_networkPolicy.yaml b/examples/resources/resource_generate_networkPolicy.yaml similarity index 100% rename from examples/resource_generate_networkPolicy.yaml rename to examples/resources/resource_generate_networkPolicy.yaml diff --git a/examples/resource_mutate_endpoint.yaml b/examples/resources/resource_mutate_endpoint.yaml similarity index 100% rename from examples/resource_mutate_endpoint.yaml rename to examples/resources/resource_mutate_endpoint.yaml diff --git a/examples/resource_mutate_imagePullPolicy.yaml b/examples/resources/resource_mutate_imagePullPolicy.yaml similarity index 100% rename from examples/resource_mutate_imagePullPolicy.yaml rename to examples/resources/resource_mutate_imagePullPolicy.yaml diff --git a/examples/resource_mutate_validate_qos.yaml b/examples/resources/resource_mutate_validate_qos.yaml similarity index 100% rename from examples/resource_mutate_validate_qos.yaml rename to examples/resources/resource_mutate_validate_qos.yaml diff --git a/examples/resource_validate_containerSecurityContext.yaml b/examples/resources/resource_validate_containerSecurityContext.yaml similarity index 100% rename from examples/resource_validate_containerSecurityContext.yaml rename to examples/resources/resource_validate_containerSecurityContext.yaml diff --git a/examples/resource_validate_healthChecks.yaml b/examples/resources/resource_validate_healthChecks.yaml similarity index 100% rename from examples/resource_validate_healthChecks.yaml rename to examples/resources/resource_validate_healthChecks.yaml diff --git a/examples/resource_validate_imageRegistries.yaml b/examples/resources/resource_validate_imageRegistries.yaml similarity index 100% rename from examples/resource_validate_imageRegistries.yaml rename to examples/resources/resource_validate_imageRegistries.yaml 
diff --git a/examples/resources/resource_validate_nonRootUser.yaml b/examples/resources/resource_validate_nonRootUser.yaml new file mode 100644 index 0000000000..fe64cbe4bd --- /dev/null +++ b/examples/resources/resource_validate_nonRootUser.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sec-ctx-unprivileged +spec: + # securityContext: + # runAsNonRoot: true + containers: + - name: imagen-with-hostpath + image: nginxinc/nginx-unprivileged diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go index 5aa74f992c..0177b9ee96 100644 --- a/pkg/testrunner/testrunner_test.go +++ b/pkg/testrunner/testrunner_test.go @@ -18,8 +18,8 @@ func Test_validate_containerSecurityContext(t *testing.T) { testScenario(t, "/test/scenarios/test/scenario_validate_containerSecurityContext.yaml") } -func Test_validate_checkContainerSecurityContext(t *testing.T) { - testScenario(t, "/test/scenarios/test/scenario_validate_container_security_context.yaml") +func Test_validate_deny_runasrootuser(t *testing.T) { + testScenario(t, "test/scenarios/test/scenario_validate_deny_runasrootuser.yaml.yaml") } func Test_validate_healthChecks(t *testing.T) { diff --git a/test/scenarios/test/scenario_generate_networkPolicy.yaml b/test/scenarios/test/scenario_generate_networkPolicy.yaml index 9c3fe574a2..956ab41d5e 100644 --- a/test/scenarios/test/scenario_generate_networkPolicy.yaml +++ b/test/scenarios/test/scenario_generate_networkPolicy.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: policy: examples/policy_generate_networkPolicy.yaml - resource: examples/resource_generate_networkPolicy.yaml + resource: examples/resources/resource_generate_networkPolicy.yaml expected: generation: generatedResources: diff --git a/test/scenarios/test/scenario_mutate_endPpoint.yaml b/test/scenarios/test/scenario_mutate_endPpoint.yaml index 44af7cab65..b0a890f276 100644 --- a/test/scenarios/test/scenario_mutate_endPpoint.yaml 
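Review bot: This new file duplicates the fixture the same commit renames to `examples/best_practices/resources/resource_validate_nonRootUser.yaml`, and the updated `scenario_validate_nonRootUser.yaml` points at the renamed copy, so nothing visible in the diff references this one; if it is a leftover, drop it, otherwise state its purpose in a leading comment. The container name `imagen-with-hostpath` reads like a typo and does not describe a Pod that mounts no hostPath.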
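Review bot: The path passed to `testScenario` in `Test_validate_deny_runasrootuser` drops the leading slash that every neighbouring call uses (`"/test/scenarios/..."`), so it relies on `testScenario` normalising both forms, which cannot be confirmed from this hunk. It also hard-codes the doubled `.yaml.yaml` extension of the new scenario file; renaming the scenario to `scenario_validate_deny_runasrootuser.yaml` and calling `testScenario(t, "/test/scenarios/test/scenario_validate_deny_runasrootuser.yaml")` keeps the two consistent with the rest of the file. The enclosing test file continues outside the hunk.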
+++ b/test/scenarios/test/scenario_mutate_endPpoint.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: policy: examples/policy_mutate_endpoint.yaml - resource: examples/resource_mutate_endpoint.yaml + resource: examples/resources/resource_mutate_endpoint.yaml expected: mutation: patchedresource: test/output/output_mutate_endpoint.yaml diff --git a/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml b/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml index 665c15c956..b20806091a 100644 --- a/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml +++ b/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: policy: examples/policy_mutate_imagePullPolicy.yaml - resource: examples/resource_mutate_imagePullPolicy.yaml + resource: examples/resources/resource_mutate_imagePullPolicy.yaml expected: mutation: patchedresource: test/output/output_mutate_imagePullPolicy.yaml diff --git a/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml b/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml index 189ca4e6e2..b9eaac4340 100644 --- a/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml +++ b/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: policy: examples/best_practices/policy_mutate_pod_disable_automountingapicred.yaml - resource: examples/best_practices/resource_mutate_pod_disable_automountingapicred.yaml + resource: examples/best_practices/resources/resource_mutate_pod_disable_automountingapicred.yaml expected: mutation: patchedresource: test/output/output_mutate_pod_disable_automoutingapicred.yaml diff --git a/test/scenarios/test/scenario_mutate_validate_qos.yaml b/test/scenarios/test/scenario_mutate_validate_qos.yaml index f06bc30f11..383d001750 100644 --- a/test/scenarios/test/scenario_mutate_validate_qos.yaml 
+++ b/test/scenarios/test/scenario_mutate_validate_qos.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: policy: examples/policy_mutate_validate_qos.yaml - resource: examples/resource_mutate_validate_qos.yaml + resource: examples/resources/resource_mutate_validate_qos.yaml expected: mutation: patchedresource: test/output/output_mutate_validate_qos.yaml diff --git a/test/scenarios/test/scenario_validate_containerSecurityContext.yaml b/test/scenarios/test/scenario_validate_containerSecurityContext.yaml index c3c179217d..e5dd3df274 100644 --- a/test/scenarios/test/scenario_validate_containerSecurityContext.yaml +++ b/test/scenarios/test/scenario_validate_containerSecurityContext.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: policy: examples/policy_validate_containerSecurityContext.yaml - resource: examples/resource_validate_containerSecurityContext.yaml + resource: examples/resources/resource_validate_containerSecurityContext.yaml expected: validation: policyresponse: diff --git a/test/scenarios/test/scenario_validate_container_security_context.yaml b/test/scenarios/test/scenario_validate_container_security_context.yaml deleted file mode 100644 index 6e2c1f1522..0000000000 --- a/test/scenarios/test/scenario_validate_container_security_context.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -# file path relative to project root -input: - policy: examples/best_practices/policy_validate_container_security_context.yaml - resource: examples/best_practices/resources/resource_validate_container_security_context.yaml -expected: - validation: - policyresponse: - policy: check-container-security-context - resource: - kind: Pod - apiVersion: v1 - namespace: '' - name: check-container-security-context - rules: - - name: check-root-user - type: Validation - message: "Validation rule 'check-root-user' anyPattern[0] succesfully validated" - success: true - - name: check-privilege - type: Validation - message: "Validation rule 'check-privilege' failed at '/spec/containers/0/securityContext/allowPrivilegeEscalation/' for resource Pod//check-container-security-context. Privileged mode is not allowed. Set allowPrivilegeEscalatin and privileged to false" - success: false diff --git a/test/scenarios/test/scenario_validate_deny_runasrootuser.yaml.yaml b/test/scenarios/test/scenario_validate_deny_runasrootuser.yaml.yaml new file mode 100644 index 0000000000..daccfc050a --- /dev/null +++ b/test/scenarios/test/scenario_validate_deny_runasrootuser.yaml.yaml @@ -0,0 +1,18 @@ +# file path relative to project root +input: + policy: examples/best_practices/policy_validate_deny_runasrootuser.yaml + resource: examples/best_practices/resources/resource_validate_deny_runasrootuser.yaml +expected: + validation: + policyresponse: + policy: validate-deny-runasrootuser + resource: + kind: Pod + apiVersion: v1 + namespace: '' + name: check-root-user + rules: + - name: deny-runasrootuser + type: Validation + message: "Validation rule 'deny-runasrootuser' anyPattern[0] succesfully validated" + success: true diff --git a/test/scenarios/test/scenario_validate_healthChecks.yaml b/test/scenarios/test/scenario_validate_healthChecks.yaml index c44c8ae26d..ce5ab021e7 100644 --- a/test/scenarios/test/scenario_validate_healthChecks.yaml 
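Review bot: The new scenario's file name ends in `.yaml.yaml`, and `testrunner_test.go` now hard-codes the same doubled extension, so the typo has become load-bearing; rename both to a single `.yaml` before anything else depends on it. The scenario asserts only the passing case for `validate-deny-runasrootuser`, whereas the deleted `scenario_validate_container_security_context.yaml` also asserted a failing rule, and the privilege-escalation policy added in this commit has no scenario at all. The expected `message` keeps the engine's `succesfully` spelling, which is correct only as long as it matches the runtime string byte for byte.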
+++ b/test/scenarios/test/scenario_validate_healthChecks.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: policy: examples/policy_validate_healthChecks.yaml - resource: examples/resource_validate_healthChecks.yaml + resource: examples/resources/resource_validate_healthChecks.yaml expected: validation: policyresponse: diff --git a/test/scenarios/test/scenario_validate_imageRegistries.yaml b/test/scenarios/test/scenario_validate_imageRegistries.yaml index d17401d507..ec774a6698 100644 --- a/test/scenarios/test/scenario_validate_imageRegistries.yaml +++ b/test/scenarios/test/scenario_validate_imageRegistries.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: policy: examples/policy_validate_imageRegistries.yaml - resource: examples/resource_validate_imageRegistries.yaml + resource: examples/resources/resource_validate_imageRegistries.yaml expected: validation: policyresponse: diff --git a/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml b/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml index 95071e9e96..ffdabd6a7a 100644 --- a/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml +++ b/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: policy: examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml - resource: examples/best_practices/resource_validate_image_latest_ifnotpresent_deny.yaml + resource: examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_deny.yaml expected: validation: policyresponse: diff --git a/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml b/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml index 730e94ef45..82458d0ecf 100644 --- a/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml 
+++ b/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: policy: examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml - resource: examples/best_practices/resource_validate_image_latest_ifnotpresent_pass.yaml + resource: examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_pass.yaml expected: validation: policyresponse: diff --git a/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml b/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml index a057acd15e..3c633e446f 100644 --- a/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml +++ b/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: policy: examples/best_practices/policy_validate_image_pullpolicy_notalways_deny.yaml - resource: examples/best_practices/resource_validate_image_pullpolicy_notalways_deny.yaml + resource: examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_deny.yaml expected: validation: policyresponse: diff --git a/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml b/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml index 50f3b84e8f..d1be03e24f 100644 --- a/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml +++ b/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: policy: examples/best_practices/policy_validate_image_pullpolicy_notalways_deny.yaml - resource: examples/best_practices/resource_validate_image_pullpolicy_notalways_pass.yaml + resource: examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_pass.yaml expected: validation: policyresponse: 
diff --git a/test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml b/test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml index 009107a320..9dba3e53e2 100644 --- a/test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml +++ b/test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: policy: examples/best_practices/policy_validate_image_tag_latest_deny.yaml - resource: examples/best_practices/resource_validate_image_tag_latest_deny.yaml + resource: examples/best_practices/resources/resource_validate_image_tag_latest_deny.yaml expected: validation: policyresponse: diff --git a/test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml b/test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml index 3b96ed2342..28ecb0b8f2 100644 --- a/test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml +++ b/test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: policy: examples/best_practices/policy_validate_image_tag_latest_deny.yaml - resource: examples/best_practices/resource_validate_image_tag_latest_pass.yaml + resource: examples/best_practices/resources/resource_validate_image_tag_latest_pass.yaml expected: validation: policyresponse: diff --git a/test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml b/test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml index aaeb3d9626..ba4e108170 100644 --- a/test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml +++ b/test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml 
@@ -1,7 +1,7 @@ # file path relative to project root input: policy: examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml - resource: examples/best_practices/resource_validate_image_tag_notspecified_deny.yaml + resource: examples/best_practices/resources/resource_validate_image_tag_notspecified_deny.yaml expected: validation: policyresponse: diff --git a/test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml b/test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml index 22b1fe3864..3b004aff15 100644 --- a/test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml +++ b/test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: policy: examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml - resource: examples/best_practices/resource_validate_image_tag_notspecified_pass.yaml + resource: examples/best_practices/resources/resource_validate_image_tag_notspecified_pass.yaml expected: validation: policyresponse: diff --git a/test/scenarios/test/scenario_validate_nonRootUser.yaml b/test/scenarios/test/scenario_validate_nonRootUser.yaml index 36552eb359..f5dae28ef5 100644 --- a/test/scenarios/test/scenario_validate_nonRootUser.yaml +++ b/test/scenarios/test/scenario_validate_nonRootUser.yaml 
@@ -1,18 +1,18 @@ # file path relative to project root input: - policy: examples/policy_validate_nonRootUser.yaml - resource: examples/resource_validate_nonRootUser.yaml + policy: examples/best_practices/policy_validate_deny_runasrootuser.yaml + resource: examples/best_practices/resources/resource_validate_nonRootUser.yaml expected: validation: policyresponse: - policy: check-container-security-context + policy: validate-deny-runasrootuser resource: kind: Pod apiVersion: v1 namespace: '' name: sec-ctx-unprivileged rules: - - name: check-root-user + - name: deny-runasrootuser type: Validation - message: Validation rule 'check-root-user' failed to validate patterns defined in anyPattern. Root user is not allowed. Set runAsNonRoot to true.; anyPattern[0] failed at path /spec/securityContext/; anyPattern[1] failed at path /spec/containers/0/securityContext/ + message: Validation rule 'deny-runasrootuser' failed to validate patterns defined in anyPattern. Root user is not allowed. Set runAsNonRoot to true.; anyPattern[0] failed at path /spec/securityContext/ success: false \ No newline at end of file