From 7bae501e7b9dcdb4b7c6821efc8dddddda6a1b50 Mon Sep 17 00:00:00 2001 
From: shivkumar dudhani
Date: Fri, 6 Sep 2019 17:49:51 -0700
Subject: [PATCH 1/3] move resources to seperate folder
---
 .../{ => resources}/policy_validate_pod_resources.yaml | 0
 .../{ => resources}/resource_default_namespace.yaml | 0
 .../resource_mutate_pod_disable_automountingapicred.yaml | 0
 .../resource_validate_image_latest_ifnotpresent_deny.yaml | 0
 .../resource_validate_image_latest_ifnotpresent_pass.yaml | 0
 .../resource_validate_image_pullpolicy_notalways_deny.yaml | 0
 .../resource_validate_image_pullpolicy_notalways_pass.yaml | 0
 .../resource_validate_image_tag_latest_deny.yaml | 0
 .../resource_validate_image_tag_latest_pass.yaml | 0
 .../resource_validate_image_tag_notspecified_deny.yaml | 0
 .../resource_validate_image_tag_notspecified_pass.yaml | 0
 .../{ => resources}/resource_validate_pod_resources.yaml | 0
 examples/{ => resources}/resource_generate_networkPolicy.yaml | 0
 examples/{ => resources}/resource_mutate_endpoint.yaml | 0
 examples/{ => resources}/resource_mutate_imagePullPolicy.yaml | 0
 examples/{ => resources}/resource_mutate_validate_qos.yaml | 0
 .../resource_validate_containerSecurityContext.yaml | 0
 examples/{ => resources}/resource_validate_healthChecks.yaml | 0
 examples/{ => resources}/resource_validate_imageRegistries.yaml | 0
 examples/{ => resources}/resource_validate_nonRootUser.yaml | 0
 test/scenarios/test/scenario_generate_networkPolicy.yaml | 2 +-
 test/scenarios/test/scenario_mutate_endPpoint.yaml | 2 +-
 test/scenarios/test/scenario_mutate_imagePullPolicy.yaml | 2 +-
 .../test/scenario_mutate_pod_disable_automountingapicred.yaml | 2 +-
 test/scenarios/test/scenario_mutate_validate_qos.yaml | 2 +-
 .../test/scenario_validate_containerSecurityContext.yaml | 2 +-
 test/scenarios/test/scenario_validate_healthChecks.yaml | 2 +-
 test/scenarios/test/scenario_validate_imageRegistries.yaml | 2 +-
 .../test/scenario_validate_image_latest_ifnotpresent_deny.yaml | 2 +-
 .../test/scenario_validate_image_latest_ifnotpresent_pass.yaml | 2 +-
 .../test/scenario_validate_image_pullpolicy_notalways_deny.yaml | 2 +-
 .../test/scenario_validate_image_pullpolicy_notalways_pass.yaml | 2 +-
 .../scenarios/test/scenario_validate_image_tag_latest_deny.yaml | 2 +-
 .../scenarios/test/scenario_validate_image_tag_latest_pass.yaml | 2 +-
 .../test/scenario_validate_image_tag_notspecified_deny.yaml | 2 +-
 .../test/scenario_validate_image_tag_notspecified_pass.yaml | 2 +-
 test/scenarios/test/scenario_validate_nonRootUser.yaml | 2 +-
 37 files changed, 17 insertions(+), 17 deletions(-)
 rename examples/best_practices/{ => resources}/policy_validate_pod_resources.yaml (100%)
 rename examples/best_practices/{ => resources}/resource_default_namespace.yaml (100%)
 rename examples/best_practices/{ => resources}/resource_mutate_pod_disable_automountingapicred.yaml (100%)
 rename examples/best_practices/{ => resources}/resource_validate_image_latest_ifnotpresent_deny.yaml (100%)
 rename examples/best_practices/{ => resources}/resource_validate_image_latest_ifnotpresent_pass.yaml (100%)
 rename examples/best_practices/{ => resources}/resource_validate_image_pullpolicy_notalways_deny.yaml (100%)
 rename examples/best_practices/{ => resources}/resource_validate_image_pullpolicy_notalways_pass.yaml (100%)
 rename examples/best_practices/{ => resources}/resource_validate_image_tag_latest_deny.yaml (100%)
 rename examples/best_practices/{ => resources}/resource_validate_image_tag_latest_pass.yaml (100%)
 rename examples/best_practices/{ => resources}/resource_validate_image_tag_notspecified_deny.yaml (100%)
 rename examples/best_practices/{ => resources}/resource_validate_image_tag_notspecified_pass.yaml (100%)
 rename examples/best_practices/{ => resources}/resource_validate_pod_resources.yaml (100%)
 rename examples/{ => resources}/resource_generate_networkPolicy.yaml (100%)
 rename examples/{ => resources}/resource_mutate_endpoint.yaml (100%)
 rename examples/{ => resources}/resource_mutate_imagePullPolicy.yaml (100%)
 rename examples/{ => resources}/resource_mutate_validate_qos.yaml (100%)
 rename examples/{ => resources}/resource_validate_containerSecurityContext.yaml (100%)
 rename examples/{ => resources}/resource_validate_healthChecks.yaml (100%)
 rename examples/{ => resources}/resource_validate_imageRegistries.yaml (100%)
 rename examples/{ => resources}/resource_validate_nonRootUser.yaml (100%)
diff --git a/examples/best_practices/policy_validate_pod_resources.yaml b/examples/best_practices/resources/policy_validate_pod_resources.yaml
similarity index 100%
rename from examples/best_practices/policy_validate_pod_resources.yaml
rename to examples/best_practices/resources/policy_validate_pod_resources.yaml
diff --git a/examples/best_practices/resource_default_namespace.yaml b/examples/best_practices/resources/resource_default_namespace.yaml
similarity index 100%
rename from examples/best_practices/resource_default_namespace.yaml
rename to examples/best_practices/resources/resource_default_namespace.yaml
diff --git a/examples/best_practices/resource_mutate_pod_disable_automountingapicred.yaml b/examples/best_practices/resources/resource_mutate_pod_disable_automountingapicred.yaml
similarity index 100%
rename from examples/best_practices/resource_mutate_pod_disable_automountingapicred.yaml
rename to examples/best_practices/resources/resource_mutate_pod_disable_automountingapicred.yaml
diff --git a/examples/best_practices/resource_validate_image_latest_ifnotpresent_deny.yaml b/examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_deny.yaml
similarity index 100%
rename from examples/best_practices/resource_validate_image_latest_ifnotpresent_deny.yaml
rename to examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_deny.yaml
diff --git a/examples/best_practices/resource_validate_image_latest_ifnotpresent_pass.yaml b/examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_pass.yaml
similarity index 100%
rename from examples/best_practices/resource_validate_image_latest_ifnotpresent_pass.yaml
rename to examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_pass.yaml
diff --git a/examples/best_practices/resource_validate_image_pullpolicy_notalways_deny.yaml b/examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_deny.yaml
similarity index 100%
rename from examples/best_practices/resource_validate_image_pullpolicy_notalways_deny.yaml
rename to examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_deny.yaml
diff --git a/examples/best_practices/resource_validate_image_pullpolicy_notalways_pass.yaml b/examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_pass.yaml
similarity index 100%
rename from examples/best_practices/resource_validate_image_pullpolicy_notalways_pass.yaml
rename to examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_pass.yaml
diff --git a/examples/best_practices/resource_validate_image_tag_latest_deny.yaml b/examples/best_practices/resources/resource_validate_image_tag_latest_deny.yaml
similarity index 100%
rename from examples/best_practices/resource_validate_image_tag_latest_deny.yaml
rename to examples/best_practices/resources/resource_validate_image_tag_latest_deny.yaml
diff --git a/examples/best_practices/resource_validate_image_tag_latest_pass.yaml b/examples/best_practices/resources/resource_validate_image_tag_latest_pass.yaml
similarity index 100%
rename from examples/best_practices/resource_validate_image_tag_latest_pass.yaml
rename to examples/best_practices/resources/resource_validate_image_tag_latest_pass.yaml
diff --git a/examples/best_practices/resource_validate_image_tag_notspecified_deny.yaml b/examples/best_practices/resources/resource_validate_image_tag_notspecified_deny.yaml
similarity index 100%
rename from examples/best_practices/resource_validate_image_tag_notspecified_deny.yaml
rename to examples/best_practices/resources/resource_validate_image_tag_notspecified_deny.yaml
diff --git a/examples/best_practices/resource_validate_image_tag_notspecified_pass.yaml b/examples/best_practices/resources/resource_validate_image_tag_notspecified_pass.yaml
similarity index 100%
rename from examples/best_practices/resource_validate_image_tag_notspecified_pass.yaml
rename to examples/best_practices/resources/resource_validate_image_tag_notspecified_pass.yaml
diff --git a/examples/best_practices/resource_validate_pod_resources.yaml b/examples/best_practices/resources/resource_validate_pod_resources.yaml
similarity index 100%
rename from examples/best_practices/resource_validate_pod_resources.yaml
rename to examples/best_practices/resources/resource_validate_pod_resources.yaml
diff --git a/examples/resource_generate_networkPolicy.yaml b/examples/resources/resource_generate_networkPolicy.yaml
similarity index 100%
rename from examples/resource_generate_networkPolicy.yaml
rename to examples/resources/resource_generate_networkPolicy.yaml
diff --git a/examples/resource_mutate_endpoint.yaml b/examples/resources/resource_mutate_endpoint.yaml
similarity index 100%
rename from examples/resource_mutate_endpoint.yaml
rename to examples/resources/resource_mutate_endpoint.yaml
diff --git a/examples/resource_mutate_imagePullPolicy.yaml b/examples/resources/resource_mutate_imagePullPolicy.yaml
similarity index 100%
rename from examples/resource_mutate_imagePullPolicy.yaml
rename to examples/resources/resource_mutate_imagePullPolicy.yaml
diff --git a/examples/resource_mutate_validate_qos.yaml b/examples/resources/resource_mutate_validate_qos.yaml
similarity index 100%
rename from examples/resource_mutate_validate_qos.yaml
rename to examples/resources/resource_mutate_validate_qos.yaml
diff --git a/examples/resource_validate_containerSecurityContext.yaml b/examples/resources/resource_validate_containerSecurityContext.yaml
similarity index 100%
rename from examples/resource_validate_containerSecurityContext.yaml
rename to examples/resources/resource_validate_containerSecurityContext.yaml
diff --git a/examples/resource_validate_healthChecks.yaml b/examples/resources/resource_validate_healthChecks.yaml
similarity index 100%
rename from examples/resource_validate_healthChecks.yaml
rename to examples/resources/resource_validate_healthChecks.yaml
diff --git a/examples/resource_validate_imageRegistries.yaml b/examples/resources/resource_validate_imageRegistries.yaml
similarity index 100%
rename from examples/resource_validate_imageRegistries.yaml
rename to examples/resources/resource_validate_imageRegistries.yaml
diff --git a/examples/resource_validate_nonRootUser.yaml b/examples/resources/resource_validate_nonRootUser.yaml
similarity index 100%
rename from examples/resource_validate_nonRootUser.yaml
rename to examples/resources/resource_validate_nonRootUser.yaml
diff --git a/test/scenarios/test/scenario_generate_networkPolicy.yaml b/test/scenarios/test/scenario_generate_networkPolicy.yaml
index 9c3fe574a2..956ab41d5e 100644
--- a/test/scenarios/test/scenario_generate_networkPolicy.yaml
+++ b/test/scenarios/test/scenario_generate_networkPolicy.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: examples/policy_generate_networkPolicy.yaml
- resource: examples/resource_generate_networkPolicy.yaml
+ resource: examples/resources/resource_generate_networkPolicy.yaml
 expected:
 generation:
 generatedResources:
diff --git a/test/scenarios/test/scenario_mutate_endPpoint.yaml b/test/scenarios/test/scenario_mutate_endPpoint.yaml
index 44af7cab65..b0a890f276 100644
--- a/test/scenarios/test/scenario_mutate_endPpoint.yaml
+++ b/test/scenarios/test/scenario_mutate_endPpoint.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: examples/policy_mutate_endpoint.yaml
- resource: examples/resource_mutate_endpoint.yaml
+ resource: examples/resources/resource_mutate_endpoint.yaml
 expected:
 mutation:
 patchedresource: test/output/output_mutate_endpoint.yaml
diff --git a/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml b/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml
index 665c15c956..b20806091a 100644
--- a/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml
+++ b/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: examples/policy_mutate_imagePullPolicy.yaml
- resource: examples/resource_mutate_imagePullPolicy.yaml
+ resource: examples/resources/resource_mutate_imagePullPolicy.yaml
 expected:
 mutation:
 patchedresource: test/output/output_mutate_imagePullPolicy.yaml
diff --git a/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml b/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml
index 189ca4e6e2..b9eaac4340 100644
--- a/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml
+++ b/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: examples/best_practices/policy_mutate_pod_disable_automountingapicred.yaml
- resource: examples/best_practices/resource_mutate_pod_disable_automountingapicred.yaml
+ resource: examples/best_practices/resources/resource_mutate_pod_disable_automountingapicred.yaml
 expected:
 mutation:
 patchedresource: test/output/output_mutate_pod_disable_automoutingapicred.yaml
diff --git a/test/scenarios/test/scenario_mutate_validate_qos.yaml b/test/scenarios/test/scenario_mutate_validate_qos.yaml
index f06bc30f11..383d001750 100644
--- a/test/scenarios/test/scenario_mutate_validate_qos.yaml
+++ b/test/scenarios/test/scenario_mutate_validate_qos.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: examples/policy_mutate_validate_qos.yaml
- resource: examples/resource_mutate_validate_qos.yaml
+ resource: examples/resources/resource_mutate_validate_qos.yaml
 expected:
 mutation:
 patchedresource: test/output/output_mutate_validate_qos.yaml
diff --git a/test/scenarios/test/scenario_validate_containerSecurityContext.yaml b/test/scenarios/test/scenario_validate_containerSecurityContext.yaml
index c3c179217d..e5dd3df274 100644
--- a/test/scenarios/test/scenario_validate_containerSecurityContext.yaml
+++ b/test/scenarios/test/scenario_validate_containerSecurityContext.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: examples/policy_validate_containerSecurityContext.yaml
- resource: examples/resource_validate_containerSecurityContext.yaml
+ resource: examples/resources/resource_validate_containerSecurityContext.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_healthChecks.yaml b/test/scenarios/test/scenario_validate_healthChecks.yaml
index c44c8ae26d..ce5ab021e7 100644
--- a/test/scenarios/test/scenario_validate_healthChecks.yaml
+++ b/test/scenarios/test/scenario_validate_healthChecks.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: examples/policy_validate_healthChecks.yaml
- resource: examples/resource_validate_healthChecks.yaml
+ resource: examples/resources/resource_validate_healthChecks.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_imageRegistries.yaml b/test/scenarios/test/scenario_validate_imageRegistries.yaml
index d17401d507..ec774a6698 100644
--- a/test/scenarios/test/scenario_validate_imageRegistries.yaml
+++ b/test/scenarios/test/scenario_validate_imageRegistries.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: examples/policy_validate_imageRegistries.yaml
- resource: examples/resource_validate_imageRegistries.yaml
+ resource: examples/resources/resource_validate_imageRegistries.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml b/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml
index 95071e9e96..ffdabd6a7a 100644
--- a/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml
+++ b/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
- resource: examples/best_practices/resource_validate_image_latest_ifnotpresent_deny.yaml
+ resource: examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_deny.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml b/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml
index 730e94ef45..82458d0ecf 100644
--- a/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml
+++ b/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
- resource: examples/best_practices/resource_validate_image_latest_ifnotpresent_pass.yaml
+ resource: examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_pass.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml b/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml
index a057acd15e..3c633e446f 100644
--- a/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml
+++ b/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: examples/best_practices/policy_validate_image_pullpolicy_notalways_deny.yaml
- resource: examples/best_practices/resource_validate_image_pullpolicy_notalways_deny.yaml
+ resource: examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_deny.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml b/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml
index 50f3b84e8f..d1be03e24f 100644
--- a/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml
+++ b/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: examples/best_practices/policy_validate_image_pullpolicy_notalways_deny.yaml
- resource: examples/best_practices/resource_validate_image_pullpolicy_notalways_pass.yaml
+ resource: examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_pass.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml b/test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml
index 009107a320..9dba3e53e2 100644
--- a/test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml
+++ b/test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: examples/best_practices/policy_validate_image_tag_latest_deny.yaml
- resource: examples/best_practices/resource_validate_image_tag_latest_deny.yaml
+ resource: examples/best_practices/resources/resource_validate_image_tag_latest_deny.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml b/test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml
index 3b96ed2342..28ecb0b8f2 100644
--- a/test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml
+++ b/test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: examples/best_practices/policy_validate_image_tag_latest_deny.yaml
- resource: examples/best_practices/resource_validate_image_tag_latest_pass.yaml
+ resource: examples/best_practices/resources/resource_validate_image_tag_latest_pass.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml b/test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml
index aaeb3d9626..ba4e108170 100644
--- a/test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml
+++ b/test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml
- resource: examples/best_practices/resource_validate_image_tag_notspecified_deny.yaml
+ resource: examples/best_practices/resources/resource_validate_image_tag_notspecified_deny.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml b/test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml
index 22b1fe3864..3b004aff15 100644
--- a/test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml
+++ b/test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml
- resource: examples/best_practices/resource_validate_image_tag_notspecified_pass.yaml
+ resource: examples/best_practices/resources/resource_validate_image_tag_notspecified_pass.yaml
 expected:
 validation:
 policyresponse:
diff --git a/test/scenarios/test/scenario_validate_nonRootUser.yaml b/test/scenarios/test/scenario_validate_nonRootUser.yaml
index 36552eb359..17f8024d09 100644
--- a/test/scenarios/test/scenario_validate_nonRootUser.yaml
+++ b/test/scenarios/test/scenario_validate_nonRootUser.yaml
@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
 policy: examples/policy_validate_nonRootUser.yaml
- resource: examples/resource_validate_nonRootUser.yaml
+ resource: examples/resources/resource_validate_nonRootUser.yaml
 expected:
 validation:
 policyresponse:
From 10c1490817763fbd4d8403d33f01818f6db16ad1 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Sat, 7 Sep 2019 10:12:20 -0700
Subject: [PATCH 2/3] Update README.md
update table
---
 examples/best_practices/README.md | 36 +++++++++++++++----------------
 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/examples/best_practices/README.md b/examples/best_practices/README.md
index 3b995078d3..2b5bf89c4b 100644
--- a/examples/best_practices/README.md
+++ b/examples/best_practices/README.md
@@ -3,21 +3,21 @@ This folder contains recommended policies
 | Best practice | Policy
-|------------------------------------------------|-----------------------------------------------------------------------|-
-| Run as non-root user |
-| Disallow privileged and privilege escalation |
-| Disallow use of host networking and ports |
-| Disallow use of host filesystem |
-| Disallow hostPOD and hostIPC |
-| Require read only root filesystem |
-| Disallow node ports |
-| Allow trusted registries |
-| Require resource requests and limits | [container_resources.yaml](container_resources.yaml)
-| Require pod liveness and readiness probes |
-| Require an image tag |
-| Disallow latest tag and pull IfNotPresent |
-| Require a namespace (disallow default) |
-| Disallow use of kube-system namespace |
-| Prevent mounting of service account secret |
-| Require a default network policy |
-| Require namespace quotas and limit ranges |
+|------------------------------------------------|-----------------------------------------------------------------------|
+| Run as non-root user | |
+| Disallow privileged and privilege escalation | |
+| Disallow use of host networking and ports | |
+| Disallow use of host filesystem | |
+| Disallow hostPOD and hostIPC | |
+| Require read only root filesystem | |
+| Disallow node ports | |
+| Allow trusted registries | |
+| Require resource requests and limits | [container_resources.yaml](container_resources.yaml) |
+| Require pod liveness and readiness probes | |
+| Require an image tag | |
+| Disallow latest tag and pull IfNotPresent | |
+| Require a namespace (disallow default) | |
+| Disallow use of kube-system namespace | |
+| Prevent mounting of service account secret | |
+| Require a default network policy | |
+| Require namespace quotas and limit ranges | |
From 59c1e8346655ff5cc69843a46d4d97b190452ec5 Mon Sep 17 00:00:00 2001
From: shivkumar dudhani
Date: Sun, 8 Sep 2019 10:41:07 -0700
Subject: [PATCH 3/3] upate readme links and remove duplicate policies
---
 examples/best_practices/README.md | 22 ++++++------
 ...allow_priviledgedprivelegesecalation.yaml} | 27 ++-------------
 ...=> policy_validate_default_namespace.yaml} | 0
 .../policy_validate_deny_runasrootuser.yaml | 28 +++++++++++++++
 ...=> policy_validate_host_network_port.yaml} | 0
 ...th.yaml => policy_validate_host_path.yaml} | 0
 ... => policy_validate_image_registries.yaml} | 0
 .../resource_default_namespace.yaml | 0
 ...utate_pod_disable_automountingapicred.yaml | 0
 ...lidate_image_latest_ifnotpresent_deny.yaml | 0
 ...lidate_image_latest_ifnotpresent_pass.yaml | 0
 ...idate_image_pullpolicy_notalways_deny.yaml | 0
 ...idate_image_pullpolicy_notalways_pass.yaml | 0
 ...source_validate_image_tag_latest_deny.yaml | 0
 ...source_validate_image_tag_latest_pass.yaml | 0
 ..._validate_image_tag_notspecified_deny.yaml | 0
 ..._validate_image_tag_notspecified_pass.yaml | 0
 .../resource_validate_nonRootUser.yaml | 10 ++++++
 .../resource_validate_pod_resources.yaml | 0
 .../best_practices/validate_image_tag.yaml | 34 -------------------
 .../best_practices/validate_pod_probes.yaml | 25 --------------
 .../validate_pod_resources.yaml | 25 --------------
 .../resource_generate_networkPolicy.yaml | 4 +++
 .../resources/resource_mutate_endpoint.yaml | 13 +++++++
 .../resource_mutate_imagePullPolicy.yaml | 20 +++++++++++
 .../resource_mutate_validate_qos.yaml | 22 ++++++++++++
 ...rce_validate_containerSecurityContext.yaml | 22 ++++++++++++
 .../resource_validate_healthChecks.yaml | 33 ++++++++++++++++++
 .../resource_validate_imageRegistries.yaml | 21 ++++++++++++
 .../test/scenario_generate_networkPolicy.yaml | 2 +-
 .../test/scenario_mutate_endPpoint.yaml | 2 +-
 .../test/scenario_mutate_imagePullPolicy.yaml | 2 +-
 ...utate_pod_disable_automountingapicred.yaml | 2 +-
 .../test/scenario_mutate_validate_qos.yaml | 2 +-
 ...rio_validate_containerSecurityContext.yaml | 2 +-
 .../test/scenario_validate_healthChecks.yaml | 2 +-
 .../scenario_validate_imageRegistries.yaml | 2 +-
 ...lidate_image_latest_ifnotpresent_deny.yaml | 2 +-
 ...lidate_image_latest_ifnotpresent_pass.yaml | 2 +-
 ...idate_image_pullpolicy_notalways_deny.yaml | 2 +-
 ...idate_image_pullpolicy_notalways_pass.yaml | 2 +-
 ...enario_validate_image_tag_latest_deny.yaml | 2 +-
 ...enario_validate_image_tag_latest_pass.yaml | 2 +-
 ..._validate_image_tag_notspecified_deny.yaml | 2 +-
 ..._validate_image_tag_notspecified_pass.yaml | 2 +-
 .../test/scenario_validate_nonRootUser.yaml | 10 +++---
 46 files changed, 207 insertions(+), 141 deletions(-)
 rename examples/best_practices/{validate_container_security_context.yaml => policy_validate_container_disallow_priviledgedprivelegesecalation.yaml} (52%)
 rename examples/best_practices/{validate_default_namespace.yaml => policy_validate_default_namespace.yaml} (100%)
 create mode 100644 examples/best_practices/policy_validate_deny_runasrootuser.yaml
 rename examples/best_practices/{validate_host_network_port.yaml => policy_validate_host_network_port.yaml} (100%)
 rename examples/best_practices/{validate_host_path.yaml => policy_validate_host_path.yaml} (100%)
 rename examples/best_practices/{validate_image_registries.yaml => policy_validate_image_registries.yaml} (100%)
 rename examples/best_practices/{ => resources}/resource_default_namespace.yaml (100%)
 rename examples/best_practices/{ => resources}/resource_mutate_pod_disable_automountingapicred.yaml (100%)
 rename examples/best_practices/{ => resources}/resource_validate_image_latest_ifnotpresent_deny.yaml (100%)
 rename examples/best_practices/{ => resources}/resource_validate_image_latest_ifnotpresent_pass.yaml (100%)
 rename examples/best_practices/{ => resources}/resource_validate_image_pullpolicy_notalways_deny.yaml (100%)
 rename examples/best_practices/{ => resources}/resource_validate_image_pullpolicy_notalways_pass.yaml (100%)
 rename examples/best_practices/{ => resources}/resource_validate_image_tag_latest_deny.yaml (100%)
 rename examples/best_practices/{ => resources}/resource_validate_image_tag_latest_pass.yaml (100%)
 rename examples/best_practices/{ => resources}/resource_validate_image_tag_notspecified_deny.yaml (100%)
 rename examples/best_practices/{ => resources}/resource_validate_image_tag_notspecified_pass.yaml (100%)
 create mode 100644 examples/best_practices/resources/resource_validate_nonRootUser.yaml
 rename examples/best_practices/{ => resources}/resource_validate_pod_resources.yaml (100%)
 delete mode 100644 examples/best_practices/validate_image_tag.yaml
 delete mode 100644 examples/best_practices/validate_pod_probes.yaml
 delete mode 100644 examples/best_practices/validate_pod_resources.yaml
 create mode 100644 examples/resources/resource_generate_networkPolicy.yaml
 create mode 100644 examples/resources/resource_mutate_endpoint.yaml
 create mode 100644 examples/resources/resource_mutate_imagePullPolicy.yaml
 create mode 100644 examples/resources/resource_mutate_validate_qos.yaml
 create mode 100644 examples/resources/resource_validate_containerSecurityContext.yaml
 create mode 100644 examples/resources/resource_validate_healthChecks.yaml
 create mode 100644 examples/resources/resource_validate_imageRegistries.yaml
diff --git a/examples/best_practices/README.md b/examples/best_practices/README.md
index 2b5bf89c4b..812b4e8100 100644
--- a/examples/best_practices/README.md
+++ b/examples/best_practices/README.md
@@ -1,21 +1,19 @@
# Best Practice Policies
-This folder contains recommended policies
-
| Best practice | Policy |------------------------------------------------|-----------------------------------------------------------------------|
-| Run as non-root user | |
-| Disallow privileged and privilege escalation | |
-| Disallow use of host networking and ports | |
-| Disallow use of host filesystem | |
+| Run as non-root user | [policy_validate_deny_runasrootuser.yaml](policy_validate_deny_runasrootuser.yaml) |
+| Disallow privileged and privilege escalation | [policy_validate_container_disallow_priviledgedprivelegesecalation.yaml](policy_validate_container_disallow_priviledgedprivelegesecalation.yaml) |
+| Disallow use of host networking and ports | [policy_validate_host_network_port.yaml](policy_validate_host_network_port.yaml) |
+| Disallow use of host filesystem | [policy_validate_host_path.yaml](policy_validate_host_path.yaml) |
| Disallow hostPOD and hostIPC | |
| Require read only root filesystem | |
-| Disallow node ports | |
-| Allow trusted registries | |
-| Require resource requests and limits | [container_resources.yaml](container_resources.yaml) |
-| Require pod liveness and readiness probes | |
-| Require an image tag | |
-| Disallow latest tag and pull IfNotPresent | |
+| Disallow node ports | |
+| Allow trusted registries | [policy_validate_image_registries.yaml](policy_validate_image_registries.yaml) |
+| Require resource requests and limits | [policy_validate_pod_resources.yaml](policy_validate_pod_resources.yaml) |
+| Require pod liveness and readiness probes | [policy_validate_pod_probes.yaml](policy_validate_pod_probes.yaml) |
+| Require an image tag | [policy_validate_image_tag_notspecified_deny.yaml](policy_validate_image_tag_notspecified_deny.yaml) |
+| Disallow latest tag and pull IfNotPresent | [policy_validate_image_latest_ifnotpresent_deny.yaml](policy_validate_image_latest_ifnotpresent_deny.yaml) |
| Require a namespace (disallow default)
| |
| Disallow use of kube-system namespace | |
| Prevent mounting of service account secret | |
diff --git a/examples/best_practices/validate_container_security_context.yaml b/examples/best_practices/policy_validate_container_disallow_priviledgedprivelegesecalation.yaml
similarity index 52%
rename from examples/best_practices/validate_container_security_context.yaml
rename to examples/best_practices/policy_validate_container_disallow_priviledgedprivelegesecalation.yaml
index 0faabd160b..b6c26de6fb 100644
--- a/examples/best_practices/validate_container_security_context.yaml
+++ b/examples/best_practices/policy_validate_container_disallow_priviledgedprivelegesecalation.yaml
@@ -1,32 +1,11 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
- name: check-container-security-context
+ name: validate-deny-privileged-disallowpriviligedescalation
spec:
validationFailureAction: "audit"
rules:
- - name: check-root-user
- exclude:
- resources:
- namespaces:
- - kube-system
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: "Root user is not allowed. Set runAsNonRoot to true."
- anyPattern:
- - spec:
- securityContext:
- runAsNonRoot: true
- # pattern:
- # spec:
- # containers:
- # - name: "*"
- # securityContext:
- # runAsNonRoot: true
- - name: check-privilege
+ - name: deny-privileged-disallowpriviligedescalation
exclude:
resources:
namespaces:
@@ -48,4 +27,4 @@ spec:
# - name: "*"
# securityContext:
# allowPrivilegeEscalation: false
- # privileged: false
+ # privileged: false
\ No newline at end of file
diff --git a/examples/best_practices/validate_default_namespace.yaml b/examples/best_practices/policy_validate_default_namespace.yaml
similarity index 100%
rename from examples/best_practices/validate_default_namespace.yaml
rename to examples/best_practices/policy_validate_default_namespace.yaml
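Review bot: The new names on the `+ name:` lines, `validate-deny-privileged-disallowpriviligedescalation` for the policy and `deny-privileged-disallowpriviligedescalation` for the rule (and the file name `policy_validate_container_disallow_priviledgedprivelegesecalation.yaml`), misspell "privileged" and "privilege escalation"; policy and rule names surface verbatim in scenario expectations and in the engine's violation messages, so a later spelling fix means touching every consumer. Suggest settling the spelling in this commit, e.g. `name: validate-deny-privileged-disallow-privilege-escalation` and `- name: deny-privileged-disallow-privilege-escalation`, with the file renamed to match. The retained rule's match and validate sections lie outside this hunk, so whether its active pattern still requires `privileged: false` (the second hunk shows it only inside a commented-out example) cannot be confirmed from here.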
diff --git a/examples/best_practices/policy_validate_deny_runasrootuser.yaml b/examples/best_practices/policy_validate_deny_runasrootuser.yaml
new file mode 100644
index 0000000000..1dc6796f80
--- /dev/null
+++ b/examples/best_practices/policy_validate_deny_runasrootuser.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: validate-deny-runasrootuser
+spec:
+ validationFailureAction: "audit"
+ rules:
+ - name: deny-runasrootuser
+ exclude:
+ resources:
+ namespaces:
+ - kube-system
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Root user is not allowed. Set runAsNonRoot to true."
+ anyPattern:
+ - spec:
+ securityContext:
+ runAsNonRoot: true
+ # pattern:
+ # spec:
+ # containers:
+ # - name: "*"
+ # securityContext:
+ # runAsNonRoot: true
\ No newline at end of file
diff --git a/examples/best_practices/validate_host_network_port.yaml b/examples/best_practices/policy_validate_host_network_port.yaml
similarity index 100%
rename from examples/best_practices/validate_host_network_port.yaml
rename to examples/best_practices/policy_validate_host_network_port.yaml
diff --git a/examples/best_practices/validate_host_path.yaml b/examples/best_practices/policy_validate_host_path.yaml
similarity index 100%
rename from examples/best_practices/validate_host_path.yaml
rename to examples/best_practices/policy_validate_host_path.yaml
diff --git a/examples/best_practices/validate_image_registries.yaml b/examples/best_practices/policy_validate_image_registries.yaml
similarity index 100%
rename from examples/best_practices/validate_image_registries.yaml
rename to examples/best_practices/policy_validate_image_registries.yaml
diff --git a/examples/best_practices/resource_default_namespace.yaml b/examples/best_practices/resources/resource_default_namespace.yaml
similarity index 100%
rename from examples/best_practices/resource_default_namespace.yaml
rename to examples/best_practices/resources/resource_default_namespace.yaml
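Review bot: The `anyPattern` of the new `deny-runasrootuser` rule has a single entry, pod-level `spec.securityContext.runAsNonRoot: true`, while the container-level alternative is carried only as a commented-out `# pattern:` block; a pod that sets `runAsNonRoot: true` on every container but not at pod level is reported as a violation, and a pod that sets it at pod level but overrides it to `false` in one container's `securityContext` passes, because in Kubernetes the container-level field takes precedence. The old test expectation removed in the last hunk on this page (`anyPattern[1] failed at path /spec/containers/0/securityContext/`) suggests the container-level entry was once active, so dropping it looks unintended rather than a deliberate narrowing. Consider restoring the commented block as a second `anyPattern` entry (assuming, as the commented block implies, that the `- name: "*"` list pattern is applied to every container) and stating the intended precedence in a comment such as `# pod-level OR every container must set runAsNonRoot: true; note a container-level value overrides the pod-level one`. The expected message in `test/scenarios/test/scenario_validate_nonRootUser.yaml` would then need the `anyPattern[1]` fragment back.

```yaml
    validate:
      message: "Root user is not allowed. Set runAsNonRoot to true."
      # pod-level OR every container must set runAsNonRoot: true;
      # note a container-level value overrides the pod-level one
      anyPattern:
      - spec:
          securityContext:
            runAsNonRoot: true
      - spec:
          containers:
          - name: "*"
            securityContext:
              runAsNonRoot: true
# … unchanged: metadata, exclude and match sections …
```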
diff --git a/examples/best_practices/resource_mutate_pod_disable_automountingapicred.yaml b/examples/best_practices/resources/resource_mutate_pod_disable_automountingapicred.yaml
similarity index 100%
rename from examples/best_practices/resource_mutate_pod_disable_automountingapicred.yaml
rename to examples/best_practices/resources/resource_mutate_pod_disable_automountingapicred.yaml
diff --git a/examples/best_practices/resource_validate_image_latest_ifnotpresent_deny.yaml b/examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_deny.yaml
similarity index 100%
rename from examples/best_practices/resource_validate_image_latest_ifnotpresent_deny.yaml
rename to examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_deny.yaml
diff --git a/examples/best_practices/resource_validate_image_latest_ifnotpresent_pass.yaml b/examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_pass.yaml
similarity index 100%
rename from examples/best_practices/resource_validate_image_latest_ifnotpresent_pass.yaml
rename to examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_pass.yaml
diff --git a/examples/best_practices/resource_validate_image_pullpolicy_notalways_deny.yaml b/examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_deny.yaml
similarity index 100%
rename from examples/best_practices/resource_validate_image_pullpolicy_notalways_deny.yaml
rename to examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_deny.yaml
diff --git a/examples/best_practices/resource_validate_image_pullpolicy_notalways_pass.yaml b/examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_pass.yaml
similarity index 100%
rename from examples/best_practices/resource_validate_image_pullpolicy_notalways_pass.yaml
rename to examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_pass.yaml
diff --git a/examples/best_practices/resource_validate_image_tag_latest_deny.yaml b/examples/best_practices/resources/resource_validate_image_tag_latest_deny.yaml
similarity index 100%
rename from examples/best_practices/resource_validate_image_tag_latest_deny.yaml
rename to examples/best_practices/resources/resource_validate_image_tag_latest_deny.yaml
diff --git a/examples/best_practices/resource_validate_image_tag_latest_pass.yaml b/examples/best_practices/resources/resource_validate_image_tag_latest_pass.yaml
similarity index 100%
rename from examples/best_practices/resource_validate_image_tag_latest_pass.yaml
rename to examples/best_practices/resources/resource_validate_image_tag_latest_pass.yaml
diff --git a/examples/best_practices/resource_validate_image_tag_notspecified_deny.yaml b/examples/best_practices/resources/resource_validate_image_tag_notspecified_deny.yaml
similarity index 100%
rename from examples/best_practices/resource_validate_image_tag_notspecified_deny.yaml
rename to examples/best_practices/resources/resource_validate_image_tag_notspecified_deny.yaml
diff --git a/examples/best_practices/resource_validate_image_tag_notspecified_pass.yaml b/examples/best_practices/resources/resource_validate_image_tag_notspecified_pass.yaml
similarity index 100%
rename from examples/best_practices/resource_validate_image_tag_notspecified_pass.yaml
rename to examples/best_practices/resources/resource_validate_image_tag_notspecified_pass.yaml
diff --git a/examples/best_practices/resources/resource_validate_nonRootUser.yaml b/examples/best_practices/resources/resource_validate_nonRootUser.yaml
new file mode 100644
index 0000000000..fe64cbe4bd
--- /dev/null
+++ b/examples/best_practices/resources/resource_validate_nonRootUser.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sec-ctx-unprivileged
+spec:
+ # securityContext:
+ # runAsNonRoot: true
+ containers:
+ - name: imagen-with-hostpath
+ image: nginxinc/nginx-unprivileged
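Review bot: The container name `imagen-with-hostpath` in the new `resource_validate_nonRootUser.yaml` fixture looks copied from a hostPath fixture and misdescribes this pod, which has no volumes; the scenario identifies the pod only by `metadata.name`, so the container name is free to change, e.g. `- name: nginx-unprivileged`. The commented-out `securityContext` is what makes this the deny case for `deny-runasrootuser` (the scenario expects `success: false`), but nothing in the file says so; a one-line comment above it, such as `# securityContext deliberately omitted: this fixture must be rejected by deny-runasrootuser`, would stop a future cleanup from "fixing" the fixture and silently turning the deny test into a pass.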
diff --git a/examples/best_practices/resource_validate_pod_resources.yaml b/examples/best_practices/resources/resource_validate_pod_resources.yaml
similarity index 100%
rename from examples/best_practices/resource_validate_pod_resources.yaml
rename to examples/best_practices/resources/resource_validate_pod_resources.yaml
diff --git a/examples/best_practices/validate_image_tag.yaml b/examples/best_practices/validate_image_tag.yaml
deleted file mode 100644
index 52aaab8b5f..0000000000
--- a/examples/best_practices/validate_image_tag.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
- annotations:
- kyverno.io/category: images
- kyverno.io/description: |
- ......
- name: validate-image
-spec:
- rules:
- - name: validate-tag
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: "An image tag is required"
- pattern:
- spec:
- containers:
- - image: "*:*"
- - name: validate-latest
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: "imagePullPolicy 'Always' required with tag 'latest'"
- pattern:
- spec:
- containers:
- - (image): "*latest"
- imagePullPolicy: Always
-
diff --git a/examples/best_practices/validate_pod_probes.yaml b/examples/best_practices/validate_pod_probes.yaml
deleted file mode 100644
index b720695b3a..0000000000
--- a/examples/best_practices/validate_pod_probes.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
- name: validate-probes
-spec:
- validationFailureAction: "audit"
- rules:
- - name: check-probes
- match:
- resources:
- kinds:
- - Pod
- # exclude:
- # namespaces:
- # - kube-system
- validate:
- message: "Liveness and readiness probes are required"
- pattern:
- spec:
- containers:
- livenessProbe:
- periodSeconds: ">0"
- readinessProbe:
- periodSeconds: ">0"
-
diff --git a/examples/best_practices/validate_pod_resources.yaml b/examples/best_practices/validate_pod_resources.yaml
deleted file mode 100644
index 4f62e3000e..0000000000
--- a/examples/best_practices/validate_pod_resources.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
- name: check-resources
-spec:
- validationFailureAction: "audit"
- rules:
- - name: check-pod-resources
- match:
- resources:
- kinds:
- - Pod
- validate:
- message: "CPU and memory resource requests and limits are required"
- pattern:
- spec:
- containers:
- - name: "*"
- resources:
- requests:
- memory: "?*"
- cpu: "?*"
- limits:
- memory: "?*"
- cpu: "?*"
diff --git a/examples/resources/resource_generate_networkPolicy.yaml b/examples/resources/resource_generate_networkPolicy.yaml
new file mode 100644
index 0000000000..f2b52db070
--- /dev/null
+++ b/examples/resources/resource_generate_networkPolicy.yaml
@@ -0,0 +1,4 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: "devtest"
\ No newline at end of file
diff --git a/examples/resources/resource_mutate_endpoint.yaml b/examples/resources/resource_mutate_endpoint.yaml
new file mode 100644
index 0000000000..792a83da96
--- /dev/null
+++ b/examples/resources/resource_mutate_endpoint.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: test-endpoint
+ labels:
+ label : test
+subsets:
+- addresses:
+ - ip: 192.168.10.171
+ ports:
+ - name: secure-connection
+ port: 443
+ protocol: TCP
\ No newline at end of file
diff --git a/examples/resources/resource_mutate_imagePullPolicy.yaml b/examples/resources/resource_mutate_imagePullPolicy.yaml
new file mode 100644
index 0000000000..2deff48fef
--- /dev/null
+++ b/examples/resources/resource_mutate_imagePullPolicy.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx-deployment
+ labels:
+ app: nginxlatest
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginxlatest
+ template:
+ metadata:
+ labels:
+ app: nginxlatest
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
+ imagePullPolicy: Always
diff --git a/examples/resources/resource_mutate_validate_qos.yaml b/examples/resources/resource_mutate_validate_qos.yaml
new file mode 100644
index 0000000000..43abddf1e6
--- /dev/null
+++ b/examples/resources/resource_mutate_validate_qos.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: qos-demo
+ labels:
+ test: qos
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
+ resources:
+ limits:
+ cpu: "50m"
diff --git a/examples/resources/resource_validate_containerSecurityContext.yaml b/examples/resources/resource_validate_containerSecurityContext.yaml
new file mode 100644
index 0000000000..4cfa6f96d1
--- /dev/null
+++ b/examples/resources/resource_validate_containerSecurityContext.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: csc-demo-unprivileged
+ labels:
+ app.type: prod
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: psp
+ template:
+ metadata:
+ labels:
+ app: psp
+ spec:
+ containers:
+ - name: sec-ctx-unprivileged
+ image: nginxinc/nginx-unprivileged
+ securityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
diff --git a/examples/resources/resource_validate_healthChecks.yaml b/examples/resources/resource_validate_healthChecks.yaml
new file mode 100644
index 0000000000..8599a904b3
--- /dev/null
+++ b/examples/resources/resource_validate_healthChecks.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ test: probe
+ name: probe
+spec:
+ containers:
+ - name: check-readiness
+ image: k8s.gcr.io/busybox
+ args:
+ - /bin/sh
+ - -c
+ - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600
+ readinessProbe:
+ successThreshold: 3
+ exec:
+ command:
+ - cat
+ - /tmp/healthy
+ - name: check-liveness
+ image: k8s.gcr.io/liveness
+ args:
+ - /server
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ scheme: HTTP
+ httpHeaders:
+ - name: Custom-Header
+ value: Awesome
+ periodSeconds: 3
\ No newline at end of file
diff --git a/examples/resources/resource_validate_imageRegistries.yaml b/examples/resources/resource_validate_imageRegistries.yaml
new file mode 100644
index 0000000000..131f6457a4
--- /dev/null
+++ b/examples/resources/resource_validate_imageRegistries.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nirmata-nginx
+ labels:
+ app: nirmata-nginx
+ cli: test
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nirmata-nginx
+ # image: nginx
+ image: nirmata/nginx
diff --git a/test/scenarios/test/scenario_generate_networkPolicy.yaml b/test/scenarios/test/scenario_generate_networkPolicy.yaml
index 9c3fe574a2..956ab41d5e 100644
--- a/test/scenarios/test/scenario_generate_networkPolicy.yaml
+++ b/test/scenarios/test/scenario_generate_networkPolicy.yaml
@@ -1,7 +1,7 @@
# file path relative to project root
input:
policy: examples/policy_generate_networkPolicy.yaml
- resource: examples/resource_generate_networkPolicy.yaml
+ resource: examples/resources/resource_generate_networkPolicy.yaml
expected:
generation:
generatedResources:
diff --git a/test/scenarios/test/scenario_mutate_endPpoint.yaml b/test/scenarios/test/scenario_mutate_endPpoint.yaml
index 44af7cab65..b0a890f276 100644
--- a/test/scenarios/test/scenario_mutate_endPpoint.yaml
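Review bot: In the new `resource_validate_healthChecks.yaml` fixture the `check-readiness` container's `readinessProbe` sets `successThreshold: 3` but no `periodSeconds`, while the `check-liveness` container's `livenessProbe` does set `periodSeconds: 3`; the `validate_pod_probes.yaml` policy deleted earlier on this page required `periodSeconds: ">0"` on both probes, so depending on what `policy_validate_healthChecks.yaml` (not in this diff) checks, this pod is either a pass fixture with an accidental gap or a deny fixture whose failing field is unstated. The expected `policyresponse` in `scenario_validate_healthChecks.yaml` is cut off in its hunk, so the intent cannot be confirmed here; please state it at the top of the fixture, e.g. `# expected verdict for policy_validate_healthChecks.yaml: <pass|fail> — readinessProbe intentionally has no periodSeconds`, and if it is meant to pass, add `periodSeconds` to the readiness probe.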
+++ b/test/scenarios/test/scenario_mutate_endPpoint.yaml
@@ -1,7 +1,7 @@
# file path relative to project root
input:
policy: examples/policy_mutate_endpoint.yaml
- resource: examples/resource_mutate_endpoint.yaml
+ resource: examples/resources/resource_mutate_endpoint.yaml
expected:
mutation:
patchedresource: test/output/output_mutate_endpoint.yaml
diff --git a/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml b/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml
index 665c15c956..b20806091a 100644
--- a/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml
+++ b/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml
@@ -1,7 +1,7 @@
# file path relative to project root
input:
policy: examples/policy_mutate_imagePullPolicy.yaml
- resource: examples/resource_mutate_imagePullPolicy.yaml
+ resource: examples/resources/resource_mutate_imagePullPolicy.yaml
expected:
mutation:
patchedresource: test/output/output_mutate_imagePullPolicy.yaml
diff --git a/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml b/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml
index 189ca4e6e2..b9eaac4340 100644
--- a/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml
+++ b/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml
@@ -1,7 +1,7 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_mutate_pod_disable_automountingapicred.yaml
- resource: examples/best_practices/resource_mutate_pod_disable_automountingapicred.yaml
+ resource: examples/best_practices/resources/resource_mutate_pod_disable_automountingapicred.yaml
expected:
mutation:
patchedresource: test/output/output_mutate_pod_disable_automoutingapicred.yaml
diff --git a/test/scenarios/test/scenario_mutate_validate_qos.yaml b/test/scenarios/test/scenario_mutate_validate_qos.yaml
index f06bc30f11..383d001750 100644
--- a/test/scenarios/test/scenario_mutate_validate_qos.yaml
+++ b/test/scenarios/test/scenario_mutate_validate_qos.yaml
@@ -1,7 +1,7 @@
# file path relative to project root
input:
policy: examples/policy_mutate_validate_qos.yaml
- resource: examples/resource_mutate_validate_qos.yaml
+ resource: examples/resources/resource_mutate_validate_qos.yaml
expected:
mutation:
patchedresource: test/output/output_mutate_validate_qos.yaml
diff --git a/test/scenarios/test/scenario_validate_containerSecurityContext.yaml b/test/scenarios/test/scenario_validate_containerSecurityContext.yaml
index c3c179217d..e5dd3df274 100644
--- a/test/scenarios/test/scenario_validate_containerSecurityContext.yaml
+++ b/test/scenarios/test/scenario_validate_containerSecurityContext.yaml
@@ -1,7 +1,7 @@
# file path relative to project root
input:
policy: examples/policy_validate_containerSecurityContext.yaml
- resource: examples/resource_validate_containerSecurityContext.yaml
+ resource: examples/resources/resource_validate_containerSecurityContext.yaml
expected:
validation:
policyresponse:
diff --git a/test/scenarios/test/scenario_validate_healthChecks.yaml b/test/scenarios/test/scenario_validate_healthChecks.yaml
index c44c8ae26d..ce5ab021e7 100644
--- a/test/scenarios/test/scenario_validate_healthChecks.yaml
+++ b/test/scenarios/test/scenario_validate_healthChecks.yaml
@@ -1,7 +1,7 @@
# file path relative to project root
input:
policy: examples/policy_validate_healthChecks.yaml
- resource: examples/resource_validate_healthChecks.yaml
+ resource: examples/resources/resource_validate_healthChecks.yaml
expected:
validation:
policyresponse:
diff --git a/test/scenarios/test/scenario_validate_imageRegistries.yaml b/test/scenarios/test/scenario_validate_imageRegistries.yaml
index d17401d507..ec774a6698 100644
--- a/test/scenarios/test/scenario_validate_imageRegistries.yaml
+++ b/test/scenarios/test/scenario_validate_imageRegistries.yaml
@@ -1,7 +1,7 @@
# file path relative to project root
input:
policy: examples/policy_validate_imageRegistries.yaml
- resource: examples/resource_validate_imageRegistries.yaml
+ resource: examples/resources/resource_validate_imageRegistries.yaml
expected:
validation:
policyresponse:
diff --git a/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml b/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml
index 95071e9e96..ffdabd6a7a 100644
--- a/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml
+++ b/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml
@@ -1,7 +1,7 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
- resource: examples/best_practices/resource_validate_image_latest_ifnotpresent_deny.yaml
+ resource: examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_deny.yaml
expected:
validation:
policyresponse:
diff --git a/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml b/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml
index 730e94ef45..82458d0ecf 100644
--- a/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml
+++ b/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml
@@ -1,7 +1,7 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
- resource: examples/best_practices/resource_validate_image_latest_ifnotpresent_pass.yaml
+ resource: examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_pass.yaml
expected:
validation:
policyresponse:
diff --git a/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml b/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml
index a057acd15e..3c633e446f 100644
--- a/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml
+++ b/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml
@@ -1,7 +1,7 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_image_pullpolicy_notalways_deny.yaml
- resource: examples/best_practices/resource_validate_image_pullpolicy_notalways_deny.yaml
+ resource: examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_deny.yaml
expected:
validation:
policyresponse:
diff --git a/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml b/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml
index 50f3b84e8f..d1be03e24f 100644
--- a/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml
+++ b/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml
@@ -1,7 +1,7 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_image_pullpolicy_notalways_deny.yaml
- resource: examples/best_practices/resource_validate_image_pullpolicy_notalways_pass.yaml
+ resource: examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_pass.yaml
expected:
validation:
policyresponse:
diff --git a/test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml b/test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml
index 009107a320..9dba3e53e2 100644
--- a/test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml
+++ b/test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml
@@ -1,7 +1,7 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_image_tag_latest_deny.yaml
- resource: examples/best_practices/resource_validate_image_tag_latest_deny.yaml
+ resource: examples/best_practices/resources/resource_validate_image_tag_latest_deny.yaml
expected:
validation:
policyresponse:
diff --git a/test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml b/test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml
index 3b96ed2342..28ecb0b8f2 100644
--- a/test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml
+++ b/test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml
@@ -1,7 +1,7 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_image_tag_latest_deny.yaml
- resource: examples/best_practices/resource_validate_image_tag_latest_pass.yaml
+ resource: examples/best_practices/resources/resource_validate_image_tag_latest_pass.yaml
expected:
validation:
policyresponse:
diff --git a/test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml b/test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml
index aaeb3d9626..ba4e108170 100644
--- a/test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml
+++ b/test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml
@@ -1,7 +1,7 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml
- resource: examples/best_practices/resource_validate_image_tag_notspecified_deny.yaml
+ resource: examples/best_practices/resources/resource_validate_image_tag_notspecified_deny.yaml
expected:
validation:
policyresponse:
diff --git a/test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml b/test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml
index 22b1fe3864..3b004aff15 100644
--- a/test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml
+++ b/test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml
@@ -1,7 +1,7 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml
- resource: examples/best_practices/resource_validate_image_tag_notspecified_pass.yaml
+ resource: examples/best_practices/resources/resource_validate_image_tag_notspecified_pass.yaml
expected:
validation:
policyresponse:
diff --git a/test/scenarios/test/scenario_validate_nonRootUser.yaml b/test/scenarios/test/scenario_validate_nonRootUser.yaml
index 36552eb359..f5dae28ef5 100644
--- a/test/scenarios/test/scenario_validate_nonRootUser.yaml
+++ b/test/scenarios/test/scenario_validate_nonRootUser.yaml
@@ -1,18 +1,18 @@
# file path relative to project root
input:
- policy: examples/policy_validate_nonRootUser.yaml
- resource: examples/resource_validate_nonRootUser.yaml
+ policy: examples/best_practices/policy_validate_deny_runasrootuser.yaml
+ resource: examples/best_practices/resources/resource_validate_nonRootUser.yaml
expected:
validation:
policyresponse:
- policy: check-container-security-context
+ policy: validate-deny-runasrootuser
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: sec-ctx-unprivileged
rules:
- - name: check-root-user
+ - name: deny-runasrootuser
type: Validation
- message: Validation rule 'check-root-user' failed to validate patterns defined in anyPattern. Root user is not allowed. Set runAsNonRoot to true.; anyPattern[0] failed at path /spec/securityContext/; anyPattern[1] failed at path /spec/containers/0/securityContext/
+ message: Validation rule 'deny-runasrootuser' failed to validate patterns defined in anyPattern. Root user is not allowed. Set runAsNonRoot to true.; anyPattern[0] failed at path /spec/securityContext/
success: false
\ No newline at end of file